Digital Version of November/December 2014 Print Edition
Agency leaders explain White House executive order on cyber security
Leaders with expertise in cyber security from private industry, the Department of Commerce, the Department of Homeland Security, the Department of Defense, and other agencies packed an auditorium at the Commerce Department’s Washington, DC, headquarters on Feb. 13 to hear the details of how the president’s newly-announced Cyber Security Executive Order will work.
The answers -- provided by the primary government agencies tasked with implementing the presidential order -- boiled down to private critical infrastructure industries’ willingness to collaborate among themselves on how to protect against the explosion of electronic assaults.
The Executive Order, explained Michael Daniel, special assistant to the president and White House cybersecurity coordinator, is aimed at establishing a firm foundation on which a scaffolding of government and private-sector efforts can be built. The order also looks to set up a new system of information sharing that draws on Defense Department and DHS intelligence to better inform critical infrastructure companies.
President Obama issued the cybersecurity order late on Feb. 12, in the hours leading up to his State of the Union address. The bottom line of the Executive Order, or EO, which is aimed at strengthening the cybersecurity of critical infrastructure, is increased information sharing and a voluntary framework of cybersecurity best practices jointly developed and implemented with private-industry partners.
Cybersecurity, said deputy secretary of commerce Rebecca Blank in remarks at the event, "is the most crucial economic issue."
“The EO takes a step towards action,” said Gen. Keith Alexander, commander of the U.S. Cyber Command and director of the National Security Agency.
DHS deputy secretary Jane Holl Lute said the EO will expand the use of classified information beyond the traditional “defense industrial base” to critical infrastructure industries, while allowing those industries to develop and disseminate their own best practices of protection.
"The EO rests on three pillars," said Daniel: information sharing; privacy and civil liberties; and a voluntary framework of standards.
Under the EO, the White House expands the voluntary Enhanced Cybersecurity Services program beyond the Defense Industrial Base, enabling near-real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
The National Institute of Standards and Technology (NIST) has been tasked by the White House as lead developer of the cybersecurity framework. NIST will work collaboratively with critical infrastructure stakeholders to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective. NIST's director and undersecretary of commerce for standards and technology, Dr. Patrick Gallagher, told private industry not to read too much into the term "standard," adding that the term sometimes gives the impression that something is being imposed. He likened the industry standards under the EO to the collaborative "standards" that allowed the computer industry to develop products that worked together, or to projects like the collaboratively developed "smart grid" technology adopted by the energy industry.
DHS has several jobs under the EO. Within 120 days of the order's issue, the U.S. attorney general, the secretary of Homeland Security, and the director of National Intelligence must each issue instructions that ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions, said the EO, shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.
Also within 120 days, the DHS secretary, in collaboration with the secretary of Defense, has to roll out procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. The voluntary information sharing program, said the White House, will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or to commercial service providers that offer security services to critical infrastructure.
The most difficult part of the order, according to the officials, could be getting everyone in critical infrastructure industries to participate. They all said the EO is a "down payment" on critical legislation from Capitol Hill. "This is a down payment on what we need," said Gallagher. "We need quick legislation" to make the plan most effective, he said.
Congressional legislation might cover minimum requirements for how critical infrastructure companies should protect their operations, information networks, and electronic equipment. Former DHS secretary Michael Chertoff, also in the audience at the Commerce Department event, told reporters that legislation might also push recalcitrant companies, those that don't want to participate in or adhere to the processes and practices developed voluntarily by other companies, to implement protection.