Obama's Cybersecurity Mandate Hits First Milestone

As federal authorities scramble to meet the first wave of milestones outlined in President Obama's February executive order on cybersecurity, administration officials are stressing that the government is seeking a collaborative approach and eschewing heavy-handed mandates for industry stakeholders.

Officials from the White House and the departments of Commerce and Homeland Security described the administration's efforts to develop a coordinated approach to cybersecurity during a panel discussion here at the annual conference hosted by NCTA, the principal trade group representing the cable industry.

The first round of deliverables under Obama's executive order is due to the White House today, with national security officials expected to present reports outlining suggestions for how to develop a better system of sharing information about cyber threats, ways to incentivize stronger security among private-sector businesses, and an approach to incorporating new cybersecurity standards into the federal acquisition and contracting processes.

That work began with the formation of an interagency task force that was convened by DHS and intended to bring together officials from an array of departments with responsibilities for cybersecurity.

Step 1: Having Cybersecurity Conversations

"Challenge number 1," says task force director Robert Kolasky, "was how do we organize the whole community in a way that we can have that conversation."

The view is similar from the White House, which has emphasized the collaborative nature that is essential to the development of any coherent policy on an issue that spans the public and private sectors and touches as many government jurisdictions as cybersecurity.

"None of us can operate on an island, particularly as it relates to cybersecurity," says Samara Moore, director for cybersecurity and critical infrastructure at the White House.

Moore is quick to point out the limitations of the executive order, describing it as just one of several fronts on which policymakers must address the cybersecurity threat. In particular, she reiterates the White House's call for legislation that would establish stronger oversight of private-sector operators of critical infrastructure.

Part of the work of the task force that Kolasky heads has been to identify specific elements of that infrastructure where an attack would pose the greatest risk. DHS is to produce that report within a month (or day 150 from the issuance of Obama's executive order; Wednesday marks day 120), enumerating the infrastructure components "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security." The good news, according to Kolasky, is that it's shaping up to be a short list.

"Our critical infrastructure is pretty resilient," he says. "We do not see a lot of things that could cause catastrophe [if attacked]."

The executive order, limited though it is, intends to prod agencies toward crafting a framework to open the lines of communication regarding cyber threats both within the federal government and between the government and industry.

"As it relates to information sharing--in fact, that is the area where we have the most deliverables due later this week--first, it's the government working together to find a way to share information, as much as possible, as much unclassified information as possible, in a timely manner in a way that's actionable such that owners and operators [of critical infrastructure] can leverage that information and be able to act quickly to address and identify the threat," Moore says.

Information Sharing Is Key

Information sharing has been a central component of several proposals for legislation that have emerged on Capitol Hill. The White House has thrown its support behind a comprehensive approach to cybersecurity legislation that would address information sharing along with new regulatory standards for critical infrastructure providers in the private sector, cybersecurity research and development programs and other measures.

In the absence of legislation, however, the directive in Obama's executive order instructs DHS, the attorney general and the director of national intelligence to produce by Wednesday instructions for releasing unclassified information about cyber threats and potential targets that have been identified.

National security officials are also directed to develop a plan for expanding a voluntary program that involves the sharing of classified threat information to all participating critical infrastructure providers, and to formulate a process for promptly disseminating classified reports to cleared private-sector operators.

Upcoming milestones include the release of a preliminary version of the "cybersecurity framework" that Commerce's National Institute of Standards and Technology is to produce by day 240 from the release of the White House executive order.

That framework is to include a "prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," drawing on standards that can be applied across industries and technologies. The framework is intended to include "voluntary consensus standards and industry best practices to the fullest extent possible."

"If you take anything out of this, we don't want to centrally plan what companies do to adopt cybersecurity practices," Kolasky says.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow Kenneth on Twitter @kecorb. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.
