The Homeland Security Department will take the first step to move from theory to practice under President Barack Obama’s cyber executive order.
DHS’ National Protection and Programs Directorate in two weeks will launch a voluntary program for companies to improve the security of their computers and networks.
“We will be launching what we call the voluntary program on Feb. 14, enabling companies of all sizes to follow some basic cybersecurity policies and due care that have been designed through the framework by the best scientists in the private sector and the government that we have. [We are] looking at how we can incentivize companies, again of all sizes, to be more secure, to enable big companies to share their best practices, to drive markets for small to medium to enable economies of scale for companies that are smaller and may not be able to afford to now have very good cybersecurity, [and] to have a cybersecurity policy,” said Phyllis Schneck, the deputy undersecretary for cybersecurity at NPPD, in an exclusive interview with Federal News Radio. “When I say to adopt the framework, that’s to voluntarily either improve your cybersecurity posture, follow some of the recommendations, engage in our website portal, even if it’s just to look at a critical infrastructure resilience review. [There is] no need to report to us, but we want companies of all sizes, the federal government and state and local to be more secure, and we are committed to doing everything we can to get that framework adopted. And that means helping companies not only adopt policy, but drive markets to make good technology.”
DHS will release the new voluntary program shortly after the National Institute of Standards and Technology releases version 1 of the critical infrastructure cybersecurity framework, which is due by Feb. 13.
President Barack Obama issued an executive order in February 2013 detailing steps the government and industry would take together to improve cybersecurity in both sectors.
The General Services Administration and the Defense Department delivered on another executive order requirement last week with the release of six recommendations for improving how agencies integrate cybersecurity into federal procurement actions.
Efforts ramped up
NIST, which is acting in a coordinating role to bring together industry, government and academic experts, released an update on Jan. 15 about the progress of the framework.
It said the draft framework issued for comment in December received 202 individual submissions, which accounted for nearly 2,500 separate comments.
“Over the past several months, many stakeholders have suggested that it would be beneficial for NIST to develop and share a roadmap and path forward after the February release of the Cybersecurity Framework, building off the ‘Areas for Improvement’ section of the preliminary framework,” NIST wrote. “NIST is developing such a roadmap that will include areas for further development and harmonization. These may include: authentication; automated indicator sharing; conformity assessment; cybersecurity workforce; data analytics; international aspects; privacy standards; and supply chain risk management.”
While NIST continues its role as convener, DHS is ramping up its efforts to support its part of the executive order. In many ways, the voluntary program builds on existing DHS cyber information sharing efforts.
Schneck, who’s been at DHS since August after spending her entire career in the private sector, said continuing to build a trust relationship with the assorted public and private sector stakeholders is among her top priorities.
“Through the programs that we build, [we] are looking at how we can engage not only our perimeter defense, but our network defense,” she said. “You’ve heard of programs like Einstein at the perimeter, enhanced cybersecurity, which is perimeter security with classified information protecting critical infrastructure in the private sector, and then continuous diagnostics and mitigation, which is an ongoing measurement of network security, which should replace the 50-pound binder which could be a doorstop.”
Schneck said DHS aims to do all this while also protecting privacy and civil liberties, which is why she emphasized the strict voluntary nature of the private sector information sharing programs.
The newest program will include several different options for companies and governments to take advantage of to improve their cybersecurity approaches.
Schneck said one of the overriding goals of the program is to drive the cybersecurity market through innovation so that securing systems becomes more of a commodity than it is today, and therefore more affordable.
“What I’d like to see with the teams is to have wide mass adoption of the voluntary program. Just like we did with the flu where we taught people to wash their hands better, we would like you to protect your networks more carefully so we actually make cyber attacks harder for the adversary,” she said. “That does two things: It makes us safer. It makes us more resilient. We do cybersecurity, and this is very important for us at DHS, for infrastructure resilience to make our way of life safer. The second thing we want to make sure we cover is by removing some of the noise, the common attacks, and simply having better practices, we free up some of the best minds in the world to hunt for the worst adversaries. Those two things together will make us more resilient because we make it less opportunistic.”
Cyber to the boardroom
She said the voluntary program will include a portal resource on the DHS.gov and US-CERT.gov websites. DHS also will make available a critical infrastructure resilience review form that companies can download, fill out and use to see where they rate against the NIST framework.
“What we are hoping this will drive is that when you learn how secure you are or not, when you improve on a security policy or in some cases create one, when you make better practices for cybersecurity internally, you end up taking that to the boardroom as an entity, and that raises the level of cybersecurity consideration,” Schneck said. “What we are also trying to be very cognizant of is that while all of these are good things, companies can’t just do things because it’s good. We want to make sure we have incentives. The White House has mentioned a number of incentives ranging from cyber insurance to tax incentives to grants for which you could apply. We also are working very hard at DHS and hope to have some announcements in the next few weeks on other things that we can offer to companies to make them more secure in conjunction with following some simple policies.”
She added that, in the end, it’s all about providing ways for companies to innovate and offer services to a wider variety of companies and governments.
The other part of Schneck’s role is overseeing federal cybersecurity efforts. Her priorities include overseeing the DHS implementation of continuous diagnostics and mitigation (CDM) across the government, as well as the third-generation Einstein intrusion detection and prevention software.
She said CDM is part of the broader DHS effort to improve cybersecurity across the board. Agencies running the tools can determine whether their Internet traffic is clean or dirty, giving users a constant stream of network health data.
CDM in the cloud
Schneck said agencies can choose to share information with DHS and the National Cybersecurity and Communications Integration Center (NCCIC) about the threats they are seeing on their network.
“This is all again based on trust, even at the federal level,” she said. “Trust in our capabilities. Trust in that the view is worth the climb, in sharing information back to us to make everyone more secure and then enabling that information to be used in a civil liberties and privacy promoting way to protect everyone else.”
She said the future of CDM is to extend that model into the private sector, maybe as a cloud service.
Schneck said the end goal for CDM is to change “the culture from compliance to actual security. So now you have a network that is able to monitor its own security to some degree. You always know when certain patches have been set, when certain threats are present, so you can take the minds of your chief information security officers and have them focus instead of constantly worrying about compliance and writing documents, actually have them look at the science of what may be threatening that network, be able to have time to build and have relationships with other federal CISOs and create a human and machine network that is a much better barrier for a witted adversary.”