Risk
2/13/2013
01:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cybersecurity Executive Order Leaves Tough Work Undone

Government and industry must work together in challenging new ways to implement the White House's executive order on cybersecurity, top federal officials said Wednesday.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
It will require a lot of hard work and extensive new public-private collaboration to improve the nation's cybersecurity posture, key federal officials repeatedly stressed Wednesday in their first public remarks since the release of the White House's executive order on cybersecurity.

"Cybersecurity must be a shared, collective endeavor," White House cybersecurity coordinator Michael Daniel said before a packed crowd of officials and industry executives at a Department of Commerce event Wednesday morning, adding that success in implementing the order will depend on the government "forging new relationships" among agencies and with the private sector.

The new executive order unveiled late Tuesday sets up and expands public-private cybersecurity threat information sharing initiatives and creates a process for building a framework of voluntary cybersecurity standards for critical infrastructure companies.

[ Will budget cuts derail cybersecurity plans? Read Federal CIO Details Concerns On Looming Budget Cuts. ]

"The American people deserve nothing less than a whole-of-government approach," said Rebecca Blank, deputy secretary of the Department of Commerce, adding that "the government cannot do this alone."

According to Daniel, the cybersecurity executive order itself is the product of extensive outreach by the White House. "An enormous number of stakeholders' views are incorporated into the executive order," he said.

The Department of Homeland Security has the job of creating a task force to keep stakeholders at the table and over the next several weeks agencies tasked with implementing the executive order will hold an additional series of meetings with trade associations, other agencies and sector coordinating councils to discuss next steps. Among the first tasks will be to identify critical infrastructure entities nationwide, senior DHS cybersecurity official Bruce McConnell told InformationWeek.

"The systems that we depend on are overwhelmingly owned and operated by industry," added National Security Agency director and U.S. Cyber Command commander Gen. Keith Alexander. "We need to make sure private sector companies have the information they need to protect their networks and have that information in a timely manner."

That will require sharing among private sector entities and with government as well as government to private sector sharing, Alexander added, saying that the government often suffers from "blind spots" that prevent Cyber Command and others from knowing what they need to know to better defend the nation against cyber attacks.

According to McConnell, companies from various industries are already expressing interest in the Enhanced Cybersecurity Services program, which grew out of the defense industry-specific Defense Industrial Base pilot.

However, McConnell added, work still needs to be done to determine further incentives to spark interest and participation in both information sharing and adoption of voluntary cybersecurity standards that the executive order would establish. Part of that challenge will come from understanding the disparate needs of the different critical infrastructure sectors, Alexander said.

In addition to information, the other collaborative piece to the executive order will be the development and establishment of voluntary and possibly in some cases mandatory cybersecurity standards for critical infrastructure entities.

DHS and the National Institute of Standards and Technology will work closely together with industry to develop a framework for these standards, one that DHS deputy secretary Jane Lute said will be "outcome-based and technology neutral." According to Lute, DHS has already begun dialogs on these standards between the electricity sector and the Department of Energy and the financial sector and the Department of Treasury, among others.

In remarks at the event and an in interview with InformationWeek afterwards, NIST director Patrick Gallagher sketched out the yet-to-be developed framework a bit more. "The framework [will be a] series of practices, standards, guidance, methods, methodologies, whatever it takes that if implemented would create a desired level of resilience and cybersecurity effectiveness," he said. "The framework will include both broad principles and methods, common practices and tools, specific and sometimes sector-specific practices."

Gallagher was quick to say that while NIST will coordinate the development of the framework, the private sector will play a lead role. "This is not a NIST framework," he said. "This framework will also belong to industry. What we are trying to create is an aligned effort." NIST has already posted a number of questions on its website that it intends to ask in a forthcoming request for information seeking industry input on the framework.

While officials Wednesday stressed the need for collaboration throughout the implementation process, a number of them also said that the executive order alone is insufficient. Both Daniel and Alexander, among others, urged Congress to pass bipartisan legislation to fill in gaps in the executive order.

One unanswered question is how and when that legislation will come together and make it to the President's desk in a form that the Obama Administration is willing to sign. Even Alexander, who has numerous times told Congress that cyber legislation is needed, admitted Wednesday that agreement on legislation is "challenging" due to differences in philosophies on the proper role of government in the cyber space.

With implementation months away, and officials continuing to push for legislation, what's clear is that much more needs to be done to put in place robust processes for government and industry to work together to improve the nation's cybersecurity. The executive order was a first step, but is only just that. Said NIST's Gallagher: "We're at the beginning of the beginning."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/13/2013 | 10:12:55 PM
re: Cybersecurity Executive Order Leaves Tough Work Undone
I'm wary about mandatory standards, because the tricky bit is auditing and enforcement of those standards. However, I was pleased to see the caveat that they would be "outcome-based and technology-neutral." Whether that translates into robust and broadly implemented risk management practices remains to be seen.

Drew Conry-Murray
Editor, Network Computing
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/19/2013 | 8:05:51 AM
re: Cybersecurity Executive Order Leaves Tough Work Undone
I am actually glad to see that this is a concern and also a part of protection, just like the military protects us physically. I am also very curious to see how the collaboration of private sectors will occur and adhere to this. Alexander I dead-on when he state that ewe need a cyber division in legislature, this is a direct reflection of the technological times we are living in and cyber defense protects all of us in ways that beyond the scope of this article.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.