Melissa Hathaway likes to use a simple story to illustrate why the federal government and industry need to come together to develop a resilient infrastructure strategy.
The acting senior director for cyberspace in the National Security and Homeland Security Councils says as agencies prepared for the April 1 launch of the Conficker worm, the coordination across the government was less than adequate.
“What if Conficker had taken down parts of the communications infrastructure that was critical to business or government?” says Hathaway Tuesday at the Symantec cybersecurity conference in Washington.
She asks what process is in place to bring the infrastructure back up or to have backup plans to make sure the networks are resilient. “Some estimate that Conficker infected one in five computers used by businesses,” she says. “And millions more worldwide are infected.”
Hathaway says the government’s preparation for Conficker shows why more has to be done to ensure threats and attacks do not take down entire sectors of the country.
To that end, the Obama administration has begun developing a national resilient infrastructure strategy.
“We will be looking at the policies; we will be looking at the threats; and we will be looking at the different areas that need to be addressed as part of a broader incident response plan,” she says. “We have come up with the draft chapters and we want to ask industry for help to understand their concerns or challenges.”
Hathaway says her office will work with the federal Chief Technology Officer Aneesh Chopra to set up a wiki to give vendors a place to offer ideas and comment.
The administration expects a draft of the strategy to be ready by the fall for vendor comments, and a final plan by Dec. 31.
Along with a resiliency strategy, Hathaway says her office also is focusing on international issues.
She says there are at least 20 international venues deciding on the future of information and communication infrastructure.
“What is cyber crime?” she asks. “What is cyber terrorism? There is no common view that is held by all or many countries.”
That is because, she says, there are no international laws or rules for cyberspace.
“Until we get to what a common view is of what is all of our responsibilities to protect and secure, we won’t necessarily get to norms of behavior of what is a crime convention or what is an act of war or armed attack,” she says. “It is something very important to get to resolution in the near term.”
She says there also isn’t a clear understanding of what an armed attack is or what the legal regimes around it are. It also is unclear how to verify or validate who is responsible.
The administration also must understand international issues to help American companies remain competitive globally. Additionally, that means addressing U.S. laws.
Hathaway says the public and private sectors must do a better job sharing information and partnering to keep the infrastructure safe.
She says certain perceptions, such as how the Freedom of Information Act applies to information about threats or anti-trust concerns about sharing vulnerabilities, must be addressed.
“We are trying to get a comprehensive view of all the different pieces of legislation that have been introduced on the Hill and work with Congress just to address those,” she says. “Then it will take much longer to come up with a more comprehensive legislative landscape.”
She adds that administration attorneys are working on vendor liability concerns and it may be one area that would require a legislative fix.
And as for when the White House will name a cyber coordinator, Hathaway says in the coming weeks.
“The President and presidential appointment staff are actively working to find and interview the right candidates and they are aggressively pursuing that,” she says.
Hathaway adds that the White House also is reviewing possible candidates for the civil liberties position in the cyber coordinator’s office.