Napolitano: We'll Try Voluntary Cybersecurity and See How It Goes


(Washington, DC)  Department of Homeland Security (DHS) Secretary Janet Napolitano today gave a lukewarm thumbs-up to President Obama's recently issued cybersecurity executive order, saying that the Administration will give the voluntary approach to critical infrastructure cybersecurity a chance but that, once again, Congress still needs to pass comprehensive cybersecurity legislation.

Following a State of Homeland Security address at the Brookings Institution here, Napolitano said during Q and A that she hopes Congress will pass a cybersecurity bill along the lines of what the Administration had been promoting last year because "the executive order can only go so far.  It’s not only standards, it’s information sharing.  It’s sharing information early enough so that we can all get in there, find out what the intrusion is and work to mitigate or minimize the harm and to share knowledge about it so others can protect themselves," Napolitano said.

"We can’t mandate that.  That will have to be done legislatively.  We’re going to try to do it with the voluntary adoption and sharing of standards.  We will see how that goes.  But there are areas in the cyber realm that only legislation will help."

Napolitano also addressed how it is that DHS, the primary government department through which the cybersecurity order will work, interacts with two other important cybersecurity federal players, the Department of Defense (DoD) and the FBI.  She said that DHS, the FBI and DoD have developed amongst themselves what they call the "troika" on cybersecurity, collaboratively sharing resources and information to combat cyber threats.  "Working together we have alighted upon a realistic and workable solution for how we organize in the federal government how to deal with cyber."

Napolitano began her talk with a description of what she calls DHS 3.0, which bases its approach to national security threats, including cyber threats, on a "risk-based" strategy.  Ironically, the Brookings Institution just released a paper by Ralph Langner and Perry Pederson concluding that a risk-based approach to cybersecurity, such as that outlined in the cybersecurity order, is doomed to fail. 

Citing the business-based foundation of a risk-based approach, which weighs the costs involved in implementing adequate security against the cost fallout of a cyber incident, the authors conclude:

Unfortunately, this new order is set up to fail. By promoting voluntary action by the private sector supported by information sharing on cyber threats and risk-based standards, the executive order doesn’t deliver on a fresh approach. Efforts to address the very same problem by similar means go back to the Clinton administration and have not resulted in any measurable improvements.

Critical Infrastructure Providers Take Note: Key Deadlines in the Cybersecurity Executive Order


While I was completely off the grid last week, President Obama finally issued the much-anticipated cybersecurity executive order prior to his State of the Union address.  For those who followed the machinations surrounding the order, the contents of the final order contained no surprises.  In almost every respect, it tracked the publicly released draft executive order dated November 21, 2012, which was a very business-friendly modification of some of the early, more pro-regulatory draft orders.

The order, among other things, basically establishes a one-way information flow, ensuring that the government shares technical and cyber threat information with critical infrastructure providers.  Most of the tweaks to the earlier order underscore the importance of government agencies sharing information with critical infrastructure owners rather than the other way around.  Thus the final order is a far cry from the earliest versions, which proposed regulations of critical infrastructure owners to mitigate risks.

New language that emphasizes the importance of providing threat information (particularly classified threat information) to critical infrastructure owners is peppered throughout the order.  For example, Section 4 (a) of the order says "It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats."

Even if the order lacks true bite, a slew of government agencies, offices and departments will nevertheless quickly kick into gear to implement the order's directives.  And any industry or company that might end up categorized as "critical infrastructure" in the order had better get involved right now because the ball will roll very quickly.


The table above and the chart at the top of the article list the major tasks spelled out in the order, when those tasks begin, how much time is slated for completing the task based on its start date and when the task is ordered to be completed.  (Click on the images for clearer resolution).

As you can see, the deadlines are very tight.  NIST, for example, has only 240 days from the date of the order to develop a preliminary cybersecurity framework that includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.  NIST, therefore, must come up with a comprehensive technical, standards-based cybersecurity framework to cover all affected critical infrastructure industries by October 10, which is a very tall order indeed. (Update:  NIST has already issued its RFI for this framework at http://www.nist.gov/itl/cyberframework.cfm).

Congress hasn't been cut out of the cybersecurity maelstrom, not by a long shot.  The day after Obama issued the order, House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA).  From a brief scan of the language, it's basically the same bill of the same name passed by the House last year and slammed by privacy advocates.  Not surprisingly, privacy advocates rushed in to slam this bill on the same grounds.

Moreover, the Obama Administration has said all along that even with this order, Congress must act to redress problems, particularly the lack of incentives for critical infrastructure providers to participate in a meaningful cybersecurity program, that the order cannot legally reach.  Even in his State of the Union address, President Obama reiterated the need for legislation.  "That's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," Obama said.

Mike Rogers: We're in a Cyberwar. Make No Mistake About It.


(Washington, DC) Mike Rogers (R-MI), House Intelligence Committee Chairman, today amped up the rhetoric on cybersecurity by out-and-out declaring that the U.S. is in a cyberwar.  "We're in  a cyberwar, make no mistake about it," he told attendees at the annual winter meeting of the National Association of Regulatory Utility Commissioners (NARUC) here.  "We are in a cyberwar and we're losing," he said.

Rogers said that the government, particularly the National Security Agency (NSA), does a good job of protecting government infrastructure, but that government infrastructure is a small slice of the national security pie.  "When you get over there [at the NSA] you see some big-brained cybersecurity work.  But that's only five percent of networks across America.  There is no government that doesn't use private networks."

He addressed the issue of Iran as a major cybersecurity threat.  "What about countries like Iran? Would they make a non-rational decision.  I argue absolutely.  Look at what they did to the Saudi Arabian oil company Aramco.  They actually broke the machines...you don't get to go reboot" something like that, Rogers said.

Rogers also said that the recent spate of announcements by American newspapers, including the New York Times and the Wall Street Journal, that they have been hacked is a strangely positive development from the perspective of awakening the public to the threat of cyberattacks. "In an odd way, the newspapers that came out and said they'd been hacked is a good thing."

The White House, for its part, still plans to issue an executive order, Dr. Andy Ozment, Senior Director for Cyber Security at the White House, told the NARUC audience, stressing, however, the continued need for the Congress to pass a cybersecurity bill.  "A cyber EO [executive order] would be a downpayment for legislation, not a substitute on it," Ozment said because of the many cybersecurity fixes that  an EO can't reach.

Whatever cyber EO the White House issues, it will emphasis the need for not only information-sharing, but also collaboration.  "We will be very clear about how we will foster engagement.  If we don't have you all at the table, we're lost before we're begun," he said.

Correction:  An earlier version of this post misidentified Mike Roger's state and committee title.

Twitter Delicious Facebook Digg Stumbleupon Favorites More