Collaborative and Cross-Cutting Approaches to Cybersecurity

As I reach the end of my first two months as Cybersecurity Coordinator, I wanted to highlight a few of the Administration’s recent accomplishments working in partnership with the private sector, and also preview some of our future activities. Some of the Government’s cybersecurity activities are already high-profile, like the recent National Level Exercise or our push for comprehensive cybersecurity legislation, but there is also substantial activity occurring outside of the spotlight. Both are needed if we are going to address the serious threats we face in cyberspace and capitalize on the exceptional opportunities cyberspace presents for governments, individuals, and U.S. businesses. 

Like many tough issues, cybersecurity is a cross-cutting problem, affecting not only all Federal agencies, but also state and local governments, the private sector, non-governmental organizations, academia, and other countries. It is a national security, homeland security, economic security, network defense, and law enforcement issue all rolled into one. As a result, it takes a truly cross-cutting response to address the problem, with the public and private sector working collaboratively. Within the government and the private sector, many organizations will need to work together in new and sometimes initially uncomfortable ways.   We will also need a combination of technical, policy, and legislative tools to respond. 

Let me highlight a few recent initiatives where voluntary, cooperative actions are helping to improve the nation’s overall cybersecurity:

• The Defense Industrial Base (DIB) Cybersecurity/Information Assurance (CS/IA) program helps companies protect critical information related to Department of Defense programs and missions. The government shares cybersecurity threat and mitigation information with DIB companies, and in turn, DIB companies can report known intrusions. 
• The National Strategy for Trusted Identities in Cyberspace (NSTIC) seeks an "Identity Ecosystem" where individuals will soon be able to choose from a variety of more secure, convenient and privacy-enhancing technologies in lieu of passwords when they log in to different websites. The initial meeting of the Identity Ecosystem Steering Group, the private sector-led body that will help develop Ecosystem standards and policies, is happening next week.
• The Electric Sector Cybersecurity Capability Maturity Model helps firms in the electric sector evaluate and strengthen their cybersecurity capabilities; it also enables the prioritization of network protection investments. This White House-initiated effort, led by the Department of Energy and in coordination with Department of Homeland Security, provides valuable insights to inform investment planning, research and development, and public-private partnership efforts in the electric sector.
• In End-User Cybersecurity Protection, the government is participating in four linked initiatives across the IT industry, law enforcement, the financial sector, and government to counter the threat of malicious software – known as ‘bots.’ This voluntary, public-private effort ties together the capabilities of different sectors to identify compromised computers and help their owners fix them.

You likely already know that we are also working with Congress to update cybersecurity legislative authorities. There are many things that the Executive Branch can do with existing authorities, including some of the programs I just discussed. But, there are some things that require Congressional action. In particular, we urgently need legislation that enables both enhanced information sharing and the collaborative development of cybersecurity standards for the nation’s core critical infrastructure. The information sharing component is critical – government and the private sector both need access to more information than they currently have, under a framework with robust privacy protections. But information sharing alone is not enough. Our critical infrastructure is fundamental to our economy and our national security. This infrastructure needs hardened and resilient networks to cope with the threats emanating from cyberspace; one necessary component of this hardening is the adoption of minimum security standards. These standards must be developed in concert with industry and not be overly burdensome, but it will take incentives only available through legislation to make such a process viable.   

This ongoing work lays an excellent foundation, but there’s more to be done. We will need to continue our efforts to make federal networks more secure and improve our ability to assist the private sector in protecting critical infrastructure. We must upgrade our ability to identify, categorize, and respond to threats in a timely and effective manner. We have to engage internationally with our partners, ensuring that the Internet retains its multi-stakeholder, open nature and remains an engine for economic growth. And we need to help shape the future of cyberspace, working towards a time when our computers and networks are secure right out of the box. 

I look forward to this challenging work and the ongoing conversations needed to achieve our goals. 

Michael Daniel is the White House Cybersecurity Coordinator.