Oct 02 2014

Heartbleed and Shellshock Test Government Information Sharing

White House Cybersecurity Coordinator Michael Daniel explains how federal and state governments have responded jointly to these security weaknesses.

High-profile security vulnerabilities such as Heartbleed and Shellshock have become a training ground for federal, state and local governments to hone their information sharing capabilities, according to a White House official.

Speaking at a kickoff event Wednesday for National Cybersecurity Awareness Month, Cybersecurity Coordinator Michael Daniel recalled the collaborative effort between federal and state governments in responding to Heartbleed.

Daniel said the Multi-State Information Sharing and Analysis Center (MS-ISAC) received critical updates about the Heartbleed bug from partners in the Department of Homeland Security’s 24/7 cybersituational awareness center. The MS-ISAC, which describes itself as “the focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, tribal and territorial (SLTT) government,” gave the White House daily updates on the status of remediating the vulnerability of state networks. That data was incorporated into reports to Daniel’s boss, the assistant to the president for counterterrorism and homeland security, and to the chief of staff’s office.

“This collaboration worked quite well, and now with Bash and Shellshock, we’re getting an opportunity to practice even more,” Daniel said, adding that he wants to extend those partnerships to tackle other cybersecurity-related problems.

Gauging Success of the Cybersecurity Framework

High on the administration’s list is protecting the nation’s critical infrastructure, much of which is owned by the private sector. There are also public utilities operated by state and local governments, which makes securing critical infrastructure a shared responsibility.

Daniel encouraged governments to consider the “whys” of cybersecurity. They should know what information they want to protect, why they want to protect it and who they want to protect it from. For certain government data, the focus isn’t preventing people from seeing data but rather preventing them from altering data. That profoundly shapes how agencies do their jobs, Daniel said.

Too often, organizations and governments do a poor job of identifying these facts up front, he noted. The National Institute of Standards and Technology released the first iteration of the Cybersecurity Framework in February to address that problem.

As NIST prepares to update the framework, Daniel stressed the need for organizations in government and industry that have adopted the framework to provide their input. How are people using the framework? How has it worked, and where has it fallen short?

“I have long argued that we will know that the framework has been truly successful and adopted when people begin using it for things that we never even dreamed possible,” he said.