Risk
2/13/2013
01:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cybersecurity Executive Order Leaves Tough Work Undone

Government and industry must work together in challenging new ways to implement the White House's executive order on cybersecurity, top federal officials said Wednesday.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
It will require a lot of hard work and extensive new public-private collaboration to improve the nation's cybersecurity posture, key federal officials repeatedly stressed Wednesday in their first public remarks since the release of the White House's executive order on cybersecurity.

"Cybersecurity must be a shared, collective endeavor," White House cybersecurity coordinator Michael Daniel said before a packed crowd of officials and industry executives at a Department of Commerce event Wednesday morning, adding that success in implementing the order will depend on the government "forging new relationships" among agencies and with the private sector.

The new executive order unveiled late Tuesday sets up and expands public-private cybersecurity threat information sharing initiatives and creates a process for building a framework of voluntary cybersecurity standards for critical infrastructure companies.

[ Will budget cuts derail cybersecurity plans? Read Federal CIO Details Concerns On Looming Budget Cuts. ]

"The American people deserve nothing less than a whole-of-government approach," said Rebecca Blank, deputy secretary of the Department of Commerce, adding that "the government cannot do this alone."

According to Daniel, the cybersecurity executive order itself is the product of extensive outreach by the White House. "An enormous number of stakeholders' views are incorporated into the executive order," he said.

The Department of Homeland Security has the job of creating a task force to keep stakeholders at the table and over the next several weeks agencies tasked with implementing the executive order will hold an additional series of meetings with trade associations, other agencies and sector coordinating councils to discuss next steps. Among the first tasks will be to identify critical infrastructure entities nationwide, senior DHS cybersecurity official Bruce McConnell told InformationWeek.

"The systems that we depend on are overwhelmingly owned and operated by industry," added National Security Agency director and U.S. Cyber Command commander Gen. Keith Alexander. "We need to make sure private sector companies have the information they need to protect their networks and have that information in a timely manner."

That will require sharing among private sector entities and with government as well as government to private sector sharing, Alexander added, saying that the government often suffers from "blind spots" that prevent Cyber Command and others from knowing what they need to know to better defend the nation against cyber attacks.

According to McConnell, companies from various industries are already expressing interest in the Enhanced Cybersecurity Services program, which grew out of the defense industry-specific Defense Industrial Base pilot.

However, McConnell added, work still needs to be done to determine further incentives to spark interest and participation in both information sharing and adoption of voluntary cybersecurity standards that the executive order would establish. Part of that challenge will come from understanding the disparate needs of the different critical infrastructure sectors, Alexander said.

In addition to information, the other collaborative piece to the executive order will be the development and establishment of voluntary and possibly in some cases mandatory cybersecurity standards for critical infrastructure entities.

DHS and the National Institute of Standards and Technology will work closely together with industry to develop a framework for these standards, one that DHS deputy secretary Jane Lute said will be "outcome-based and technology neutral." According to Lute, DHS has already begun dialogs on these standards between the electricity sector and the Department of Energy and the financial sector and the Department of Treasury, among others.

In remarks at the event and an in interview with InformationWeek afterwards, NIST director Patrick Gallagher sketched out the yet-to-be developed framework a bit more. "The framework [will be a] series of practices, standards, guidance, methods, methodologies, whatever it takes that if implemented would create a desired level of resilience and cybersecurity effectiveness," he said. "The framework will include both broad principles and methods, common practices and tools, specific and sometimes sector-specific practices."

Gallagher was quick to say that while NIST will coordinate the development of the framework, the private sector will play a lead role. "This is not a NIST framework," he said. "This framework will also belong to industry. What we are trying to create is an aligned effort." NIST has already posted a number of questions on its website that it intends to ask in a forthcoming request for information seeking industry input on the framework.

While officials Wednesday stressed the need for collaboration throughout the implementation process, a number of them also said that the executive order alone is insufficient. Both Daniel and Alexander, among others, urged Congress to pass bipartisan legislation to fill in gaps in the executive order.

One unanswered question is how and when that legislation will come together and make it to the President's desk in a form that the Obama Administration is willing to sign. Even Alexander, who has numerous times told Congress that cyber legislation is needed, admitted Wednesday that agreement on legislation is "challenging" due to differences in philosophies on the proper role of government in the cyber space.

With implementation months away, and officials continuing to push for legislation, what's clear is that much more needs to be done to put in place robust processes for government and industry to work together to improve the nation's cybersecurity. The executive order was a first step, but is only just that. Said NIST's Gallagher: "We're at the beginning of the beginning."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/19/2013 | 8:05:51 AM
re: Cybersecurity Executive Order Leaves Tough Work Undone
I am actually glad to see that this is a concern and also a part of protection, just like the military protects us physically. I am also very curious to see how the collaboration of private sectors will occur and adhere to this. Alexander I dead-on when he state that ewe need a cyber division in legislature, this is a direct reflection of the technological times we are living in and cyber defense protects all of us in ways that beyond the scope of this article.

Paul Sprague
InformationWeek Contributor
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/13/2013 | 10:12:55 PM
re: Cybersecurity Executive Order Leaves Tough Work Undone
I'm wary about mandatory standards, because the tricky bit is auditing and enforcement of those standards. However, I was pleased to see the caveat that they would be "outcome-based and technology-neutral." Whether that translates into robust and broadly implemented risk management practices remains to be seen.

Drew Conry-Murray
Editor, Network Computing
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.