DHS revs up its part of the cyber executive order

Friday - 1/31/2014, 4:11am EST

Listen to Jason Miller's full interview with Phyllis Schneck.

The Homeland Security Department will take the first step to move from theory to practice under President Barack Obama's cyber executive order.

DHS' National Protection and Programs Directorate in two weeks will launch a voluntary program for companies to improve the security of their computers and networks.

"We will be launching what we call the voluntary program on Feb. 14, enabling companies of all sizes to follow some basic cybersecurity policies and due care that have been designed through the framework by the best scientists in the private sector and the government that we have. [We are] looking at how we can incentivize companies, again of all sizes, to be more secure, to enable big companies to share their best practices, to drive markets for small to medium to enable economies of scale for companies that are smaller and may not be able to afford to now have very good cybersecurity, [and] to have a cybersecurity policy," said Phyllis Schneck, the deputy undersecretary for cybersecurity at NPPD, in an exclusive interview with Federal News Radio. "When I say to adopt the framework, that's to voluntarily either improve your cybersecurity posture, follow some of the recommendations, engage in our website portal, even if it's just to look at a critical infrastructure resilience review. [There is] no need to report to us, but we want companies of all sizes, the federal government and state and local to be more secure, and we are committed to doing everything we can to get that framework adopted. And that means helping companies not only adopt policy, but drive markets to make good technology."

DHS will release the new voluntary program shortly after the National Institute of Standards and Technology releases version 1 of the critical infrastructure cybersecurity framework, which is due by Feb. 13.

President Barack Obama issued an executive order in February 2013 detailing steps the government and industry would take together to improve cybersecurity in both sectors.

The General Services Administration and the Defense Department delivered on another executive order requirement last week with the release of six recommendations for improving how agencies integrate cybersecurity into federal procurement actions.

Efforts ramped up

NIST, which is acting in a coordinating role to bring together industry, government and academic experts, released an update on Jan. 15 about the progress of the framework.

It said the draft framework issued for comment in December received 202 individual submissions, which accounted for nearly 2,500 separate comments.

"Over the past several months, many stakeholders have suggested that it would be beneficial for NIST to develop and share a roadmap and path forward after the February release of the Cybersecurity Framework, building off the 'Areas for Improvement' section of the preliminary framework," NIST wrote. "NIST is developing such a roadmap that will include areas for further development and harmonization. These may include: authentication; automated indicator sharing; conformity assessment; cybersecurity workforce; data analytics; international aspects; privacy standards; and supply chain risk management."

While NIST continues its role as convener, DHS is ramping up its efforts to support its part of the executive order. In many ways, the voluntary program builds on existing DHS cyber information sharing efforts.

Schneck, who's been at DHS since August after spending her entire career in the private sector, said continuing to build a trust relationship with the assorted public and private sector stakeholders is among her top priorities.

"Through the programs that we build, [we] are looking at how we can engage not only our perimeter defense, but our network defense," she said. "You've heard of programs like Einstein at the perimeter, enhanced cybersecurity, which is perimeter security with classified information protecting critical infrastructure in the private sector, and then continuous diagnostics and mitigation, which is an ongoing measurement of network security, which should replace the 50-pound binder which could be a doorstop."

Schneck said DHS aims to do all this while also protecting privacy and civil liberties, which is why she emphasized the strict voluntary nature of the private sector information sharing programs.

The newest program will include several different options for companies and governments to take advantage of to improve their cybersecurity approaches.

Schneck said one of the overriding goals of the program is to drive the cybersecurity market through innovation so that securing systems becomes more of a commodity than it is today, and therefore more affordable.

"What I'd like to see with the teams is to have wide mass adoption of the voluntary program. Just like we did with the flu where we taught people to wash their hands better, we would like you to protect your networks more carefully so we actually make cyber attacks harder for the adversary," she said. "That does two things: It makes us safer. It makes us more resilient. We do cybersecurity, and this is very important for us at DHS, for infrastructure resilience to make our way of life safer. The second thing we want to make sure we cover is by removing some of the noise, the common attacks, and simply having better practices, we free up some of the best minds in the world to hunt for the worst adversaries. Those two things together will make us more resilient because we make it less opportunistic."