During his annual State of the Union address Tuesday night, President Barack Obama took several moments to acknowledge “the real and growing threat” of cyber attacks on American infrastructure and announced that he had signed an executive order to strengthen cyber defenses and promote the sharing of information related to security threats.
In his remarks, Obama called on Congress to pass legislation that would give the government greater capacity to secure national and private enterprise networks. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” he said.
The order, which can be read in full on the White House website, states that companies responsible for the country’s infrastructure (dams, electrical grids, and financial institutions) may join the Enhanced Cybersecurity Services program, which will provide classified cyber threat and technical information from the federal government to eligible critical-infrastructure companies or contracted vendors that offer security services to critical infrastructure. It also requires federal agencies to “expedite the processing of security clearances” for companies deemed eligible for the program, and to produce unclassified reports of specific threats in real time so that the companies can be prepared.
Jerry Ferguson, co-chair of the privacy and data protection practice at global law firm BakerHostetler, says the verbiage of the executive order is deliberately oblique on the issue of disclosure by private-sector businesses of information about cyber threats to the government. “The order is very clear when it talks about the government sharing information with the industry about threats because that’s not controversial. But it’s much more euphemistic when it talks about the sharing going the other way,” he says.
Legislation on cyber security has repeatedly stalled because of concerns surrounding mandatory standards, information sharing, and civil liberties, especially as the latter applies to customer privacy. The executive order addresses all of the issues in vague ways, Ferguson says. “It calls for agencies to develop plans around these issues and asks for further reporting. But I wouldn’t say that, just because it’s ambiguous, it’s not going to go anywhere,” he says. “I think when the reports come out, we’ll see some teeth.”
Ferguson’s partner and co-chair Theodore Kobus notes that U.S. businesses seem more willing than ever to partner with the government on cyber defense. He cites a survey of Fortune 500 companies released in January by West Virginia Sen. Jay Rockefeller in which 80% of the respondents said they considered the threat of cyber security a leading concern.
Many supported the creation of federal cyber-security standards as long as they are voluntary. “That level of engagement is impressive — but expect some tension to occur over implementing ways for companies to share more proprietary information with government agencies, including customer data and personal information,” says Kobus. “Compliance with the new standards will ultimately depend on how hard the White House and other agencies decide to press.”
The Takeaway for CFOs
Kobus believes there are a number of risks CFOs should be aware of when considering voluntary disclosure about cyber threats. The first is whether such disclosures will interfere with or be inconsistent with standard Securities and Exchange Commission filings. “Should you be disclosing under SEC guidance that you’re telling the government about these threats?”
Then there’s the risk that a disclosure to the government about a security breach could get in the hands of a competitor or criminal and cause further damage. A third worry for CFOs: will companies that choose not to disclose information under the voluntary arrangement be subject to enhanced regulatory scrutiny — or even denied a government contract?
“It’ll be interesting to see to what extent companies will comply with voluntary disclosures when they weigh the risk of complying,” he says.
Cyber threats have increasingly laid bare the lack of security in the private sector as well as government networks. Last year the Department of Homeland Security reported that it had responded to 198 cyber incidents, 41% of which were attacks on the energy sector. Last month companies like the New York Times and Wall Street Journal reported cyber attacks from hackers based in China. Companies that relegate cyber security to IT alone could find themselves in trouble, Ferguson warns.
“You can’t let cyber security be siloed in the IT department. It’s a boardroom issue, and the CFO really has to be [the] driver of that issue being discussed,” he says.