Alexander, Rogers Appeal for Cybersecurity Legislation While Lute Says It's a Sure Thing


(Washington, DC) National Cybersecurity Awareness Month is not even upon us yet but the DC hype meter tilted into the red today with three dueling cybersecurity events, each populated by prominent panelists who propounded on their pet topics and theories surrounding the state of systems security.  Some attendees moved from event to event throughout the day, catching one set of speakers and then moving on to the next venue.

The speakers across all three events ranged from the highly technical to the highly political, with most emphasizing the need for better cybersecurity policy and practices.  If one common theme emerged across the two dozen-plus speakers and panelists it is the need for a cyber bill which, at the minimum, facilitates information sharing and encourages better conformance to good cyber schemes.

One day-long event was hosted at the National Press Club (keynote videos here) and generated the most buzz due to its opening keynote speaker, embattled National Security Agency (NSA) Director Keith Alexander.  Alexander first castigated what he considered the media leaks flowing from former contractor Edward Snowden and then shifted into a plaintive plea for help from the public and private industry in maintaining the vast electronic intelligence apparatus his agency has built.

"We first have to address media leaks," Alexander said.  Speaking of the call records collection authorized by the Foreign Intelligence Surveillance Court, Alexander attempted again to explain, as he has many times over the past several months, that media coverage has distorted the kinds of information NSA collects, reiterating that the bulk of the collection focuses on metadata, comprising call details such as date, time, length of call, and not on the content of the calls.  "It’s been sensationalized and inflamed in much of the reporting that we’re listening to people’s calls and reading their emails.  That’s flat wrong."

Alexander frequently asked for help and support in maintaining NSA's activities, saying that the security of the nation depends on the efforts of his and other intelligence groups.  "Our mission is to have to defend this country," he said.  "We can’t do it without your help and without the tools that the nation needs."

He also appealed on behalf of those Internet and technology companies that supply data to NSA, stressing that they only do so under court order.  "Industry isn't driving up to NSA, dumping off U.S. persons' or foreign person's data to us," he said.  "What they’re doing is they’re providing what the courts have directed for them to provide."

He walked through a series of statistics about the "incidents" or "violations" that have occurred with the data NSA collects, saying that only 5% involve U.S. persons, and even then mostly involve typos and not deliberate privacy invasions.  Most of the NSA personnel engaged in the violations either retired, resigned or were appropriately admonished.  "What that means for you and the American people is that you are guaranteed that we will do everything we can to protect your civil liberties and your privacy and defend this country," he said.

At another big cybersecurity event, hosted by the U.S. Chamber of Commerce, House Intelligence Committee Chairman Mike Rogers (R-MI) bemoaned how much more difficult it now is to pass cybersecurity legislation due to the controversy triggered by the Snowden leaks.  Rogers, like Alexander, hopes that Congress can move past the drama and enact effective cybersecurity legislation.

He was specifically referring to a bill he co-sponsored, the Cyber Intelligence Sharing and Protection Act (CISPA), which would facilitate cyber threat information sharing.  "I haven't given up on CISPA," Rogers said.

At the third cybersecurity event of the day, hosted by DC lobbying and law firm Venable, Jane Holl Lute, CEO of the Council on CyberSecurity and former Deputy Secretary of the Department of Homeland Security (DHS), said that cybersecurity legislation is practically a sure thing.  "I think it's a near certainty that there will be legislation regarding cybersecurity," she said.

A big factor that will drive Congress is the failure of the marketplace to provide adequate security in the cyber realm.  "Of those who say they want to keep government out, government will step in...because frankly we're at an unacceptable level of vulnerability and the market is not taking care of that," Lute said.

NIST Cybersecurity Framework Subject to Major Work Ahead of Public Comment


The National Institute of Standards and Technology (NIST) is racing the clock to whip into shape the comprehensive cybersecurity framework mandated by President Obama's February executive order.  As my most recent piece for CSO Magazine highlights, critical infrastructure providers say there is a lot of work to get done before the framework, a first-time government effort to bolster better cybersecurity across all critical infrastructure, is published in the Federal Register on October 10 and put out for public comment.

The final framework is due in February, but when it comes to the constantly changing world of cybersecurity, the framework could keep evolving indefinitely.  As Patrick Gallagher, the head of NIST, said, "in my view the framework is never finished."

Check out the full article here.

NIST's Latest Draft Cybersecurity Framework: Not Yet Ready for Primetime


The National Institute of Standards and Technology (NIST) released the latest version of its draft cybersecurity framework on August 28 and the reviews are...mixed.  The voluntary framework, mandated under President Obama's February executive order and intended to help critical infrastructure providers establish better cybersecurity programs, needs a lot more work, experts say, despite the greater detail NIST provided between versions one and two of the document.

But little time remains between a final workshop on the framework that NIST will host in Dallas next week and the October 10th deadline for publishing the preliminary framework in the Federal Register.  Read my latest take on the framework in this article commissioned by CSO Magazine.

Image from the August 28th document released by NIST.
