Department of Homeland Security (DHS) Secretary Janet Napolitano said today that the voluntary cybersecurity framework outlined in President Obama's February 2013 executive order (EO) and public policy directive is at this point "an experiment" because it grants major responsibility for the nation's security to the private sector, an arguable first in the history of national defense. Speaking at an event at the Wilson Center in Washington, DC, Napolitano said "the voluntary program…is going to be at this point an experiment and a very important one. Where security is concerned, we don’t normally depend on the private sector. We inherently view that as an inherently government function."
Napolitano was specifically referring to the development of a cybersecurity framework taking place under the auspices of the National Institute of Standards and Technology (NIST) pursuant to the EO, which is premised on the idea that a public-private partnership can create cybersecurity rules of the road that minimize cybersecurity breaches across 16 critical infrastructure industries. "If we can make this work and show that there is a vital ongoing strong partnership…we will have succeeded in this experiment," she said.
But, "I don’t think we have yet come to closure whether this is an appropriate thing to have shared responsibility as opposed to an inherently governmental responsibility," she stressed. "This is really the first time in our nation’s history that we’ve approached a major security problem in this way."
Other speakers at the event echoed Napolitano's skepticism. Former DHS Secretary Michael Chertoff, now Chairman of the Chertoff Group, said "it is kind of a novelty…we don’t really expect the private sector to defend itself against attacks." The only other alternative is for the federal government to step in, which would "put the government into everybody’s computers and everybody’s networks," he said. Speaking about Napolitano's emphasis on how experimental the framework is, Chertoff said "I do think her message is that at the end of the day if it’s not done and the private sector doesn’t step up…the public will demand mandates."
It won't be easy for the private sector to implement the right cybersecurity measures needed, according to Steve Flynn, Founding Co-Director of the George J. Kostas Research Institute for Homeland Security and Professor of Political Science at Northeastern University. "An element of the challenge here is that we’re kind of late to the game and kind of boilerplate on security safeguards for systems that were not built to be made essentially safe, certainly for the threats we have," he said. "It’s a bit like trying to take a raised ranch home and make it handicapped accessible. It’s going to be expensive, ugly and not work well."