Six weeks into the implementation of the White House’s framework to help protect the nation’s critical infrastructure, federal officials say they are seeing progress, but also areas that need help from Congress.
Despite initial skepticism from industry, the National Institute of Standards and Technology and the Homeland Security Department are figuring out how to keep the private sector engaged and participating in improving cybersecurity.
“How do we continually, in a phased approach, maintain the private sector’s involvement as we do the adoption? We will learn. We’re putting all our resources out to the private sector. We are not asking them to report if they’ve used it or not,” said Phyllis Schneck, deputy undersecretary for cybersecurity at the National Protection and Programs Directorate at DHS. “We want to look at our outreach, study our metrics and stay involved with large companies. And [we’re] asking their suppliers to be more secure, so that when you connect to a smaller company, you don’t endanger the larger company. … A lot of basic cyber hygiene and guidelines that are mentioned in this framework could have prevented a lot of the attacks that we’ve seen thus far.”
Schneck came to DHS from the private sector six months ago. She witnessed phase one of building the cyber framework from the industry perspective.
“The success of this, as I saw in the first phase from the private sector, comes from the fact that the private sector is very bought-in,” she said. “They know that they designed this thing with us, with NIST. They have a lot of trust in that. So, we want to maintain their input as we build how we rate the success.”
Companies differ widely in their level of cybersecurity awareness. Schneck said small businesses, which connect to larger organizations, may pose the biggest threat to the security of companies overall.
“Small to medium business, that’s a huge risk. These are companies that have no idea, in many cases, that they have something to protect, and yet they are connecting to everyone else, making the rest of us less secure with very small budgets,” said Schneck.
She emphasized the importance of building a culture of cybersecurity.
“Many in the field say that there are two kinds of companies and entities right now: those who know they’re compromised and those who don’t,” Schneck said. “So the issue is, how do we raise cybersecurity to a business discussion? I think the framework and the voluntary program will get it to the boardroom, because it becomes part of the risk. We don’t force people to lock their doors and, yet, they do. So, this is part of a culture of security that has been talked about for 12 years.”
While DHS and NIST work to build the partnership, officials say Congress needs to address liability protection for companies that share information with the government.
Sen. Ron Johnson (R-Wis.) said fear of legal entanglements may be hindering participation. He pushed for broader liability protection, saying the less likely a company is to be sued, the more likely it is to share information.
“Right now, it seems to me that we are erring on the side of limited liability protection or no liability protection,” he said. “As a result, we’re not getting the information that everybody believes is absolutely crucial if we’re going to provide cybersecurity.”
Schneck said companies want to know that reporting to the government is not going to hurt them in some way. She said the more comfortable the private sector is with the relationship, the more information will come in. She said the administration’s plan for targeted liability would be helpful.
“I think that the targeted liability protection that the administration is looking at right now would help us because it would protect companies in the instances defined to share information, and they wouldn’t get hurt by that and wouldn’t be liable, nor would their shareholders,” she said. “It wouldn’t be so broad that it threatens — even the perception of threatening — our privacy and civil liberties, because we are fighting to protect our way of life. So, it’s a balance.”
She also offered a word of caution.
“We need the experts from the science side, the legal side, the administration to find that balance. Because we don’t want to err on the side of not honoring the privacy and civil liberties that we are all here to fight to keep,” Schneck said.
What about the workforce?
DHS and NIST also must address workforce issues, as finding the people to do the cyber work hasn’t been easy, officials say.
The federal hiring process is lengthy and complex, and salaries are lower than those in the private sector — all of which make it challenging to maintain a quality cyber workforce.
Schneck said she believes the mission can make up for the pay in cases like her own.
“What we need is more people like the ones we have [and] some more technical resources like what we have in our US CERT. Because, more and more we have those teams who fly off and have people respond to attacks. We need to have more of that. There’s a spectrum of skill sets. We need the cybersecurity experts; we need folks who are skilled at analytics, policy people and that combination of talent. … I believe our mission can meet what other salary offers can meet in a different way.”
“Well, it’s my conclusion after looking at where different personnel assigned to cybersecurity responsibilities are spread throughout the federal government. … Frankly, I don’t see the coordination between those different agencies of government that I think would increase dramatically our effectiveness,” he said. “If we engage in legislation, which we’ve tried to do without success, I would argue that that has to be part of any legislation that we enact. If you view this threat with the gravity that many of us do now, it may require reorganization such as we carried out after 9/11. … One thing we do agree on, this thing is going to get worse before it gets better.”
Elsewhere on the Hill Wednesday, Rep. Henry Waxman (D-Calif.) and Sen. Edward Markey (D-Mass.) introduced companion versions of the Grid Reliability and Infrastructure Defense (GRID) Act.
It would provide the Federal Energy Regulatory Commission (FERC) with the authority to address threats and vulnerabilities on the electric grid.