The White House’s much anticipated Executive Order on cybersecurity depends on a simple premise: How well can the Homeland Security Department and the National Institute of Standards and Technology work with industry. DHS and NIST are the lynchpins to the collaborative effort to create voluntary standards and increase information sharing as called for in the new order and Presidential Policy directive.
Michael Daniel, the White House’s cybersecurity coordinator, said the order calls for a “whole of government approach” to securing the nation’s critical infrastructure. But DHS and NIST will do the heavy lifting across all three major sections of the strategy.
DHS will have an expanded role, but in many ways it’s in addition to what it has been doing for a number of years as opposed to doing new stuff.
“One of the key tasks that need to be done, that is a heavy lift, from a difficulty standpoint, is the identification of critical infrastructure,” said Bruce McConnell, a cybersecurity counselor for the National Protection and Programs directorate at DHS. “Section 9 of the order says identify those critical infrastructure entities who own systems and assets which if they were disrupted by cyber attack or incident would create a catastrophic event. We have a list of systems and assets today that we’ve done for other purposes, but not really focused on the cyber piece of it.”
McConnell said a DHS led task force will talk with the critical infrastructure sectors and find out what they think their most critical systems and assets are and how are they being protected today.
DHS is facing several deadlines in the next six-to-eight months and already is hitting the ground running.
Among the requirements for DHS in the EO are to:
Develop a description of the relationships in the federal government with the critical infrastructure security and resilience in 120 days.
Complete the assessment of public-private partnership model and recommend ways to improve it in 150 days
Develop a situational awareness capability for critical infrastructure in 240 days
Update national infrastructure protection plan in 240 days
One area where the agency has begun work is around the expansion of the cyber information sharing program, now called the Enhanced Cyber Services program, instead of the Defense Industrial Base (DIB) pilot.
The order stated the goal is to share classified and unclassified cyber threat information with the private sector.
Jane Holl Lute, the deputy secretary at DHS, said the cybersecurity framework NIST will develop is an important piece to the expanding participation in the cyber threat information sharing program.
“These baseline security improvements will better position many firms to participate in the information sharing programs,” she said. “For example, we’ve already begun with the Department of Energy a dialogue with the electricity sector and we look forward to continuing this effort. Similarly, we’ve been working with the Department of Treasury in the financial sector. And we will continue to work with all of the sector specific agencies and sector coordinating councils that represent industry to develop programs to assist companies with implementing the framework and identifying incentives for its adoption.”
McConnell added the information sharing program is open to all companies and DHS will help speed up the security clearance process for people in the company who will receive the information from the government.
“I think we are starting to see interest among the non-Defense industrial base companies in the [information sharing] program,” McConnell said. “We are in the early stages, but expressions of interest have been quite positive.” NIST and DHS also will work together to create the broad cybersecurity framework to secure critical infrastructure systems . Patrick Gallagher, the director of NIST, said the two organizations signed a memorandum of agreement earlier this week to ensure their efforts are aligned. NIST will continue to act as a convener and use a collaborative approach to pull together the best practices from across the community. The goal is to create a voluntary cybersecurity framework.
“The whole idea here is to empower industry to be responsive. So you have to put the performance goal out there and basically the ball goes entirely into industry’s court,” Gallagher said. “The extent to which they can provide a very robust framework will provide I think the best answer because it could minimize the need for additional regulatory action or other sort of unilateral action. It could enhance the fact this is being done as broadly as possible so the markets are wide open. So I think in some ways this is the most empowering way I could envision stepping out on this issue.”
Incentive recommendations due soon
He said the collaborative process will start by NIST pulling together all existing best practices, whether from government or from industry. Then, the agency will host a series of workshops, with the first one likely scheduled for early April, to gather input and have a discussion with industry and other experts.
“I would expect this framework to be a layered approach,” Gallagher said. “It will include both broad principles and methods, identify common practices and tools as well as identify specific and in some cases sector specific practices and tools.”
Gallagher said by encouraging industry to lead the effort he hopes the framework will be used, and be a living document that gets updated as needed. He said the EO also includes approaches to incentivize adoption by industry. NIST, the General Services Administration, the Treasury Department and others are developing a report on how best to get industry to adopt the framework. That report is due in the next 120 days.
NIST has 240 days to publish the preliminary version of the cybersecurity framework, and must finalize it within a year. Reaction to the order has been mixed.
Alan Paller, director of research for the SANS Institute, initially was disappointed with the summary draft, but changed his mind after seeing the White House held strong against industry pressure.
“All summer and early fall the industry lobbyists made repeated visits to the White House pressing to remove any words like mandate or words that required any company to do anything to protect the computers on which America depends. They were entirely successful and by November all that was left were voluntary standards and incentives for good behavior and a hope that industry might act voluntarily. Then when I saw the summary of the EO that had nothing about prioritized controls or incentives for compliance, I assumed that the industry lobbyists had come back for another diminution. I was wrong,” he said. “Bottom line: I am impressed that the White House had the strength of conviction to hold on to the elements they did. The country deserves more. We will know that when a major telecom supplier or power supplier is out of operation for an extended period. But as Winston Churchill so famously quipped: ‘Americans can always be counted in to do the right thing …after they have exhausted all other possibilities.'”
Place holder for legislation
The U.S. Chamber of Commerce expressed disappointment with the order, saying it’s an overreach and the critical infrastructure owners and operators don’t need any new regulation. The EO instructs DHS and the sector specific agencies, such as Energy or Treasury, to review existing regulations and decide if they need to be updated, meaning new regulations are possible.Verizon also expressed disappointment with the order.
Craig Silliman, Verizon senior vice president, public policy, said in a statement that order fails to include IT and software providers. “Categorically excluding relevant entities in the Internet ecosystem undermines our shared objective of protecting critical broadband assets,” he said.
“The administration has acknowledged that the order cannot address all of the important policy issues needed to improve our national cybersecurity posture. Federal legislation is necessary. Verizon supports bipartisan, consensus-based legislation that boosts ongoing cybersecurity efforts by promoting the sharing of cyber threat information among communications companies and federal agencies, and provides appropriate liability protections and consumer privacy safeguards. ”
Other industry organizations such as TechAmerica and the Professional Services Council, are supportive of the order, but called for legislation. Michael Daniel, the White House’s cyber coordinator, said the order is a down payment on the legislation and continues the ongoing conversations about cybersecurity.
“I expect these conversations will actually continue as we go through the hard work of implementing this executive order. So the bottom line is we will need your help in making this EO work. Cybersecurity must be a shared collective endeavor. I’m asking everyone in the audience today to help us make the information sharing processes work and useful, to help us make the frameworks effective, useful and actually reflect the needs of industry, and help us put these frameworks into place.”