DHS, NIST lynchpins helping cyber order succeed

Thursday - 2/14/2013, 6:24am EST


The White House's much anticipated Executive Order on cybersecurity depends on a simple premise: how well the Homeland Security Department and the National Institute of Standards and Technology can work with industry. DHS and NIST are the lynchpins of the collaborative effort to create voluntary standards and increase information sharing, as called for in the new order and the accompanying Presidential Policy Directive.

Michael Daniel, the White House's cybersecurity coordinator, said the order calls for a "whole of government approach" to securing the nation's critical infrastructure. But DHS and NIST will do the heavy lifting across all three major sections of the strategy.

DHS will have an expanded role, but in many ways it builds on what the department has been doing for a number of years rather than adding entirely new responsibilities.

"One of the key tasks that need to be done, that is a heavy lift, from a difficulty standpoint, is the identification of critical infrastructure," said Bruce McConnell, a cybersecurity counselor for the National Protection and Programs directorate at DHS. "Section 9 of the order says identify those critical infrastructure entities who own systems and assets which if they were disrupted by cyber attack or incident would create a catastrophic event. We have a list of systems and assets today that we've done for other purposes, but not really focused on the cyber piece of it."

McConnell said a DHS-led task force will talk with the critical infrastructure sectors to find out which systems and assets they consider most critical and how those are being protected today.

DHS is facing several deadlines in the next six to eight months and already is hitting the ground running.

Among the requirements for DHS in the EO are to:

  • Develop a description of the federal government's relationships with critical infrastructure security and resilience within 120 days.
  • Complete the assessment of the public-private partnership model and recommend ways to improve it within 150 days.
  • Develop a situational awareness capability for critical infrastructure within 240 days.
  • Update the national infrastructure protection plan within 240 days.

One area where the agency has begun work is the expansion of the cyber information sharing program, now called the Enhanced Cyber Services program rather than the Defense Industrial Base (DIB) pilot.

The order states the goal is to share classified and unclassified cyber threat information with the private sector.

Jane Holl Lute, the deputy secretary at DHS, said the cybersecurity framework NIST will develop is an important piece of expanding participation in the cyber threat information sharing program.

"These baseline security improvements will better position many firms to participate in the information sharing programs," she said. "For example, we've already begun with the Department of Energy a dialogue with the electricity sector and we look forward to continuing this effort. Similarly, we've been working with the Department of Treasury in the financial sector. And we will continue to work with all of the sector specific agencies and sector coordinating councils that represent industry to develop programs to assist companies with implementing the framework and identifying incentives for its adoption."

Ball in industry's court

McConnell added the information sharing program is open to all companies and DHS will help speed up the security clearance process for people in the company who will receive the information from the government.

"I think we are starting to see interest among the non-Defense industrial base companies in the [information sharing] program," McConnell said. "We are in the early stages, but expressions of interest have been quite positive."

NIST and DHS also will work together to create the broad cybersecurity framework to secure critical infrastructure systems. Patrick Gallagher, the director of NIST, said the two organizations signed a memorandum of agreement earlier this week to ensure their efforts are aligned. NIST will continue to act as a convener and use a collaborative approach to pull together the best practices from across the community. The goal is to create a voluntary cybersecurity framework.

"The whole idea here is to empower industry to be responsive. So you have to put the performance goal out there and basically the ball goes entirely into industry's court," Gallagher said. "The extent to which they can provide a very robust framework will provide I think the best answer because it could minimize the need for additional regulatory action or other sort of unilateral action. It could enhance the fact this is being done as broadly as possible so the markets are wide open. So I think in some ways this is the most empowering way I could envision stepping out on this issue."