In the absence of comprehensive cybersecurity legislation, the White House is once again considering what more it can accomplish to secure critical systems through the executive branch.
Specifically, the Obama administration is considering how it can encourage the creation of information sharing organizations similar to the Information Sharing and Analysis Centers, said White House homeland security and counterterrorism adviser Lisa Monaco. These centers were established to improve the security of U.S. infrastructure by enhancing interaction among various sectors and with the government.
“It is regrettable that we won’t have cybersecurity legislation done in this Congress,” Monaco said at a Dec. 9 conference hosted by Bloomberg and Symantec. “Short of the Congress acting, we are going to do everything we can as an executive branch to address [the] issue.”
Days later Congress passed several cybersecurity bills that address some of the issues raised by the White House and others.
Monaco noted that President Barack Obama has already taken executive action to address the growing cyberthreat. In February 2013, the president issued an executive order on improving cybersecurity of the nation’s critical infrastructure. Among other things, the order called for the National Institute of Standards and Technology to create a cybersecurity framework. The voluntary framework was released in February and promoted to industry to encourage its broad adoption.
“I think we are seeing good traction, [but] I think we have to see more,” Monaco said of the framework’s adoption by private companies.
While the White House is considering what can be accomplished through an executive order, cybersecurity legislation is needed to support greater information sharing and provide liability protection for companies.
When Cyberattacks Turn Destructive
As the volume, frequency and intensity of cyberthreats increase, Monaco’s biggest fear is intrusive threats turning destructive. She called cyber “one of the gravest national and economic security threats we face.”
The worst case is a successful attack against the power grid and the industrial-control systems found in critical infrastructure, she said. Those are the types of situations that agencies and partner organizations prepare for and conduct exercises around.
“Over last year we’ve all had to deal with something beyond the malicious actor,” Monaco noted. “Think of things like Heartbleed or Shellshock, exploitable vulnerabilities.”
Federal agencies were in the same position as private companies and were forced to respond to those vulnerabilities. Unless cybersecurity is elevated to the leadership level, “we won’t prove as nimble as we need to be,” she cautioned.
Cybersecurity must be treated as an executive-suite issue, Monaco stressed. It can’t be relegated to the CIO and should not be the sole purview of IT professionals.
“We in government need to practice what we preach,” she said.