By Jason Miller
Thursday – 9/27/2012, 5:33am EDT
The White House is trying to prove the theory behind its draft cyber executive order.
The Obama administration is using two pilot programs to show how cyber information sharing with the private sector could work.
The latest test case is with the owners and operators of the electricity critical infrastructure.
Michael Daniel, the White House’s cyber coordinator, said the Energy and Homeland Security departments are working with companies in the electricity sector to come up with a baseline set of cybersecurity standards.
The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) helps these companies manage their cyber risk.
“The model is really a structured set of questions,” Daniel said at the Intelligence and National Security Association’s Cybersecurity Symposium in Washington Wednesday. “It’s a way for companies that have these assets to do a critical examination of their cybersecurity posture, and when they get the answers back to the questions, it will help them inform investment planning, research and planning and other partnership efforts.”
He said the administration is encouraging other sectors to use the publicly available maturity model to develop and adopt similar approaches to assessing their cybersecurity posture.
Instead of legislation
The administration has drafted an executive order detailing how, within its authority, it would improve the information assurance of the nation’s critical infrastructure, such as the power grid and financial industries. The White House is considering the executive order after attempts to get Congress to agree to comprehensive cyber legislation have fallen short so far.
Where Congress and the administration couldn’t come to terms, Daniel said the electricity pilot has produced definite results.
“Almost everybody who goes through the maturity model learns something, and many of them have learned a lot,” he said. “A lot of the companies have learned things they thought they were doing well, but they actually need to make some improvements in. And others discovered they already had programs going they weren’t fully aware of. It’s really been a very educational experience for everyone involved on both the government and the private sector side.”
Daniel added that the success of the pilot has led the electricity sector to push ahead on its own at the local and state level.
“That’s really cool from my perspective,” he said.
Daniel didn’t specifically mention the potential of a cyber executive order, but the pilot is trying to show how a collaborative and industry-led approach to creating cyber standards could work.
Terry Roberts, who is the chairwoman of INSA’s cyber council, said the electrical grid makes sense as a place to show how collaboration over cyber standards could work.
“This is a very complicated area in which not everyone has the same basis of understanding, the technical expertise and the operational team in place,” Roberts said. “So by discussing your respective issues that you are experiencing, and then there could be assistance from another company to evaluate what has occurred, help you put the right processes and technologies in place and basically you are trying to raise the bar for everyone so that there’s a foundation of security and assurance capability that exists across the board.”
She said many of these standards are ensuring basic cyber hygiene is followed.
Following in the steps of the DIB
Roberts said the pilot also builds on the information sharing and analysis centers (ISACs). She said ISACs are industry-driven, but cooperative by nature, with DHS helping bring everyone together.
Before the electricity sector pilot, the Defense Department led a program, called the Defense Industrial Base (DIB), to give 20 companies the opportunity to use two-way sharing of cyber threat and vulnerability data with the federal government at the unclassified or classified levels. The pilot program started in 2007.
DoD issued a sole source justification on FedBizOpps.gov to extend its contract with Booz Allen Hamilton for two more years to support the program. Under the $9.8 million deal, the company will continue to support the unclassified and classified approaches to sharing cyber threat data with more than 2,600 cleared contractors for a total of more than 15,000 users.
Rep. Mike Rogers (R-Mich.), chairman of the Intelligence Committee, said liability issues hamstring the DIB pilot and similar programs, keeping them from making real and sustained progress.
“Currently, there is no protection for sharing so it happens very minimally, which is why the DIB project is even feasible. Can we share in real time zeroes and ones, if you will, with companies to stop malicious code from entering into those systems?” he said. “Here’s the great news: the DIB project said, ‘Yes, you can.’ However, if you are going to take that sheet and spread it out over all the private sector, you have to have legal protections, and they can’t get access to classified information. We have to legally create a way for that to happen. Without that, that’s why it’s not happening.”
Rogers said the lack of regulation is not the reason why critical infrastructure companies are struggling to protect their systems.
Share first, regulate second
Rogers said the government needs to give owners and operators the threat information first and then see where regulation may be needed.
Some in the Senate and administration initially tried to take a regulatory approach to protecting critical infrastructure networks. But after receiving pushback from industry and other lawmakers, they moved closer to a voluntary structure.
Rogers said a regulatory approach will not work because the process is too slow.
Instead, Rogers and Rep. Dutch Ruppersberger (D-Md.), ranking member of the Intelligence Committee, introduced the Cybersecurity Intelligence and Sharing Protection Act (CISPA), which the House passed.
The 13-page legislation requires the Director of National Intelligence to create a process to share classified cyber data with properly cleared private sector individuals. The only information that can be shared both ways is cyber or national threat information, which is a key point of the bill.
The White House doesn’t support it and the bill hasn’t gotten any legs in the Senate.
Rogers said the bill is far from dead. He and Ruppersberger are reaching out to the Senate to see what their options are after the election. Rogers said after the election there is an opportunity to drum up more support for CISPA.
“There is a way to do this. I hope at the end of the day we do a little small step that I think will make an immediate impact, and then go and see if we need big regulatory structures to tell business exactly how to set up and protect their networks,” he said. “I don’t want a whole bunch of compliance people hired to figure out how you comply with what the government just told you to do. I want you to hire cybersecurity analysts and experts to stop what’s coming at you. And those are the different philosophies we are wrestling with.”