Reassuring Industry on IT Best Practices
Federal Government Will Follow Industry's Lead on Standards
Top administration officials told Congress that industry, not the federal government, will take the lead in establishing IT security best practices for critical infrastructure operators called for in a presidential executive order.
At a Senate hearing on March 7, Homeland Security Secretary Janet Napolitano and National Institute of Standards and Technology Director Patrick Gallagher addressed concerns, raised by big industry groups, that the government would dictate IT security best practices for critical infrastructure operators.
Napolitano said that the federal government would carry over into the cyber domain the well-established practices it already uses to protect physical critical infrastructure. In the physical arena, she said, businesses in 18 different sectors have taken the lead in shaping performance goals and standards. "In a way," the secretary said, "this is simply extending that into the cyber-realm. We intend and are pursuing a realm that's collaborative in nature. Our goal is set to set performance goals, and NIST then establishes the framework and the standards on how those goals are reached."
Gallagher explained that NIST, the Commerce Department agency tasked by President Obama to develop IT security best practices with industry, is organizing at least four workshops with the private sector to do just that. He said he expects representatives from thousands of businesses to participate.
"The way we like to approach that is by having the industry and critical infrastructure community put the framework together themselves," Gallagher testified. "We've done this approach in smart grid and cloud computing, where those same stakeholders, who are operating either under mandatory or industry-led standards, are quite willing to put those on the table. That's actually the starting point for this framework process. This is not NIST developing new or additional material. This is much better thought of as a harmonization of what industry is presently doing itself."
Protecting Critical Infrastructure vs. Intellectual Property
One of the key threats to business is the theft of intellectual property, but in response to a question from Sen. Tom Coburn, R-Okla., Napolitano said the federal government considers keeping critical infrastructure functioning as more important than safeguarding corporate trade secrets.
Napolitano said it's easier to quantify investments to protect intellectual property and trade secrets than to prevent a catastrophic attack against infrastructure. "Our key interest is the protection of the country from a cyber-event that could cause undue economic loss, or in worst-case circumstance, even endanger life," Napolitano said.
The Senate Homeland Security and Governmental Affairs Committee and the Commerce, Science and Transportation Committee - both panels with cybersecurity oversight - sponsored the hearing.
Impact of Sequestration on Cybersecurity
Napolitano told the joint session that the automatic budget cuts known as sequestration, which took effect March 1, mean that DHS could experience a 10 to 12 percent reduction in the filling of vacancies at United States Computer Emergency Readiness Team, which coordinates cyber-incident responses. Funding cuts also could delay by a year implementation of a sophisticated network intrusion detection program known as Einstein 3 Accelerated.
Gallagher said sequestration should have little impact on the NIST task to help implement President Obama's executive order to coordinate the development of IT security best practices, although other NIST initiatives would feel the budget pinch. "It's hard to say that cybersecurity is not going to be in top of that [priority] list," said Gallagher, who as NIST director also serves as Commerce Department undersecretary for standards and technology.
CISPA Opposition Voice
Prompted by a question from Commerce Committee Chairman Jay Rockefeller, D-W.Va., Napolitano said she sees deficiencies in the Cyber Intelligence and Sharing Protection Act, the bill commonly known as CISPA, which the leaders of the House Permanent Select Committee on Intelligence reintroduced last month. CISPA passed the House last year but never came up for a vote in the Senate.
President Obama threatened to veto CISPA last year, and Napolitano said the administration has the same problems with the bill this year, contending it lacks privacy protections and gives too much responsibility to the National Security Agency, the electronics spy agency within the military, when much of the activity surrounding information sharing focuses on civilian agencies and businesses. "It has no privacy protections built around it, which is particularly important in the civilian realm," she said.
Napolitano said CISPA also is too narrowly focused, and the administration seeks legislation to codify in law the presidential executive order on information sharing and establishing best IT security practices, as well as address other cybersecurity needs. Among those needs: updating the Federal Information Security Management Act to emphasize continuous monitoring for vulnerabilities of federal IT systems, as well as increased investments in cybersecurity research and development. "As we kind of lay out the topics involved under the umbrella of cybersecurity, real-time information sharing is critical, but it is not the only concern we have in this arena," Napolitano said.
Rockefeller and Sen. Tom Carper, the Delaware Democrat who chairs the Homeland Security and Governmental Affairs Committee, agreed that more comprehensive legislation is needed and pledged to move such a measure in the 113th Congress.
GAO Details Cybersecurity Challenges Confronting the Government
Gregory Wilshusen, director for information security issues at the Government Accountability Office, testified that the federal government faces challenges in effectively implementing cybersecurity, including:
- Designing and implementing risk-based cybersecurity programs at federal agencies. "Shortcomings persist in assessing risks, developing and implementing security programs, and monitoring results at federal agencies," Wilshusen said, "due in part to the fact that agencies have not fully implemented information security programs, resulting in reduced assurance that controls are in place and operating as intended to protect their information resources."
- Establishing and identifying standards for critical infrastructures. "Agencies with responsibilities for critical infrastructure have not yet identified cybersecurity guidance widely used in their respective sectors," he said. "Critical infrastructure sectors vary in the extent to which they are required by law or regulation to comply with specific cybersecurity requirements."
- Detecting, responding to and mitigating cyber-incidents. Sharing information among federal agencies and key private-sector entities remains a challenge, due to, for example, the lack of a centralized information-sharing system, Wilshusen said, adding that DHS has yet to fully develop a capability for predictive analysis of cyberthreats.
Wilshusen pointed out that federal law assigns the Office of Management and Budget responsibility for oversight of federal government information security, yet OMB has transferred some of that responsibility to DHS.
"This decision may have had practical benefits, such as leveraging additional resources and expertise, but it remains unclear how OMB and DHS are to share oversight of individual departments and agencies," Wilshusen said. "Additional legislation could clarify these responsibilities. Further, without an integrated strategy that includes key characteristics, the federal government will be hindered in making further progress in addressing cybersecurity challenges."