As federal authorities scramble to meet the first wave of milestones outlined in President Obama's February executive order on cybersecurity, administration officials are stressing that the government is seeking a collaborative approach and eschewing heavy-handed mandates for industry stakeholders.
Officials from the White House and the departments of Commerce and Homeland Security described the administration's efforts to develop a coordinated approach to cybersecurity during a panel discussion here at the annual conference hosted by NCTA, the principal trade group representing the cable industry.
The first round of deliverables under Obama's executive order is due to the White House today, with national security officials expected to present reports outlining suggestions for how to develop a better system of sharing information about cyber threats, ways to incentivize stronger security among private-sector businesses, and an approach to incorporating new cybersecurity standards into the federal acquisition and contracting processes.
That work began with the formation of an interagency task force that was convened by DHS and intended to bring together officials from an array of departments with responsibilities for cybersecurity.
Step 1: Having Cybersecurity Conversations
"Challenge number 1," says task force director Robert Kolasky, "was how do we organize the whole community in a way that we can have that conversation."
The view is similar from the White House, which has emphasized the collaborative nature that is essential to the development of any coherent policy on an issue that spans the public and private sectors and touches as many government jurisdictions as cybersecurity.
"None of us can operate on island, particularly as it relates to cybersecurity," says Samara Moore, director for cybersecurity and critical infrastructure at the White House.
Moore is quick to point out the limitations of the executive order, describing it as just one of several fronts on which policymakers must address the cybersecurity threat. In particular, she reiterates the White House's call for legislation that would establish stronger oversight of private-sector operators of critical infrastructure.
Part of the work of the task force that Kolasky heads has been to identify specific elements of that infrastructure where an attack would pose the greatest risk. DHS is to produce that report within a month (or day 150 from the issuance of Obama's executive order; Wednesday marks day 120), enumerating the infrastructure components "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security." The good news, according to Kolasky, is that it's shaping up to be a short list.
"Our critical infrastructure is pretty resilient," he says. "We do not see a lot of things that could cause catastrophe [if attacked]."
The executive order, limited though it is, intends to prod agencies toward crafting a framework to open the lines of communication regarding cyber threats both within the federal government and between the government and industry.
"As it relates to information sharing--in fact, that is the area where we have the most deliverables due later this week--first, it's the government working together to find a way to share information, as much as possible, as much unclassified information as possible, in a timely manner in a way that's actionable such that owners and operators [of critical infrastructure] can leverage that information and be able to act quickly to address and identify the threat," Moore says.
Information Sharing Is Key
Information sharing has been a central component of several proposals for legislation that have emerged on Capitol Hill. The White House has thrown its support behind a comprehensive approach to cybersecurity legislation that would address information sharing along with new regulatory standards for critical infrastructure providers in the private sector, cybersecurity research and development programs and other measures.
In the absence of legislation, however, the directive in Obama's executive order instructs DHS, the attorney general and the director of national intelligences to produce by Wednesday instructions for releasing unclassified information about cyber threats and potential targets that have been identified.
National security officials are also directed to develop a plan for expanding a voluntary program that involves the sharing of classified threat information to all participating critical infrastructure providers, and to formulate a process for promptly disseminating classified reports to cleared private-sector operators.
Upcoming milestones include the release of a preliminary version of the "cybersecurity framework" that Commerce's National Institute of Standards and Technology is to produce by day 240 from the release of the White House executive order.
That framework is to include a "prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," drawing on standards that can be applied across industries and technologies. The framework is intended to include "voluntary consensus standards and industry best practices to the fullest extent possible."
"If you take anything out of this, we don't want to centrally plan what companies do to adopt cybersecurity practices," Kolasky says.
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow Kenneth on Twitter @kecorb. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.
Read more about security in CIO's Security Drilldown.