Cybersecurity Executive Order Leaves Tough Work UndoneGovernment and industry must work together in challenging new ways to implement the White House's executive order on cybersecurity, top federal officials said Wednesday.
Who Is Hacking U.S. Banks? 8 Facts (click image for larger view and for slideshow)
It will require a lot of hard work and extensive new public-private collaboration to improve the nation's cybersecurity posture, key federal officials repeatedly stressed Wednesday in their first public remarks since the release of the White House's executive order on cybersecurity
"Cybersecurity must be a shared, collective endeavor," White House cybersecurity coordinator Michael Daniel said before a packed crowd of officials and industry executives at a Department of Commerce event Wednesday morning, adding that success in implementing the order will depend on the government "forging new relationships" among agencies and with the private sector.
The new executive order unveiled late Tuesday sets up and expands public-private cybersecurity threat information sharing initiatives and creates a process for building a framework of voluntary cybersecurity standards for critical infrastructure companies.
[ Will budget cuts derail cybersecurity plans? Read Federal CIO Details Concerns On Looming Budget Cuts. ]
"The American people deserve nothing less than a whole-of-government approach," said Rebecca Blank, deputy secretary of the Department of Commerce, adding that "the government cannot do this alone."
According to Daniel, the cybersecurity executive order itself is the product of extensive outreach by the White House. "An enormous number of stakeholders' views are incorporated into the executive order," he said.
The Department of Homeland Security has the job of creating a task force to keep stakeholders at the table and over the next several weeks agencies tasked with implementing the executive order will hold an additional series of meetings with trade associations, other agencies and sector coordinating councils to discuss next steps. Among the first tasks will be to identify critical infrastructure entities nationwide, senior DHS cybersecurity official Bruce McConnell told InformationWeek.
"The systems that we depend on are overwhelmingly owned and operated by industry," added National Security Agency director and U.S. Cyber Command commander Gen. Keith Alexander. "We need to make sure private sector companies have the information they need to protect their networks and have that information in a timely manner."
That will require sharing among private sector entities and with government as well as government to private sector sharing, Alexander added, saying that the government often suffers from "blind spots" that prevent Cyber Command and others from knowing what they need to know to better defend the nation against cyber attacks.
According to McConnell, companies from various industries are already expressing interest in the Enhanced Cybersecurity Services program, which grew out of the defense industry-specific Defense Industrial Base pilot.
However, McConnell added, work still needs to be done to determine further incentives to spark interest and participation in both information sharing and adoption of voluntary cybersecurity standards that the executive order would establish. Part of that challenge will come from understanding the disparate needs of the different critical infrastructure sectors, Alexander said.
In addition to information, the other collaborative piece to the executive order will be the development and establishment of voluntary and possibly in some cases mandatory cybersecurity standards for critical infrastructure entities.
DHS and the National Institute of Standards and Technology will work closely together with industry to develop a framework for these standards, one that DHS deputy secretary Jane Lute said will be "outcome-based and technology neutral." According to Lute, DHS has already begun dialogs on these standards between the electricity sector and the Department of Energy and the financial sector and the Department of Treasury, among others.
In remarks at the event and an in interview with InformationWeek afterwards, NIST director Patrick Gallagher sketched out the yet-to-be developed framework a bit more. "The framework [will be a] series of practices, standards, guidance, methods, methodologies, whatever it takes that if implemented would create a desired level of resilience and cybersecurity effectiveness," he said. "The framework will include both broad principles and methods, common practices and tools, specific and sometimes sector-specific practices."
Gallagher was quick to say that while NIST will coordinate the development of the framework, the private sector will play a lead role. "This is not a NIST framework," he said. "This framework will also belong to industry. What we are trying to create is an aligned effort." NIST has already posted a number of questions on its website that it intends to ask in a forthcoming request for information seeking industry input on the framework.
While officials Wednesday stressed the need for collaboration throughout the implementation process, a number of them also said that the executive order alone is insufficient. Both Daniel and Alexander, among others, urged Congress to pass bipartisan legislation to fill in gaps in the executive order.
One unanswered question is how and when that legislation will come together and make it to the President's desk in a form that the Obama Administration is willing to sign. Even Alexander, who has numerous times told Congress that cyber legislation is needed, admitted Wednesday that agreement on legislation is "challenging" due to differences in philosophies on the proper role of government in the cyber space.
With implementation months away, and officials continuing to push for legislation, what's clear is that much more needs to be done to put in place robust processes for government and industry to work together to improve the nation's cybersecurity. The executive order was a first step, but is only just that. Said NIST's Gallagher: "We're at the beginning of the beginning."