The cybersecurity executive order recently signed by President Obama increases information sharing between government and industry, but at its core, it’s really about government sharing knowledge outward, said White House Senior Director for Cybersecurity Dr. Andy Ozment.
Ozment, speaking at Friday’s AFCEA DC Cybersecurity Symposium, said the executive order – by nature – is “not magical” and cannot provide the government’s critical infrastructure partners in industry with liability insurance, causing the focus to be on one the government can provide to the industry base.
“This really focuses on the government sharing information outwards and sharing threats it sees with industry,” Ozment said before the crowd of more than 500 at the Capitol Hilton in Washington, D.C. “It allows for the critical infrastructure partners to allow the government to come in when there is a threat and subvert it to help keep everyone safe during attack.”
Ozment pointed to three other key parts of the executive order:
- Clearances. He said the executive order allows for more industry partners to get the clearance needed to be effective against a threat as in the past not nearly enough people in an organization were cleared.
- Increase information sharing. That includes, Ozment said, the volume, timeliness and quality of information the government shares with the public sector. Ozment warned, though, “It’s a balance, because we don’t want so many people to know about a threat that our adversaries catch wind and modify their behavior.”
- The executive order essentially is an extension of the Department of Defense’s Defense Industrial Base cyber security pilot – also known as DIB – started a few years ago that brought information sharing on cyber threats between the Pentagon and its industry partners.
Finally, Ozment asked for industry’s help.
“We need you to participate,” he said. “We need you to contribute to the NIST [National Institute of Standards and Technology] framework that’s being written, we need you to participate in organizations your sector uses to work with government and we need to focus on both physical and cybersecurity. Only then will the threat diminish.”
The needs of U.S. Cyber Command
The U.S. military should act at an operational level of war in cyberspace – the same as it would in the land, air and maritime domains, said Air Force Maj. Gen. Brett Williams, director of operations for the U.S. Cyber Command.
Williams said the military must use the same joint operational and military decision-making process it uses for other battles to attack the threat in cyberspace, adding that despite its uniqueness, the cyber fight has much in common with other military missions.
“People talk about how different and mysterious the cyber domain is,” Williams said, “but it’s not any more unique than the difference between flying an airplane or steering a ship.”
Williams also acknowledged the DOD’s intention to be more offensive in cyberspace, something that had long been seen as taboo.
Williams said if the department only acts defensively, it would be approximately 70 percent effective in its cybersecurity mission. That number would be the same – or less – if the department only acted offensively as it would become too vulnerable to attack. The key, he said, is finding the middle ground between offense and defense.
To help do this, Williams said U.S. Cyber Command has three needs from the technology community:
- An “ultimate data” solution that gives the DOD all of the parameters that are knowable within the department’s networks from the unclassified level to top secret. “We need a solution that will collect every piece of data imaginable to give us a clear picture of what is happening in our networks at all times,” he said.
- Within that “ultimate data” collection, Williams wants the ability to move that data around and visualize it in a way that is best for the person viewing it – meaning if he wants “little airplanes” that light up and show threats, that’s what he wants to create, if it helps him understand the problem. The same should happen for someone that wants to view the data in rows of “TSP and IP stuff.”
- And finally, Williams said he wants a knowledge management system that can help officials make military decisions based on all the cyber data that’s been collected.
DHS: Reconstitution key
It is imperative for the government to reconstitute itself after an attack given the inevitability of a cyber attack, even with the best prevention efforts, said Department of Homeland Security Chief Information Security Officer Jeffrey Eisensmith.
“The key will be how quickly you can get back on your feet and accomplish the mission again given that you know you’ll be hacked,” he said.
Whereas information security officers in the past served primarily an auditing function, Eisensmith said that we’re in a phase of continuous monitoring, and the role of the CISO has to change significantly.
“The key is to retool our workforce away from an auditing mentality towards the continuous monitoring modality,” Eisensmith said.
Ties between physical and cyber
Suzanne Spaulding, deputy under secretary of the National Protection and Programs Directorate at DHS, said that physical and cybersecurity are inexorably intertwined and cannot be separated in the critical infrastructure arena because cyber attacks can have such significant physical consequence.
For the federal government, this necessitates a government and community approach. In the private sector this requires bringing together CEOs, CIOs and CISOs for the same mission.
“We cannot meet this challenge without a true collaboration in which we bring all of our knowledge, expertise and capabilities together,” said Spaulding, referencing the importance of private sector partnerships in critical infrastructure, cybersecurity efforts.
In addressing President Obama’s release of both a cybersecurity Executive Order and Presidential Policy Directive 21 on February 12, Spaulding said, “it is really not a coincidence that they were released on the same day. We have established an integrated implementation task force which will focus on holistically implementing both documents, drawing on expertise from across NPPD, DHS, across agencies” as well as sector specific agencies, private sector partners and academia.
Spaulding addressed the private sector partners in attendance saying, “we are coming to the table together, and we’re rolling up our sleeves and we’re going to do this in a way that recognizes that you’re part of the discussion.”
FedScoop’s Kathryn Sadasivan contributed to this report.