“Well, that was a little sobering,” said Nigel Ballard, Intel’s director of federal marketing, after hearing these, and other, obstacles the U.S. must face to address cybersecurity. Ballard was moderating a panel discussion on cybersecurity at FedTalks 2013 on June 12, where representatives from the White House, Congress and federal government converged to give their thoughts on how to effectively address cybersecurity.
It will take more than executive action from President Barack Obama, the panelists said. The way the government and the public think about cybersecurity must change, and structural shifts must occur before any real progress can be made.
“You can’t imagine that we will issue a framework and we will be finished and that’s the end of the story,” said Chuck Romine, director of the IT Laboratory at the National Institute of Standards and Technology. “This is going to be an ongoing process, a living document, a living set of standards that must evolve as the threat space evolves.”
Most important, people are taking notice, said Michael Daniel, special assistant to the president and cyber coordinator on the White House’s national security staff.
“Our ability, and the focus we’re seeing on this issue — the kind of focus Congress is putting onto the issue, the fact that it’s moving out of the realm of essentially the techno-geeks and into the boardrooms, into the C-suites and the corporate world and into the realm of the deputy secretary and secretary level within the government — all of those are actually very good trends,” Daniel said.
But there are more than a few hurdles the U.S. must clear before an agile, cogent strategy emerges. Rep. Gerry Connolly, D-Va., called out Congress.
“Congress has passed nothing substantive on cybersecurity since 2002,” he said, referencing the Cybersecurity Enhancement Act of 2002, embedded in the Homeland Security Act, which founded the National Cyber Security Division.
Not that Congress hasn’t made attempts since then. The House has passed numerous bills on the issue in the last two years — including another “enhancement act” to assess cyberthreats to critical infrastructure, and an Internet activity information-sharing bill, CISPA — only to see them die in the Senate. The Senate has made its own attempts, but failed each time to muster enough votes.
Outside Congress, federal agencies have done themselves few favors with a fragmented leadership structure unable to nimbly respond to cyberattacks.
“The federal government is not well organized to meet this threat,” Connolly said. “If you look at the top agencies, we have 250 people called CIO. That means we’re doing this,” Connolly crossed his arms, pointing in two different directions. “No one is quite empowered to be responsible, to make cogent decisions in a timely fashion. The system is designed to make sure that doesn’t happen.”
And the public might not pressure the government to change this structure until “a cyber Pearl Harbor,” Connolly said. “If we do have a cyber Pearl Harbor, where something terrible happens because of this vulnerability, the public reaction is going to be very strong,” he said. “And then federal intervention will be inevitable. We won’t be talking about voluntary standards anymore.”
More than public pressure, though, the federal government needs different paradigms through which to view its cybersecurity approach. Currently, we map military concepts onto our protection of cyberspace. Foreign cyberattacks are akin to foreign nations invading U.S. territory in this analogy, which, to a degree, is relevant. We have a physical military presence dedicated to cyberspace defense. Foreign actors are targeting the U.S. But that shouldn’t necessarily militarize cyberspace itself, Daniel said.
“Mapping our models from the physical realm into cyberspace can be challenging,” he said. “The geography and sovereignty concepts still matter in cyberspace. All those servers and boxes exist somewhere, but concepts like ‘near’ and ‘far’ and ‘the border’ have different meanings.”
In cyberspace, countries have no interior to defend: “We all live at the border,” Daniel said.
Which requires new paradigms — or “models” as Daniel said — to think about how the government responds to cyberattacks. Daniel mentioned two possibilities: the disaster management model and the public health model.
Take natural disasters. The Federal Emergency Management Agency combines weather data from both the public and private sector to forecast the risk of a weather pattern turning into a disaster that would require FEMA to intervene. The organization does not respond to every potentially dangerous weather pattern, or every storm, tornado and hurricane. There is a bar (admittedly, a moving one) to determine whether the risk or severity of an event merits FEMA intervention.
“Do we want the federal government to have something like that in cyberspace, where we can integrate the information from private sector and government and give you a ‘forecast’ for what’s coming?” Daniel asked.
Or consider the way the Centers for Disease Control and Prevention respond to virus outbreaks. The agency determines whether people should be vaccinated, quarantined, and how serious these requirements should be. How contagious is the virus? How fatal is the virus? How available is a potential cure? CDC considers numerous factors to determine its response.
“If you look at how malware spreads, it mimics biological systems if you think about its terms of inoculation and quarantine and how much do you need to vaccinate,” Daniel said.
Natural disaster responses and public health crisis responses aren’t necessarily the right models to apply to cybersecurity, Daniel said, but they do expand the narrow way the government and public think about cybersecurity.
Chuck Romine mentioned workshops NIST had been holding since the president’s Feb. 12 executive order to both outline the cybersecurity problem for others, and refine its own best practices. It’s exactly what Daniel was encouraging the government to do: change your mindset.
“We don’t have to keep playing that same game,” Daniel said. “We can change how we think about it. One of the basics of security hasn’t changed in 25 years, that’s username and password —” he added, before Connolly cut in. “Not mine,” he said, “you have to know my mother’s maiden … whoops.”