In 2015, the Obama administration will make a major push to raise the level of cybersecurity across the nation and improve the ability to disrupt, respond to and mitigate cyber incidents, a senior administration official said today.
On Jan. 20, during his State of the Union address to Congress, President Barack Obama will announce cybersecurity initiatives designed to shore up legislative gaps that he, cabinet members and senior military officials have warned are hampering the nation’s security in cyberspace, the official said.
This afternoon, on a background call with reporters, the senior administration official discussed highlights of the president’s proposed cybersecurity initiatives.
The administration's cyberspace priorities, the official said, include protecting the nation’s critical infrastructure, improving the ability to identify and report cyber incidents, engaging with international partners to promote Internet freedom, securing federal networks and shaping a cyber-savvy workforce.
The Growing Threat
“The events over 2014, from breaches of major retailers to intrusions into federal networks, the major vulnerabilities like Heartbleed, [and] the destructive and coercive attacks on Sony Pictures Entertainment, highlight the growing threat we face in cyberspace,” the official said.
In November, Navy Adm. Michael S. Rogers, commander of U.S. Cyber Command and director of the National Security Agency, spoke about cybersecurity at the Reagan National Defense Forum in Simi Valley, California.
Rogers said the lack of a cyberstrategy that along with national defense includes public- and private-sector networks creates a situation in which cyber attackers run little risk by trying to penetrate systems and steal data.
"My concern there is,” the admiral added, “if we're not careful and this trend continues, [it] will encourage nation-states, groups or individuals potentially to … engage in ever-more-escalatory and riskier behavior, and that's not a good thing for us as a nation."
And speaking Jan. 11 on Fox News Sunday with Chris Wallace, Army Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, said the recent hacking of Sony Pictures Entertainment that the U.S. government said came from North Korea shows a need for new cyber legislation.
White House Cybersecurity Summit
Today the official announced that the White House Cybersecurity Summit will be held Feb. 13 at Stanford University in Stanford, California.
Its focus, he said, “will be on the partnership between government and industry, because cybersecurity is an issue the government cannot work alone, and we need a real partnership with industry in order to tackle.”
The president’s legislative proposal includes a section that updates the administration's position on how to improve the sharing of information from the private sector to the government, and within the private sector, the official said.
“Congress had been working for several years on legislation and in fact they were able to pass a few pieces of cybersecurity legislation at the end of 2014,” the senior administration official said, “so we're looking to capitalize on that momentum.”
Cyber Threat Indicators
Specifically, Obama’s information-sharing proposal will authorize companies to share cyber threat indicators such as Internet protocol addresses, date-time stamps, routing information and similar technical data with the government through the Department of Homeland Security National Cybersecurity Communications and Integration Center, the official said.
The proposal, the official added, also will authorize information sharing among private-sector companies through private-sector-led information sharing and analysis organizations.
The official said such organizations will receive targeted liability protection for their information sharing “as long as companies take reasonable steps to remove irrelevant personally identifiable information from what they share, and then comply with reasonable privacy guidelines that are laid out by the attorney general.”
Liability protection focuses on the act of sharing cyber threat indicators, the official said, and the legislation defines these “as the bits of information you need to identify malicious reconnaissance, a message for defeating a technical control, a message for causing a user to inadvertently defeat a technical control, malicious command and control, or some combination of those things.”
The Homeland Security secretary “will govern the back end of information sharing once that information comes to the government,” he added.
Information-Sharing Guidelines
The proposal also requires the secretary of Homeland Security and the attorney general to develop guidelines for the use, receipt, retention and destruction of information received through this channel, the official said.¬¬
In terms of law enforcement, he added, the shared information could only be used to look at cybercrimes, major threats to minors or threats of bodily harm, and it can’t be used for regulatory purposes inside the government.
The senior administration official said the proposed legislation requires that DHS share the information it receives from the private sector in near-real time with other federal agencies.
“We are working to make the information flows happen at a speed and with sufficient depth that we can effectively generate what I think of as a weather map for cyberspace,” he said, “so we’ll know and have some visibility into what is happening to us in cyberspace writ broadly.”
Filling the Gap
In 2011, the Obama administration submitted to Congress proposed cybersecurity legislation that Congress wasn’t able to fully enact, the official said, and Obama used executive orders to fill critical gaps.
In March 2013, Executive Order 13636, for example, focused on government to private sector information sharing, he added.
“EO 13636 made the default position of the federal government that we’d share information with the private sector when we see a threat to a private sector company. The president said in that [executive order] to make the information flow more relevant, more timely and more robust. So we've been working to put that into place,” the official said.
The part of the process that requires legislation now, he added, is the flow of shared information from the private sector to the government “because of concerns industry has raised related to the need to protect them from liability for that sharing.”
The legislative piece that directs industry-to-industry information sharing through industry-led information sharing and analysis organizations also is new since the 2011 legislative cyber proposal, the official said.
A More Refined Framework
The legislative update, the official said, “is much more clearly articulated and provides a much more refined framework that represents the results of all the work [we’ve done] with Congress over the past almost four years now, and work with the private sector and how the cyberspace ecosystem has evolved. All of that has informed our thinking as we developed this legislative proposal.”
The official said the Obama administration is committed to working with federal and domestic partners, and with partners around the world, to improve cybersecurity.
“Citizens should have an expectation that we will work toward and continue to improve cybersecurity … to protect people's information,” he said, adding that no one should expect 100 percent security, “but clearly we can raise our level from where we are now to something substantially better.”
As an administration, the official added, “we're going to do everything we can to improve information sharing and to raise that baseline level of cybersecurity across our critical infrastructure.”
(Follow Cheryl Pellerin on Twitter: @PellerinDoDNews)
Â