FIRST: In a surprise move on Tuesday night, President Obama signed the long-awaited and highly anticipated executive order on cybersecurity a day earlier than expected. SECOND: In addition, the administration issued Presidential Policy Directive (PPD) 21, which revokes the ten-year-old Homeland Security Presidential Directive (HSPD) 7 (scroll down to “The PPD” for more coverage). THIRD: We attended a presentation at the Commerce Department today, held by senior executive officials, titled “Update on Administration Priorities for Cybersecurity Policy” (scroll down to “The Administration Presentation” for more coverage).
I. The Executive Order
The EO has been in draft form for several months and, unsurprisingly, the final form focuses on critical infrastructure. The EO defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that [their] incapacity or destruction…would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.” Although this definition is quite broad, the executive order is voluntary for the private sector. Thus, companies that had been concerned in the past about whether they fell under the definition (think CISPA) need not worry as much about the EO.
The mechanism of information sharing plays a prominent role in the EO, which establishes a policy that intends to “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities.” The Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence have 4 months to issue instructions to their respective agencies to “ensure the timely production of unclassified reports of cyber threats.”
One of the most interesting things to me about the EO is the specific wording around how and why shared information will be utilized. The EO states that the reason for information sharing with private sector entities is “so that these entities may better protect and defend themselves against cyber threats” (emphasis added). The question arises as to why that choice of words – “protect and defend”? If they were only talking about defensive cyber measures, the use of “defend” alone would have been sufficient. Given the recent work we have been doing in the area of Active Cyber Defense, I wonder whether the addition of the word “protect” is to convey that information sharing may be used for activities beyond defense.
Balanced against the use of information sharing, the EO spends considerable time laying out how privacy and civil liberties will be protected. Right up front, the Fair Information Privacy Principles are called out. In addition, the DHS Secretary must produce a “publicly available report” within one year that recommends ways to reduce privacy risks.
II. The PPD
PPD-21 sets the national policy on strengthening critical infrastructure security and resilience in both the physical and cyber space by defining DHS’s role. It calls for a comprehensive approach to national preparedness in the event of a physical or cyber attack by sharing responsibility among all important stakeholders, including the federal government, states, and private-sector critical infrastructure owners and operators. To this end, the PPD identifies 16 critical infrastructure sectors and designates an associated Federal Sector-Specific Agency (SSA) for each. Most importantly, however, PPD-21 outlines three strategic imperatives with the ultimate goal of having DHS offer “near real-time situational awareness” about threats that may affect critical infrastructure.
The first imperative directs DHS to operate two integrated, national critical infrastructure centers (one for physical and one for cyber) that can provide critical infrastructure partners with situational awareness and other actionable information. The second imperative tasks DHS with identifying requirements and standards to facilitate timely information sharing between federal departments and critical infrastructure partners. The third imperative, building on the first two, calls for DHS to implement an “integration and analysis function” for the national critical infrastructure centers to conduct vulnerability assessments, support incident response efforts, and provide predictive analytics on attack impacts and effects.
The implementation of the directive calls for DHS to provide the President with the following:
(i) within 120 days of the directive, a description of the functional relationships within DHS and across the federal government for critical infrastructure protection;
(ii) within 150 days, an analysis of existing public-private partnership models with recommendations to improve them;
(iii) within 180 days, a team of experts (including those from private industry and privacy advocates) responsible for identifying data and system requirements to establish information exchange;
(iv) within 240 days, a demonstration of the near real-time situational awareness capability to track threats;
(v) within 240 days, a successor to the National Infrastructure Protection Plan, which will include a risk management framework; and
(vi) within 2 years, an R&D plan accounting for the evolving threat landscape and identifying investment priorities.
Interestingly, the directive’s definition of “security” suggests that DHS’s role in protecting cyber critical infrastructure is limited to defensive cyber measures only. This is in contrast with what some might consider to be the more permissive language envisioned under the EO, as noted above.
III. The Administration Presentation
This morning’s presentation at the Department of Commerce had the feeling of a pep rally. The speakers included Rebecca Blank from Commerce; Mike Daniel, White House Cybersecurity Coordinator; Gen. Keith Alexander, DIRNSA and Commander of U.S. Cyber Command; Jane Lute from DHS; Jim Cole from DOJ; and Dr. Pat Gallagher from NIST.
Ms. Blank led off with the observation that the long line outside to get in meant that the Commerce Department cybersecurity policy meeting was “the place to be this morning,” and in many ways it was, as she declared that the Administration is stepping up to the plate with a whole-of-government approach. Reiterating President Obama’s declaration that we must use existing authorities to move forward, Ms. Blank became the first of many to observe that cybersecurity is a complex challenge that “cannot be addressed by government alone.”
Mike Daniel spoke next, stating that the Administration took a big step forward with the EO and PPD but that the existing threats demanded those actions. According to Mr. Daniel, the Administration is basing its approach on three pillars: information sharing, privacy, and a framework of standards for critical infrastructure. Perhaps most interesting was the observation that the EO “is just a down payment until legislation passes.”
General Alexander stated, as he has in the past, that the threats are real and growing, so we need to act now. Most importantly, we need to extend beyond just information sharing and instead use that information sharing to harden all networks against attack. No one agency, he explained, can do it all. Government and industry must work together as a team. Furthermore, he noted that information sharing alone won’t work. As a result, the EO establishes a Cybersecurity Framework as a way to address the harder challenges. In perhaps one of the most poignant parts of the morning, Gen. Alexander noted that “we need legislation to which everyone can agree.” Such legislation must “remove barriers to sharing information from the private sector to the governments, provide incentives to secure private networks, and address industry liability concerns.”
Jane Lute and Jim Cole followed General Alexander, and both noted the need for an active dialogue between the private sector and the government. Mr. Cole reiterated the existence now of a “whole of government policy” that will allow the private sector to protect itself. He also noted that the activities of the government will be transparent in this process, so as not to lose sight of the privacy obligations that exist.
Pat Gallagher wrapped up with a more detailed description of the Framework than is in the EO. The Framework, he said, intends to help achieve the performance and resiliency described in both the EO and the PPD. He then pointed out that he doesn’t view this as a NIST work product. Instead, it belongs to industry. He further distinguished between standards (which are very precise and measured) and norms (which are used everywhere and developed by industry) as a way of illustrating how the Framework will be developed. Finally, he invited the private sector (and government as well) to help in this effort. To that end, the NIST website will have invitations for input via a series of workshops.
IV. Next steps
The “triple play” was impressive, first because the President took assertive steps to further his cybersecurity agenda and second because all three events occurred within 24 hours. The EO clearly draws some lines in the sand by describing who does what with respect to cybersecurity. It was good to see that those lines have a flexible boundary such that the government and private sector can hopefully work better together with information sharing. Finally, it was also good that some reasonable “teeth” exist (both in the EO and PPD-21) by which progress can be measured. Now, as they say, the devil is in the details.