If there were any doubt, it was alleviated over the last few weeks: Cybersecurity is far from a dead issue in government circles and the U.S. at large.
In fact, the noise around cybersecurity is reaching a crescendo, with stirrings around a new cybersecurity bill, a presidential executive order to harden infrastructure and the controversial Cyber Intelligence Sharing and Protection Act (CISPA) reawakened in the U.S. House of Representatives.
The implications are varied, complex and numerous. It all portends revived opportunities for the security channel, which could dust off its government Rolodexes and lay a foundation of public-sector strategy for 2013.
Perhaps the most significant turn of events for the security community occurred Tuesday, when President Barack Obama signed an executive order that sought better protection of the nation’s critical infrastructure and aimed to protect systems from losses incurred during a cyberattack. The order directs government officials to create standards that reduce cybersecurity risks and accelerate information-sharing on potential threats between the government and critical infrastructure companies.
The order aims to fill the gaping security holes left after the proposed Cybersecurity Act of 2012, which was endorsed by the White House, was defeated in the U.S. Senate last summer. The bill, also known as CSA 2012, mandated critical infrastructure upgrades, bolstered defenses and accelerated response time by establishing cybersecurity standards for electrical power grids, water treatment facilities and nuclear plants.
Pres. Obama’s new cybersecurity executive order, while not a direct substitute for law, could bode well for the channel. Critical infrastructure and public sector entities, tapped to bolster cybersecurity, will require stepped-up vulnerability assessments, pre-audit services and policy and cybersecurity strategies to determine cost-effective next steps. These could give rise to expanded channel consulting services dedicated to government, critical infrastructure and public sector organizations.
It’s likely solution providers partnering with major security vendors — in particular, those with established government ties — will be called on for installation and ongoing monitoring and maintenance services once implementation phases are underway.
There are mitigating factors. The order doesn’t have the same weight as law, and it also carries no power to compel infrastructure companies to share information. The net-net: The order has a slew of government incentives to encourage companies to adopt policies and strengthen infrastructure, but it lacks legal enforcement capabilities, relegating adoption of the cybersecurity framework to a voluntary status.
And while the order’s incentives might get the ball rolling for some organizations, its voluntary nature will slow the process down.
Channel partners shouldn’t be knocking on public utility doors just yet, but hope could be reignited with a recently proposed bill that represents another crack at establishing cybersecurity legislation.
Shortly after Pres. Obama’s inauguration, Sens. Jay Rockefeller (D-W.Va.), Tom Carper (D-Del.) and Dianne Feinstein (D-Calif.) introduced the Cybersecurity and American Cyber Competitiveness Act of 2013, a bill attempting to implement and harden security systems in critical infrastructure to prevent cyberattacks.
“The threat of a cyberattack is real, and it is growing,” Feinstein said in a statement. “Congress must act soon to improve the government’s ability to share and receive information on cyber attacks and threats with the private sector. Our national and economic security depend on robust information sharing, and I look forward to working with my colleagues again this Congress to develop strong incentives for this practice, coupled with the needed privacy protections.”
Should the bill pass, the channel will be on the front lines to conduct massive infrastructure overhauls, especially those partnering with organizations such as Symantec Corp., McAfee Inc. and RSA, the security division of EMC Corp., which have long-established and deeply entrenched relationships with government, manufacturing and critical infrastructure verticals.
Meanwhile, issues around privacy and information sharing are resurfacing after authors of the controversial CISPA revived the bill in the House earlier this week. The bill allows voluntary information-sharing between private organizations and the government to reduce the risk of a foreign-born attack from nations such as China or Iran.
Supporters say information-sharing is an imperative measure in preventing cyberattacks. Critics contend the law would enable tech firms and other corporations to freely dig up and share private data on their customers in the name of cybersecurity.
The bill was defeated on the Senate floor last spring, but with what appears to be strong House support and renewed conversation about foreign cyberattacks, CISPA supporters may have a fighting chance in the months ahead.
For now, much of the cybersecurity legislation, which one day might translate to channel opportunity, remains theory, and how the impending laws shake out will be made evident farther down the road. What remains clear is that the issue of cybersecurity is not going away.
Cybersecurity has become more integral to public policy and the public mindset. Without being overshadowed by looming presidential elections, the issue will remain on the table for the next few years. And that will open channel doors. How the eventual paradigm shift translates to the channel, though, remains to be seen.