Cybersecurity Executive Order’s Legacy Dependent on Outcome of Framework Adoption, Experts Say
The legacy of President Barack Obama’s cybersecurity executive order (EO) remains a work in progress even after the National Institute of Standards and Technology’s release last week of the finalized “Version 1.0” Cybersecurity Framework, said cybersecurity experts in interviews. The framework has been the most high-profile element of the executive order, but the experts said the order’s legacy will ultimately depend on whether federal agencies are able to encourage voluntary industry adoption of the framework’s standards and best practices.
NIST released the Version 1.0 framework in tandem with the Department of Homeland Security’s unveiling of its voluntary Critical Infrastructure Cyber Community (C3) program, which will encourage industry adoption of the framework, to mark one year since Obama issued the executive order (CD Feb 13 p5). Experts said they believe the C3 program is inadequate as currently structured and DHS needs to expand it in tandem with expedited White House efforts to introduce effective incentives that will encourage industry adoption.
NIST’s process for developing the framework may be the main legacy of federal agencies’ work over the past year to implement the executive order, said Allan Friedman, a visiting scholar at George Washington University’s Cyber Security Policy Research Institute. Framework development “brought together people who should've been brought together long ago” on cybersecurity issues, giving both the government and industry a better sense of what tools were currently available, he said.
The White House has been adamant about keeping adoption of the framework voluntary, “which is fine if it works, but if it doesn’t they're going to have to go back to the drawing board,” said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program. “The difference from two years ago is that companies are much more aware now about the threat, and the framework gives them a little bit of an incentive to think about what they need to do.” The White House could have been a little more heavy-handed in mentioning regulatory “sticks” along with its work on developing incentive “carrots,” but it’s unsurprising that didn’t occur given that the White House has wanted to avoid “being stuck with the label of instituting job-killing regulations,” Friedman said.
The executive order’s cybersecurity legacy is “still a chapter to be written,” said Bob Dix, Juniper Networks vice president-government affairs and critical infrastructure protection. The first year of the executive order’s implementation included “a lot of meetings and a lot of conversation, but very little action on anything to move the needle in a positive direction on improving the cybersecurity of the nation,” he said. Internet Security Alliance President Larry Clinton said he views the framework’s release and the start of the C3 program as the end of the executive order’s “design phase.” It’s not possible yet to determine the order’s legacy, because there are no clear metrics available to measure its effectiveness, he said.
ISA has argued that the government should put the framework through beta testing to create those metrics, with DHS using the 3,000 companies it has notified of cyberthreats under expanded information sharing programs instituted in the EO as a voluntary test bed. A pilot program would allow the government to look at the economics of implementation and identify any implementation problems, as well as collect “actual metrics and data -- which we don’t have now -- that they can use on a real campaign to roll this out,” Clinton said. “If they can go to industry at large and say which elements will and won’t be cost-effective, and offer appropriate incentives, they can achieve voluntary adoption.” Beta testing outside large companies will also provide a wider array of metrics that will reflect the entire critical infrastructure landscape, he said. Clinton said the Department of Energy used a pilot program in 2012 to test out its Electricity Subsector Cybersecurity Capability Maturity Model before implementing it industrywide. “Can the government do that now? Sure they can,” he said. “A lot of smaller companies aren’t going to naturally pick this framework up and implement it, so the government needs to offer to collaborate and involve the sector coordinating councils.”
DHS C3 Program, Incentives Need Work
The current version of the C3 program consolidates many existing DHS cybersecurity programs and resources, which DHS has tailored to the framework. DHS has said the program’s initial focus will be on engaging with sector-specific agencies and private sector entities to develop guidance on framework implementation, with the intent that the program will later expand its focus as its resources grow. Clinton and Dix said in separate interviews that they had doubts that the C3 program is adequate for initial framework implementation activities. “I'm not sure that what they've discussed so far is going to get it done,” Clinton said. “We're going to need more than the C3 website and another roadshow.”
DHS’s decision not to include new resources in the initial C3 program stems from its reluctance to appear to be expanding its own authority because Congress has been explicitly against that, Friedman said. DHS hasn’t been known to have a “light touch, so it’s interesting they've identified that weakness and aren’t trying to overstep,” he said. The National Cybersecurity and Critical Infrastructure Protection Act (HR-3696), which recently passed the House Homeland Security Committee, would codify DHS’s existing public-private collaboration on cybersecurity issues, but would not extend the department’s powers (CD Feb 6 p7). Friedman views the C3 program as unlikely to remain in its currently constructed form, he said. “It makes a little more sense if you view it as something temporary to ease DHS into its role of shepherding and coordinating the entire world of critical infrastructure cyber protection.”
Future developments to the C3 program may depend on how Secretary of Homeland Security Jeh Johnson, who took over the department in December, decides to change DHS’s blueprint on handling cybersecurity issues and stakeholder engagement, Dix said. DHS hasn’t been effective on stakeholder engagement in comparison with what NIST and DOE have done, he said. “DHS’s metric has been how many meetings they've held or how many people attended, not what action items have come out and what progress has been made.” Dix said he was concerned about DHS’s handling of stakeholder engagement in the writing of the National Infrastructure Protection Plan, and faulted the department for the government’s slow progress on moving forward on cybersecurity incentives.
Dix said he’s “optimistic that new leadership at the top of the department will reinforce the value of working collaboratively. I hope that’s what will happen -- that’s what’s going to be necessary.” DHS may not have a choice but to undertake a NIST-like multistakeholder model to develop the C3 program, Lewis said. “There are so many different actors, and each of them has slightly different interests and concerns.” A DHS spokesman referred us to remarks Johnson made when DHS introduced the C3 program and a blog post by Suzanne Spaulding, DHS acting undersecretary-National Protection and Programs Directorate (1.usa.gov/1guUBYv).
Clinton said he would like to see the White House put the same amount of effort into advancing cybersecurity incentives as it did into developing the framework. However, he said he’s also “encouraged” by news that the White House plans to release a road map in the coming months that will guide action on the eight incentives categories it identified in August. “We haven’t seen much progress on that since then,” Clinton said. The White House and federal agencies can take action on many incentives without needing additional authorization from Congress, including streamlining regulations and making preferential offerings for framework adopters, he said. “Even if DHS were to significantly expand the technical assistance it plans to provide through the C3 program, that would be significant.” Experts have said they don’t anticipate much progress in Congress on most cybersecurity legislation in 2014, including liability protections seen as being an effective incentive (CD Jan 6 p2).
Critical infrastructure entities may also have an incentive to adopt the framework solely to “demonstrate that they don’t need stronger government intervention,” Friedman said. Language in the order directing sector-specific agencies to “keep an eye on things” effectively means that industries “really need to show that they're acting in good faith,” he said. “That’s a stick that’s hidden behind the executive order’s back to say ‘do it this way and play nice. If you don’t, we'll come back in a year or two and say it’s still a national priority and therefore we need stronger titular authority.'”