Just in time for cybersecurity awareness month in October, the White House will launch the initial operating capability of the cyber threat intelligence integration center (CTIIC).
Michael Daniel, the White House cybersecurity coordinator, said Sept. 10 at the NIST cybersecurity event in Washington that some of the initial capabilities are moving in place.
“We are hopeful we can get all of that together and have it start producing some of its products in the first part of the fiscal year,” Daniel said.
As a quick refresher, the White House announced the creation of the CTIIC in February, modeling it after the approach used after the Sept. 11, 2001 attacks to better bring together terrorism-related information. The broader goal of the CTIIC is to look beyond the ones and zeros, and combine what the intelligence community knows about malware with what it also knows about the rest of the world, including the state and non-state actors who are using it.
Daniel said he hopes the new cyber information sharing construct plays mostly a behind-the-scenes role.
“If it does its job well, it will not be something that is terribly visible to the outside world,” he said. “It’s really designed to actually enable the government to get its act together and really understand that intelligence picture much more effectively.”
Daniel said creating this full picture of the government’s intelligence capabilities will take some time.
But Congress and the White House already are fighting over the CTIIC even before it gets off the ground.
In the House’s version of the 2016 Intelligence Authorization Act, lawmakers detail prescriptive rules around the creation of the organization. The bill, H.R.-2596, which passed the full House in June, would limit the CTIIC to have 50 permanent positions, not be allowed to augment the staff with contractors, detailees or other typical ways, must be located in an office owned or run by the intelligence community and lays out five primary mission areas.
The White House pushed back in its Statement of Administration Policy on the bill, saying it objects to the House’s provisions because it expands the role of the CTIIC into functions that already are being performed in the government.
“Given the rapidly changing nature of cyber threats to the United States, the CTIIC will require flexibility in executing its core functions,” the administration wrote. “Furthermore, the limits this bill would place on CTIIC’s resources, and the expansive approach the bill would take with regard to CTIIC’s missions, are unnecessary and unwise, and would risk the CTIIC being unable to fully perform the core functions assigned to it in the bill.”
The Senate’s version of the intelligence authorization bill, S.1705, received approval from the Intelligence Committee in July. The report on the bill, however, doesn’t mention the CTIIC or even cyber.
Related to the CTIIC, Daniel said summer of 2014 his office reconstituted an interagency group focused on cyber responses.
“It’s the body I use to help coordinate interagency response to major cyber incidents,” he said. “We also are looking to mature how we engage with the private sector. We’ve spent an extensive amount of time to-date with the financial services industry, talking about how we can better partner with that industry. To that end, we’ve been convening a series of table-top exercises to better understand how both sides actually respond to incidents. Of the key lessons we’ve learned is that neither side really understands what the other one does when the balloon actually goes up.”
Beyond the CTIIC, Daniel offered a few other tidbits worth noting.
He praised the Office of Management and Budget’s efforts around cyber, saying Tony Scott, the federal chief information officer, and his staff have really taken critical steps through the cyber sprint and other actions to improve the security of federal data and networks.
“We see many systemic weaknesses across federal IT networks and we really have to work to improve the IT security of those networks,” he said. “We worked very close with Tony Scott to help create and work on the cybersecurity sprint, which really focused on patching critical vulnerabilities rapidly within the federal government, actually figuring out how many privileged users we really had across the federal government, and tightening down on those, making sure we are deactivating accounts when they are no longer needed, and dramatically accelerating implementation of multi-factor authentication, especially for privileged user.”
Daniel said his office is working with OMB on implementing a plan to further operationalize the protection of federal networks, including the need to standardize and automate many of the manual processes, strengthening the security across the entire lifecycle of a network or system, retiring legacy systems and reducing the attack surface agencies face by segmenting networks.
“This surge to better protect the federal enterprise will be augmented by a range of policy tools. For the first time in 15 years, OMB is updating Circular A-130. As long as I’ve been doing cybersecurity, there has been talk of updating A-130, so I think it’s great we are finally getting around to it,” Daniel said. “Our goal is by the end of 2015 to have this updated foundational document for federal IT policies.”