Recent Posts

Telecom Execs: Industry-to-Industry Cybersecurity Information Sharing is Needed

Telecommunications companies believe that better information sharing among private sector companies is a necessary next step to ensure better critical infrastructure cybersecurity, a goal that can best be accomplished by Congressional action in the wake of  President Obama's February cybersecurity executive order and policy directive.   Or at least that view seemed to be the consensus held by a group of executives speaking today during a policy briefing hosted by USTelecom.

"When it comes to cybersecurity, one of the things we want to get to as an end-state is real-time information sharing.  The best way to do that is with automated threat-sharing," Chris Boyer, Assistant Vice President of AT&T said. "One of the obstacles to that is whether or not that is permitted under the existing legal framework. Every time something comes up with security, we have to consult with our legal department to determine if it can be shared. We really want to expedite that process so that we can make it real-time and respond to the threats."

"We certainly don’t have any automated real-time information sharing links between AT&T and CenturyLink," Kathryn Condello, Director of Cybersecurity and Emergency Preparedness at CenturyLink, said.  "The information sharing does exist but it’s more informal and ad hoc. The time, the speed, the acceleration, the nature of the cyber threat is much, much faster" than what ad hoc information sharing can handle.

"The information-sharing piece is the most immediately important thing for us," Kate Dean, Executive Director, United States Internet Service Provider Association, said.  "To improve and enhance private-to-private and government-to-private will really require an action by Congress."

The NIST-derived cybersecurity framework specified in the Executive Order may not be as important to major telecommunications providers as it will be to smaller companies or other companies in other critical infrastructure sectors because telecom providers are forced by the marketplace to implement best-of-breed security measures.  "There are going to be some sectors where [legislatively extended] incentives [to abide by the framework] are more important than others.  I think the fact that we have to deliver our services on a nanosecond by nanosecond basis has driven the adoption of standards" in telecom, Condello said. "I think that we may find that even if they offered us the incentives, the vast majority of us have already been doing that."

This issue of how cybersecurity practices vary from big to small companies, from competitive to regulated industries, is a theme that has emerged over the past few months, one echoed during the briefing by administration point person Ari Schwartz, Senior Policy Advisor, Department of Commerce. "I've heard a lot from some of the leaders in this space: 'What are you going to tell us that we're not already doing?' If you're a leading company, you're already doing what you need to do to protect this space." But, "there are a number of companies that are not even putting the basic protections in place," he said.

The telecom providers also agreed that for now the Federal Communications Commission (FCC) should bow out of the process, despite the fact that the presidential policy directive accompanying the order (PPD-21) directs the FCC to partner with the Department of Homeland Security (DHS) and others in developing guidance and recommendations. "When you look at what’s happening now...there are eight streams within the sector coordinating council [at DHS], there will be a lot of activity around the framework.  As a practical matter it will be a challenge for the industry to staff additional work over at the CSRIC [Communications Security, Reliability, and Interoperability Council at the FCC]," AT&T's Boyer said.

Image of Ari Schwartz captured from screenshot.

GAO: Only 8 of 22 Federal Agencies Comply with Cyber Risk Management Requirements

During 2012, only eight of 22 major government agencies complied with cybersecurity risk management requirements mandated under the Federal Information Security Management Act (FISMA), down from 13 out of 24 in 2011, a top official from the General Accounting Office (GAO) told the Senate Homeland Security and Governmental Affairs Committee today during a hearing.  Citing a little-noticed report that the GAO issued last month, Gregory C. Wilshusen, Director of Information Security Issues at GAO, said that President Obama's cybersecurity executive order, also issued last month, is a good step but must be integrated into an "overarching strategy that includes a clearer process for oversight of agency risk management" based on the study's examination of weaknesses in the federal government's own cybersecurity practices.

The main attraction of the hearing, aimed at examining the executive order, was Department of Homeland Security (DHS) Secretary Janet Napolitano, who said that the just-imposed sequester cuts will no doubt disrupt DHS' cybersecurity efforts. "We do not have the luxury of making significant reductions to our capabilities without having significant impacts," she said.

Patrick Gallagher, Under Secretary for Standards and Technology at the Department of Commerce said that  Commerce's National Institute of Standards and Technology (NIST), which is charged with developing a comprehensive cybersecurity framework under the recent executive order, will likely not be as disrupted by the sequester cuts when it comes to getting that framework out the door.  "I am hopeful that there is a very minimal impact on our ability to deliver the framework," he said.

NIST plans to host  at least four workshops in order to develop the final draft of the framework within the one-year deadline established in the order, with the first workshop slated for April 3 at NIST facilities in Gaithersburg, MD.  But, how easily NIST will be able to get its arms around the thorny and intricate topic remains to be seen.

NIST plans to model its process on its earlier efforts to develop standards for the smart grid and cloud computing, although far more people will probably be involved in this cybersecurity effort, Gallagher said. "In the case of smart grid, we were up to over 1,600 people [involved in developing the standards] and this is broader than that."

Biggest Challenge for Cybersecurity Executive Order: Herding All the Cats

Department of Homeland Security Secretary Janet Napolitano is about to testify today before the Senate Committee on Homeland Security and Governmental Affairs regarding the President's February 12 cybersecurity executive order.  As I've mentioned in the past, the cybersecurity scene in Washington is a labyrinth, and the recent EO only promises to make it much more so.

By my reckoning there are 15 government departments, agencies or offices responsible for implementing it, each to varying degrees.  They are:
  1. Administrator of General Services
  2. Attorney General
  3. Department of Agriculture (Named via Sector Specific Agency references)
  4. Department of Commerce's NIST
  5. Department of Defense
  6. Department of Energy (Named via Sector Specific Agency references)
  7. Department of Health and Human Services (Named via Sector Specific Agency references)
  8. Department of Homeland Security
  9. Department of the Treasury (Named via Sector Specific Agency references)
  10. Director of National Intelligence
  11. Environmental Protection Agency (Named via Sector Specific Agency references)
  12. Federal Acquisition Regulatory Council
  13. National Security Agency
  14. Office of Management and Budget
  15. Privacy and Civil Liberties Oversight Board
And the order covers 16 critical infrastructure industries.  They are:
  1. Chemical
  2. Commercial Facilities
  3. Communications
  4. Critical Manufacturing
  5. Dams
  6. Defense Industrial Base
  7. Emergency Services
  8. Energy
  9. Financial Services
  10. Food and Agriculture
  11. Government Facilities
  12. Healthcare and Public Health
  13. Information Technology
  14. Nuclear Reactors, Materials, and Waste
  15. Transportation Systems
  16. Water and Wastewater Systems
If I were on the Homeland Security Committee, I'd be asking a lot of questions about how DHS plans to herd all these cats through the labyrinth on such a complex subject.  Stay tuned for an update on the hearing itself.
