One of the effects of the executive order on cybersecurity President Barack Obama signed earlier this month is to begin sharing up-to-date, classified government information on cyber threats with companies that operate critical infrastructure. The White House says that broader sharing comes with some significant Homeland Security Department, and National Institute of Standards and Technology lynchpins helping the cyber order succeed.
Until now, the government has kept an extremely tight lid on the data it collects and maintains about current cyber threats, initially distributing those attack signatures to select members of the defense industrial base, and later, to some of their Internet service providers. But the president’s executive order expands the sharing outside the Defense sector, to companies that own or operate critical infrastructure systems.
Any decision to expand that circle of trust involves a sensitive balancing act, said Andy Ozment, the senior director for cybersecurity in the Executive Office of the President.
“When you share information too broadly, sometimes it can lose its value because your adversaries learn of it and they change their techniques, and the information is no longer useful. At the same time, if you don’t share information at all, it’s very rarely useful,” he told a cybersecurity conference hosted by AFCEA D.C. Friday. “So, what we’ve done here is said that as we’re doing this risk analysis on whether to share information, we need to put our finger on the scale a bit. We’re going to emphasize the benefit we’re going to receive and we’re going to take more risk as a government with the information we’ve collected. We think that’s the only way to make progress, because this is a responsibility we all share, and critical infrastructure operators can’t respond to cyber threats unless they’re informed.”
More people to receive threat information
Ozment said the White House is committed to significantly increasing the timeliness, the volume and the quality of the information the government shares with private industry. One way agencies will try to keep critical infrastructure operators better informed is to expand the number of people in those industries who have security clearances. The White House realizes the clearance process has been inadequate so far, he said.
“We hear time and again from people in the critical infrastructure sectors that they need more clearances. They say, ‘Look, we have one person in our company with a clearance. He receives the threat information but doesn’t have the operational abilities to respond.’ Or conversely, operators can get the granular information, but they lack the strategic threat picture,” he said. “We hear that message, so the executive order directs DHS to prioritize and increase the issuance of clearances to critical infrastructure owners and operators. DHS had a program for doing that and it was on hiatus for about a year-and-a-half for lots of bureaucratic reasons, which we have conquered.”
Clearances, however, can’t be the only answer. There are, Ozment said, simply far too many people in the universe of critical infrastructure operators who need to understand cybersecurity issues to grant clearances to all of them. The White House hopes the Enhanced Cybersecurity Services (ECS) program — formerly known as the Defense Industrial Base pilot — will fill that gap. The Defense Department already has been using the program to share cyber threat signatures with a handful of Internet service providers, so that they, in-turn, can offer protection to defense companies as a managed service.
“To use an analogy, let’s say you’re a military base and you want to protect the perimeter, so you have a guardhouse at the entrance to the base. In our scenario, you’ve contracted that guardhouse out, and they can deal with classified information. So the government gives them a classified photo of a bad guy and says ‘Don’t let this guy into the base’, but the people inside the base don’t get to see that photo,” he said. “So you’re receiving the protection if you’re on base, but we’re also not revealing the classified information too broadly. That’s essentially the concept behind ECS.”
Advanced understanding needed
At the same time though, Ozment said agencies continue to struggle over concerns that some companies who operate critical infrastructure don’t have the capacity or know-how to understand and react to cyber threats adequately. In those cases, information sharing isn’t good enough.
“What we’ve found is unless an organization has a basic level of cybersecurity defenses, there’s no amount of sharing we can do that will make them successful,” he said. “The guardhouse works if it’s on the road to the base. But if you don’t know how many roads are going in and out of your base, you can’t put guardhouses on them, and having a photo of the bad guy does you no good if you have no understanding of the roads that are entering and exiting your base. That’s the situation we find sometimes in critical infrastructure.”
And so, even though the White House says it needs congressional action to effectively ensure minimal cybersecurity standards are being adhered to in critical infrastructure sectors, the executive order does contemplate new cybersecurity regulations, using the power that sector-specific federal agencies already have to regulate their industries.
The process will begin with the creation of what the White House calls a cybersecurity framework, a basic set of best practices. NIST will run the effort , which the White House says it chose to lead the charge on the sensitive issue of cyber standard-setting for a very specific reason.
“What we heard from folks in the private sector is that they like to work with NIST. They’re comfortable with the organization, they know that they have a collaborative process with industry,” he said. “NIST will work with the private sector and develop a collection of standards. The framework is not one particular standard that says here’s how you configure your Wi-Fi or here’s how you do risk management. It’s a collection of standards that we think constitute the core cybersecurity best practices and standards.”
NIST has released a request for information to gather industry input on the framework. It expects to issue a preliminary version in eight months, and a final version within a year.
Roadmap to better cybersecurity
Then, Ozment said, the White House will tell the critical infrastructure sector specific agencies it controls to match up the results with the cyber rules they already have in place for their regulated industries.
“We want them to look at the framework and ask whether their existing regulations are sufficient. If the answer is yes, great. There’s no need to redo or undo good work that’s already been done at places like the Nuclear Regulatory Commission,” he said. “On the other hand, if they identify there are gaps, then we’ll ask them to propose new regulations. If they do that, they’ll follow the normal regulatory process for notice and comment, so there won’t be any surprises.”
But there are also regulatory agencies the White House has no control over and aren’t subject to executive orders. Ozment said the White House is requesting that those independent agencies follow the same process.
Tom Temin is the host of The Federal Drive, which airs from 6-8 a.m. on 1500 AM in the Washington, D.C. region and online everywhere. Tom has 30 years experience in journalism, mostly in technology markets. Before coming to Federal News Radio, he was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines.