The systems that run our nation’s critical infrastructure such as the electric grid, our drinking water, our trains, and other transportation are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats, and protecting this critical infrastructure from cyber threats is among our highest security priorities. That is why, earlier this year, the President signed an Executive Order designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. The Order does this by focusing on three key areas: information sharing, privacy, and adoption of cybersecurity practices.
To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk. These are the known practices that many firms already do, in part or across the enterprise and across a wide range of sectors. The draft Framework will be complete in October. After a final Framework is released in February 2014, we will create a Voluntary Program to help encourage critical infrastructure companies to adopt the Framework.
While this effort is underway, work on how to incentivize companies to join a Program is also under consideration. While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments. As directed in the EO, the Departments of Homeland Security, Commerce, and Treasury have identified potential incentives and provided their recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.