(Washington, DC) Department of Homeland Security (DHS) Secretary Janet Napolitano today gave a lukewarm thumbs-up to President Obama's recently issued cybersecurity executive order, saying that the Administration will give the voluntary approach to critical infrastructure cybersecurity a chance but that, once again, Congress still needs to pass comprehensive cybersecurity legislation.
Following a State of Homeland Security address at the Brookings Institution here, Napolitano said during the Q&A that she hopes Congress will pass a cybersecurity bill along the lines of what the Administration had been promoting last year, because "the executive order can only go so far. It's not only standards, it's information sharing. It's sharing information early enough so that we can all get in there, find out what the intrusion is and work to mitigate or minimize the harm and to share knowledge about it so others can protect themselves."
"We can’t mandate that. That will have to be done legislatively. We’re going to try to do it with the voluntary adoption and sharing of standards. We will see how that goes. But there are areas in the cyber realm that only legislation will help."
Napolitano also addressed how DHS, the primary government department through which the cybersecurity order will work, interacts with two other important federal cybersecurity players, the Department of Defense (DoD) and the FBI. She said that DHS, the FBI and DoD have developed amongst themselves what they call the "troika" on cybersecurity, collaboratively sharing resources and information to combat cyber threats. "Working together we have alighted upon a realistic and workable solution for how we organize in the federal government how to deal with cyber."
Napolitano began her talk with a description of what she calls DHS 3.0, which bases its approach to national security threats, including cyber threats, on a "risk-based" strategy. Ironically, the Brookings Institution just released a paper by Ralph Langner and Perry Pederson concluding that a risk-based approach to cybersecurity, such as that outlined in the cybersecurity order, is doomed to fail.
Citing the business-based foundation of a risk-based approach, which weighs the costs involved in implementing adequate security against the cost fallout of a cyber incident, the authors conclude:
Unfortunately, this new order is set up to fail. By promoting voluntary action by the private sector supported by information sharing on cyber threats and risk-based standards, the executive order doesn’t deliver on a fresh approach. Efforts to address the very same problem by similar means go back to the Clinton administration and have not resulted in any measurable improvements.