Napolitano: Voluntary Cybersecurity Framework is "An Experiment" At This Point


Department of Homeland Security (DHS) Secretary Janet Napolitano said today that the voluntary cybersecurity framework outlined in President Obama's February 2013 executive order (EO) and public policy directive is at this point "an experiment" because it grants major responsibility for the nation's security to the private sector, an arguable first in the history of national defense.  Speaking at an event at the Wilson Center in Washington, DC, Napolitano said "the voluntary program…is going to be at this point an experiment and a very important one.  Where security is concerned, we don’t normally depend on the private sector.  We inherently view that as an inherently government function."

Napolitano was specifically referring to the development of a cybersecurity framework taking place under the auspices of the National Institute of Standards and Technology (NIST) pursuant to the EO, which is premised on the idea that a public-private partnership can create cybersecurity rules of the road that minimize cybersecurity breaches across 16 critical infrastructure industries.  "If we can make this work and show that there is a vital ongoing strong partnership…we will have succeeded in this experiment," she said .  

But, "I don’t think we have yet come to closure whether this is an appropriate thing to have shared responsibility as opposed to an inherently governmental responsibility," she stressed.  "This is really the first time in our nation’s history that we’ve approached a major security problem in this way."

Other speakers at the event echoed Napolitano's skepticism.  Former DHS Secretary Michael Chertoff, now Chairman of the Chertoff Group, said "it is kind of a novelty…we don’t really expect the private sector to defend itself against attacks."  The only other alternative is for the federal government to step in which would "put the government into everybody’s computers and everybody’s networks," he said. Speaking about Napolitano's emphasis on how experimental the framework is, Chertoff said "I do think her message is that at the end of the day if it’s not done and the private sector doesn’t step up…the public will demand mandates."

It won't be easy for the private sector to implement the right cybersecurity measures needed, according to Steve Flynn, Founding Co-Director of the George J. Kostas Research Institute for Homeland Security and Professor of Political Science at Northeastern University.  "An element of the challenge here is that we’re kind of late to the game and kind of boilerplate on security safeguards for systems that were not built to be made essentially safe, certainly  for the threats we have," he said.  "It’s a bit like trying to take a raised ranch home and make it handicapped accessible.  It’s going to be expensive, ugly and not work well."

DHS Advisor: There Is a Really Short List of Potential Cybersecurity Catastrophes


(Washington, DC)  One of the Department of Homeland Security (DHS) officials in charge of executing on the key tasks outlined in President Obama's February 2013 cybersecurity executive order (EO) and public policy directive said yesterday that his agency has found few situations that can cause a catastrophe.  "Our critical infrastructure is pretty resilient and we do not see a long list of things that can cause catastrophe," Robert Kolasky, Co-Chair of the DHS Integrated Task Force said during a panel discussing at The Cable Show, the cable industry's big annual conference held here.

Kolasky was mainly referring to the process outlined in the EO whereby DHS is obligated to identify what constitutes critical infrastructure, a controversial task that has to be completed by July 12 of this year. Presumably in developing the list or inventory or identification of critical infrastructure, DHS has examined where potential cyber harm can cause the greatest damage.  "It's going to be a really short list of potential catastrophes," he said, noting that communications and electricity are the top two critical infrastructure sectors under examination.  "We still come at it from the perspective that communications and electricity are critical."

The communications sector may be in better shape than electricity.  "A lot of what we've seen is that there is redundancy and resiliency with communications service," Kolasky said.  The situation is different for the electric sector he said later in an interview because of the various structural and geographic factors that make it difficult to build redundancy and resiliency into the electric grid.

Another task in the EO, the development of a comprehensive cybersecurity framework that covers 16 designated critical infrastructure sectors, is well underway with a third workshop on that framework to be hosted in San Diego during the second week of July.  Critical infrastructure representatives should be really prepped for that meeting, Donna Dodson, Chief of Cybersecurity for the National Institute of Standards and Technology (NIST), the government arm in charge of developing the framework, told the cable group.  "I think it's important from our perspective that people come in to the next workshop with a strong understanding of the executive order and the framework process," she said.

One question dogging the President's EO and policy directive mandates is whether the various agencies involved can meet what some consider to be extraordinarily tight deadlines for a host of difficult tasks on such a complex subject.  "With the executive order, we have really stepped it up," Samara Moore, White House Director for Cybersecurity and Critical Infrastructure said.  Through an active interagency process, "we've been working together to meet the deadlines."

Twitter Delicious Facebook Digg Stumbleupon Favorites More