Bob Dix, vice president of global government affairs and public policy at Juniper Networks, recently answered some questions from FedTech Magazine managing editor David Stegon about the White House’s Cybersecurity Framework on its first anniversary.
Dix also discusses a number of other current cybersecurity issues and themes and suggests ways the government can help the private sector defend its networks.
FEDTECH: How has the White House’s Cybersecurity Framework helped improve federal cybersecurity?
DIX: The framework has contributed to moving the needle on improving our national cybersecurity and resilience profile.
The effort itself was demonstrative of how the public and private sectors can work together collaboratively to achieve an outcome that will benefit stakeholders across the country.
While the information contained in the framework itself is not new, it does provide an approach for a common lexicon and gathers together a series of standards and best practices into a “toolbox” that companies of all sizes can reference when developing or enhancing their own cybersecurity risk-management program.
FEDTECH: How could the framework improve?
DIX: The framework would benefit from three additional elements that are important to improving overall cybersecurity risk management.
First is the development and implementation of a comprehensive and sustained national education and awareness campaign to help teach cyberspace users of all levels of sophistication about how to better protect themselves in cyberspace.
With limited resources, and recognizing that it is simply not possible to protect everything all of the time, individuals and businesses of all sizes and sophistication need to better understand what investments will provide the greatest protection in their own environment.
Second, there is wide acknowledgement that cost is a key consideration when making risk-management investment decisions, whether that is cybersecurity or physical security.
Accordingly, following through on a series of incentives that may address the challenges of cost will be an important discussion to pursue with the White House, Congress and the stakeholder community.
Third, and another key element of risk-management decision-making, is knowledge of threat.
It is imperative that meaningful steps are taken to improve bidirectional information-sharing about threats, vulnerabilities and consequences to achieve timely, reliable and actionable situational awareness necessary to inform that risk-management decision-making process in industry and government.
FEDTECH: A new federal cybersecurity center is being built. What role will it play in protecting government networks?
DIX: The role and impact of the newly proposed Cyber Threat Intelligence Integration Center (CTIIC) is unclear at this time.
It has been characterized that this new entity will be embedded in the portfolio of the Director of National Intelligence and will provide cyber threat analysis to government cybercenters and cyber-related organizations.
Available information would suggest currently that there is no plan to include representation from the private-sector critical infrastructure community in the analysis activity.
FEDTECH: How will the center fit in with other federal cyber efforts?
DIX: When the Department of Homeland Security launched the National Cybersecurity and Communications Integration Center (NCCIC), in 2009, it was represented that the NCCIC would become a joint, integrated, public–private operational capability. It would include information-sharing, analysis, and collaboration to achieve timely, reliable and actionable situational awareness to improve detection, prevention, mitigation and response to cyberevents that may become incidents of national or global consequence.
In more than five years of existence, the NCCIC remains a series of one-off engagements that are not joint, integrated, cross-sector or scalable, and the result has been more of an information-push effort, with success being described by DHS as the volume and number of threat indicators that have been shared with stakeholders.
However, the missing ingredient has been the necessary analysis to identify the most prevalent cyberevents, and what protective measures — had they been in place — may have prevented or reduced the impact of that event.
The creation of yet another government-driven entity, in addition to the seven government cybercenters, would suggest an affirmation by the White House that the NCCIC has not proven successful in delivering the capability anticipated when it was established.
FEDTECH: Major breaches keep occurring in the private sector. What can government do to help avoid that type of intrusion?
DIX: First and foremost, the government needs to stop its ongoing campaign of blaming the victims. While there is always room for improvement in private-sector cyber risk management, defending against sophisticated nation-state actors can present a unique challenge.
It has been reported that through forensic investigations conducted following the recent high-profile breaches, which have received significant media attention, a number of those attacks are believed to have been perpetrated by nation-state actors. Never before in our history have private-sector companies been expected to singularly defend themselves against attacks from nation-state actors.
The president, members of his administration, Congress, leaders across industry and academia and other stakeholders have elevated the discussion about cybersecurity risk management to a national level, which is an important and necessary step.
Following that up by executing on a key element of President Obama’s national cyberspace policy review from 2009, which established a near-term action item to “initiate a national public awareness and education campaign to promote cybersecurity,” will help educate cyberspace users of all levels of sophistication, including small business and large enterprises, on how to better protect themselves in cyberspace.
Roughly 80 percent of exploitable vulnerabilities in cyber are the result of poor or no cyber hygiene. Raising the bar of protection by teaching users about basic measures will make attacks more difficult and more expensive for the bad guys.
FEDTECH: How should the government work with the private sector?
DIX: It is imperative that the government address the barriers and impediments to sharing timely and actionable threat intelligence and information with the private sector in order to support informed risk-management decision-making.
Legislative initiatives in Congress that have been passed by the full House of Representatives or approved by a major Senate Committee, but never brought to the floor for a vote, have not been embraced by the administration.
Providing liability protection to companies that voluntarily provide information, so that information is not then used against them in some enforcement action or litigation, is a key element to improving bidirectional information-sharing to achieve timely, reliable and actionable situational awareness while protecting privacy and civil liberties.
Addressing such challenges requires a legislative remedy, and it is important to move forward as soon as possible with this approach that enjoys broad bipartisan support.