The week’s big news: The White House now has issued an executive order that explicitly addresses the need to step up cyber security defenses because it is game on and there is no apparent turning back from continued digital skirmishes with China, Iran, Russia and various other nation state players with dreams to reign supreme in the cyber world.
The Feb. 12 order plainly stated: “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cyber security. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the nation's critical infrastructure in the face of such threats.”
The key question for us: Are credit unions part of “the nation’s critical infrastructure?”
Pierluigi Stella, chief technology officer of Network Box USA said, “Reading the entirety of the order, one might conceive this to be more related to power grid, water systems, refineries and the likes. In reality though, during his [State of the Union] speech, the president made clear reference to the cyber threat our banking system faces. As such, one must assume that, in his mind, the banking industry at large is part of our critical infrastructure, and that if cyber criminals or cyber enemies were to take down our banking system, it would have a drastic impact our national economic security.”
As for precisely what Obama said, his State of the Union cyber security language is here: “America must also face the rapidly growing threat from cyber attacks....Now, we know hackers steal people's identities and infiltrate private e-mails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
Which means: Yes, probably credit unions – as “financial institutions” – indeed are part of the “critical infrastructure” and, therefore, the White House is exhorting them to share cyber threat information with the U.S. government.
Realistically, however, Stella cautions that no credit union should expect a summons from the Department of Homeland Security anytime soon.
The nation’s money center banks will get those invites and possibly a sprinkling of the largest credit unions will too. But, at least in the early days of this cyber security campaign, most credit unions will escape the scrutiny of the executive branch.
And do note, the executive order is clear that compliance with disclosure requests will be “voluntary” on the part of private sector entities.
Yet that does not mean inaction is a good idea, cautioned Jerry Irvine, CEO of security firm Prescient Solutions, who stressed that “financial institutions need to get their security ducks in a row.”
Irvine worried that if details leaked out about a cyber intrusion and the financial institution appeared to be ill prepared, “that could impact goodwill and reputation.”
Irvine’s advice is to gear up to meet present industry best practices. That probably will be good enough, at least to evade cyber censure for unpreparedness, suggested Irvine.
Know however that the executive order is a kind of rough draft – “It’s very vague,” shrugged Irvine. Within 240 days of its issuance, a draft of a cyber-security framework will be released for comment and within one year, a final version of the cyber security document will be released.
That document may of much more use in the way of specifics. Until then, said Irvine, a credit union that implements best practices can know it is doing just about the best it could.