Government Needs Help With Cybersecurity

Information sharing is a big component of thenew cybersecurity framework being created by an Obama executive order.There's an emphasis on voluntary participation,but once an organization is deemed to havecritical infrastructure, there may be consequences for saying to the government, "Thanks, but no thanks."

Get involved on the front end, advisesformer FCC chief of public safety Jamie Barnett-- right (with Raytheon'sRandy Fort),who just joined Venable astelecom co-chair. Hemoderated the firm's briefing this week on the recently released executive order.The order says DHS will have five months to point out infrastructure that could have a catastrophic effect if cyber-attacked. Its owners and operators will be asked to comply with a framework created by NIST,complete with annual reports to the President. (The incentives for participating will come out before either the framework or its participants, in four months.) But those dubbed critical infrastructure can appeal the decision through a to-be-created process.

The executive order is a "major step forward, but I wouldn't want any company to walk away thinking they can justchoose not to follow the standards because they're called voluntary," says Jamie.Organizations can submit information to NISTuntilApril 8 and attend a workshop onApril 3(more should follow).The timing, along withDOD andGSA incorporating security standards into government contracts before they see the framework, Jamie says, is more reason toget involved now. (So lawyers repping those industries, prepare to hunker down.)After the panel, communications headRick Joyce, above right, caught up with former FCC Wireless Telecom Bureau head and former Venable partnerJohn Muleta.

Venable partner and former US Transportation Secretary Jim Burnley sat on a panel with partner John Bowman, moderated by partner Anthony Rosso.Why wouldn't a company want the "critical risk" designation, which comes with the chance ofclassified info from the government? The classified aspect is part of it: It could thrust private companies into aquasi-government contractor role as its employees need security clearances before seeing the info. Some shareholders may not want to be linked to a company designated such a high risk. And what are the consequences for what one does--or doesn't do--with the government information? The chance of regulation isn't discounted, along withnegative incentives for not complying, likeinsurance issues if not compliant and hacked.

Government contracts partner Diz Locaria and energy partner Brian Zimmet. The financial services industryand electric industry were brought up as some that may serve as a model for NIST's framework.Possible standards include disclosure requirements, stricter password rules,tightening and monitoring access to computer networks, and something only computer-savvy folks will understand about closing all open ports without legitimate business reasons.