Cybersecurity Issues ‘Very Urgent’ But Require Long-Term Solutions, White House Official Says
There’s a “very urgent” need to address cybersecurity issues, “but it is also a long-term problem,” said White House Cybersecurity Coordinator Michael Daniel during an event Friday at the Center for Strategic and International Studies. “We didn’t get here overnight, and we're not going to get ourselves out of this situation overnight either,” he said. President Barack Obama signed an executive order on cybersecurity Feb. 12, which he said would help “strengthen our cyberdefenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.” The order, among other things, directs the National Institute of Standards and Technology to lead an effort in conjunction with other federal agencies and industry stakeholders to develop a Cybersecurity Framework of voluntary best practices and other standards that could be used to strengthen the cybersecurity defenses of critical infrastructure (CD Feb 14 p1).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Alan Paller, director of research at the SANS Institute, criticized the executive order for not taking immediate actions on cybersecurity issues. While the administration “can do a lot” to address the problem with the provisions that are included in the order, it would only take 10 days for it to become clear whether anything important will come out of it, he said. “Can you do anything with what you know works, or do you have to give it a year for people to have meetings?” Paller said. NIST is required to publish a final version of the Cybersecurity Framework within one year of the order.
The U.S. will not “actually have to wait an entire year to take any action” on cybersecurity, but it’s “important for us to actually run a very collaborative, very open process, and that takes time,” Daniel said. “It takes time for NIST to do the process that it needs to do to be able to actually get the input from all of the stakeholders. And since we can’t do it without those stakeholders, we recognize that we have to invest the time. So we tried to strike a balance between moving at the normal federal government speed, which would have had us doing something five or six years from now, with actually allowing enough time for collaboration."
Industry executives can begin to take action now on cybersecurity, Daniel said, noting that the administration included suggestions for immediate action in its rollout of the executive order and an accompanying policy directive. Those suggestions include specific cybersecurity questions CEOs can immediately ask their chief information officers to answer (http://xrl.us/bog8kv). “If [they] don’t have good answers to those questions, they know that they've got something that they should start on right now,” Daniel said.
Obama issued the order because “the consequences of inaction are too high,” Daniel said. The potential targets for cyberattacks continue to increase, while cyberattack methods continue to become more sophisticated, he said. The threat a cyberattack poses is also increasing -- attacks that used to pose the Internet equivalent of graffiti have escalated into attacks like the Iranian cyberattack against Saudi Arabia’s Aramco national oil company, he said. In the case of critical infrastructure, “if something bad happened to them in cyberspace, something bad happens in the physical world,” Daniel said.
The onus for making the Cybersecurity Framework succeed will fall on industry stakeholders, said NIST Director Patrick Gallagher. “We deliberately inverted this relationship so the federal agencies don’t become the barrier here,” he said. “I think this really only works if we invert the problem and have a very clear goal and I think there’s real accountability toward that outcome. ... It won’t matter if they tell us what to do and we do it or not, this really has to be a work product of the group."
NIST wants the framework development process to become a “living document” that will allow the public-private partnership on cybersecurity to adapt to the changing nature of cyberthreats over time, Gallagher said. NIST plans to gather information through its normal consultation process -- at first by issuing a request for information in the Federal Register, and then through a series of workshops, he said. The involvement of industry players in the process is critical because they can provide perspective to make the framework function at market scale -- to make it cost-effective so owner-operators will actually adopt the voluntary standards the framework will include, Gallagher said.