SAN FRANCISCO — Critics of the president’s cybersecurity executive order complain it lacks the authority to enforce cybersecurity standards for the nation’s most critical systems.
But one expert said the order’s information-sharing provisions will be key in prodding owners and operators of those critical assets to improve their cyber defenses.
Under the executive order, the government will share unclassified intelligence reports with private companies it believes are the target of a cyber attack. Companies operating critical infrastructure, such as power plants and water systems, will receive classified reports if the government suspects they are the target of a cyber attack.
“Imagine if you’re a CEO, board of directors or the general counsel or outside counsel advising that company, and you get a notice saying you are now a target,” said Roland Trope, a partner at Trope and Schramm. “Do you stamp it and put it in a file? I think not.”
If a company receives credible reports from the federal government that it is a target, an attack becomes probable, and companies will have to respond accordingly, said Trope, who spoke on a panel here at the RSA conference.
“What are you going to do because if you don’t do something, [and] if you don’t fulfill those responsibilities in a reasonable and diligent way, you expose yourself to potential lawsuits,” Trope said. “You might be exposed to stockholder derivative lawsuits. You’re certainly going to suffer reputation damage.”
While many companies are practicing good cybersecurity and have a strategy to mitigate attacks, Trope warned those that don’t that they need to begin planning how they will respond if they receive notice from the government that they’re the target of an attack.
“You don’t want to wait until you get the notice and start thinking, how are we going to deal with this,” he said.
Kevin Gronberg, with cybersecurity firm Mandiant, is skeptical that companies will be moved to improve cybersecurity, considering the government is already sharing cyber intelligence data with companies.
“I don’t think a transfer of information, which is at this point not legally prohibited, is necessarily going to ... change the behavior of corporate America, especially critical infrastructure,” Gronberg said. “What I’m concerned about, though, is that only the threat of litigation will move them.”
Trope, however, argued that the executive order does create the threat of litigation. While agencies share cyber information with companies, it often comes after the companies have been attacked, he said.
“The threat of litigation [and] the threat of reputation is going to, I think, move certain CEOs in a certain way,” he said of the executive order.