White House just getting started on cybersecurity
Report details the year's progress, but a lot of work remains
The White House yesterday released a progress report
highlighting its accomplishments in securing cyberspace following last year's Cyberspace Policy Review. And although the administration has made some real progress, security experts say the job is far from finished.
Since President Obama’s statement in May 2009 that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and “America's economic prosperity in the 21st century will depend on cybersecurity,” he has appointed a cybersecurity coordinator, established a military cyber command and initiated national strategies for trusted identity and incident response. The Commerce Department is supporting deployment of the DNS Security Extensions protocols to secure the Internet’s Domain Name System.
A team also is updating the Comprehensive National Cyberspace Initiative, established by President Bush in the previous administration.
“This revised Presidential Directive will further elaborate and advance implementation of the strategy outlined by the [Cyberspace Policy Review] and executed through the CNCI,” the report says.
Access control: Feds search for scalable solution
White House plans strategy for better cyber authentication
White House lifts the veil on Bush cybersecurity initiative
But much work remains to be done in securing the nation’s national security, civil and private-sector information infrastructures.
“There are things happening, but it is fair to say there is not an exhaustive list of accomplishments,” said Larry Clinton, president of the Internet Security Alliance, who attended Wednesday’s White House meeting at which the report was released.
The meeting included representatives from federal, state and local government; law enforcement; industry; academia; and civil liberty and privacy advocacy groups. Clinton said the fact that the president spoke at the meeting, which was chaired by Cybersecurity Coordinator Howard Schmidt and also included Commerce Secretary Gary Locke and Homeland Security Secretary Janet Napolitano, was encouraging.
“It was a statement of commitment at the highest level to continue to evolve the partnership” between the public and private sectors in securing cyberspace, he said.
The president early on identified cybersecurity as an important issue in his administration and ordered a comprehensive review of executive cybersecurity policy. Delays in releasing the report and difficulty in finding a person to fill the position of cybersecurity coordinator highlighted the challenges of securing the interconnected, critical cyberspace. Repeated reports of breaches and frequent government and private-sector studies continue to point out the vulnerability of information technology systems to penetration.
Among the accomplishments noted in the progress report is the new guidance from the Office and Management and Budget for complying with the Federal Information Security Management Act, which focuses on real-time awareness rather than static assessments.
“This change means that agencies will be able to identify vulnerabilities faster and actively protect against attacks,” the report states. “The new approach builds on government and industry best practices that will make our cybersecurity efforts more effective.”
A National Incident Response Plan now is in final draft and will be tested in September as part of the Cyber Storm III exercise. It will be revised based on lessons learned in that exercise. A National Strategy for Trusted Identity in Cyberspace has been released for public comment and is expected to be released in final form by the end of the year. National Security Presidential Directive 54 and Homeland Security Presidential Directive 23, which established CNCI and key cybersecurity roles and responsibilities in government, also are being updated.
Under CNCI, the Trusted Internet Connection initiative is reducing the number if Internet access points in federal networks, and the Einstein program now is providing intrusion detection for 12 of 19 major federal agencies. DHS has established a National Cybersecurity and Communications Integration Center, integrating existing incident response mechanisms into a unified operations center. The department also opened the Industrial Control System – Computer Emergency Response Team facility to address cybersecurity threats to critical infrastructure control systems.
On the legal front, the United States is stepping of law enforcement efforts against hackers and cyber criminals.
“The Secret Service has resolved over 1,100 cases and cracked the Heartland Payment Systems case that compromised over 130 million credit cards,” the report noted. “Albert Gonzalez, a main defendant in that case, was sentenced to 20 years in prison.”
Clinton said he was encouraged that Schmidt spoke of cybersecurity in economic rather than technical terms.
“We have to increase the price for attackers,” Clinton said. “We are thinking of security too much as a technical, operational issue and it’s really an economic issue. We want to focus on why the attacks occur.”
The president and other officials reiterated in the meeting that the administration’s approach to cybersecurity will be based on incentives for cooperation between the public and private sectors rather than on regulation, which was a message that industry representatives were happy to hear.