Yesterday found me walking down the street in Washington DC a little before noon, when suddenly I ran into some friends, old and new, who had just popped out of the US Department of Commerce. They witnessed directly, and gave me a first-hand account, of the birth of the administration's Executive Order (EO) on better securing the nation's critical infrastructures.
We've been waiting for this, or something like this, for quite a while. The most recent legislative pushes were the GRID Act of 2010, which almost made it, and the Cybersecurity Act of 2012, which came similarly close but failed to pass both houses. The narrative goes: since Congress couldn't do it, the President did what he could.
Anyway, let's get to the EO while we're young. Of the torrent of analysis I came across yesterday, this one, by Irving Lachow and Jacob Stokes of the Center for New American Security (CNAS), stood out as the best and most comprehensible.
I'll highlight one section before giving you a link to their work. It's on the part many of us are wondering about ... that is, what is the likelihood that the EO will have a marked and observable impact on security posture. Nothing in the EO is mandatory; therefore, as some have suggested, it may turn out to be much ado about nothing.
Here's the CNASers' take:
The provisions within the EO may not, by themselves, change the fundamental incentives driving the behavior of critical infrastructure operators. As important as it is to identify possible incentives for changing the behavior of critical infrastructures, the government will need to experiment with these incentives to see which ones work. Conducting such experimentation will require the establishment of a well-structured and rigorous evaluation program. Congressional action may be needed to implement some incentives and to enable the proper evaluation of different options.
But I and many others hope it's much ado about something. Here's a LINK to the full CNAS write-up, and here's a LINK to the EO itself. We'll have to see how it plays out, and play our respective parts too. NIST is going to need your input and I'll share notices on how and when you can do that when I get the info.
Meanwhile, have a great and potentially romantic day please.