Officials testify on cyber order progress

Leaders from the Homeland Security Department and the National Institute of Standards and Technology on July 18 headed to Capitol Hill to report on progress in implementing President Barack Obama's cybersecurity executive order.

In testimony before Congress and at public events in Washington, officials from both agencies outlined goals that have been met so far, as well as challenges that remain. The officials also reiterated calls for Congress to take supplemental action through cybersecurity legislation that would bolster efforts currently under way as part of the executive order.

Speaking before the House Homeland Security Committee's cybersecurity subcommittee, officials including Robert Kolasky, director of the implementation task force in the Homeland Security Department's National Protection and Programs Directorate, described enduring efforts in convening workshops with industry, conducting analyses of critical infrastructure, examining acquisition implications and evaluating key partnerships.

Those strategies and others are central pieces of the executive order and the construction of an overarching framework the EO directs. But beyond that, officials stressed, the efforts under way in both government and industry are part of an evolving process that still has a long road ahead.

"Critical infrastructure security and resilience to cyber incidents and other risks [are] an ongoing capability development effort rather than an end state to be achieved on a given date, or via a defined deliverable. All partners in this national effort will need to continue to contribute to its progress over time," Kolasky said in his submitted testimony. "The desired end-state of the critical infrastructure partnership model is an environment in which public and private partners work in a networked manner to effectively and efficiently share information and allocate risk-reduction responsibilities."

Other officials said the EO, combined with a renewed look at existing standards and guidelines, is providing an avenue for cross-agency and cross-sector cooperation that is yielding a path forward that will be both effective at a range of levels and able to keep pace with fast-moving technology and cyber threats.

"What can we use, how can we look at the standards and best practices and how can we build out a framework that addresses these critical infrastructure needs?" asked Donna Dodson, division chief of NIST's computer security division and acting director of the National Cybersecurity Center of Excellence. "We are looking at that from a multi-dimension approach, from the EO perspective all the way down to the operator perspective. Because cybersecurity needs to be a culture in an organization, not something just the owners and operators do."

Dodson spoke July 18 at FCW's executive briefing in Washington.

The Capitol Hill progress report comes within weeks of two deadlines for deliverables mandated under the EO, due at 120 days and 150 days after the order's release. The feedback seems to indicate agencies are making advancements, but that it has not necessarily been an easy road and that much work still remains.

Regardless of what the scorecard shows, the criticality of the EO's success cannot be overstated, experts said. The order came after multiple failed attempts at passing cybersecurity legislation – something that remains a glaring shortfall, as there are a number of cybersecurity vulnerabilities only new laws can adequately address.

"For collective action, a lot of people have to agree to act in the same way to achieve an outcome. Right now we can't do collective action because there is a lack of political will, which is too bad because it's the solution," said Jim Lewis, senior fellow at the Center for Strategic and International Studies and senior fellow of CSIS' technology and public policy program.

With legislation still nonexistent – and with no clear timeline for changing that – the EO may be the only way to mitigate risks to critical infrastructure, and agencies can't afford to wait for a "Plan C."

"The executive order is the single most important thing going on in cybersecurity right now. They started working on it in August of 2012, and it took six months to complete it – not necessarily an encouraging sign," Lewis said. "The EO is the decisive moment for this administration's cybersecurity. They have done a lot of work, come up with good strategies, but this is the make-or-break moment because if the EO is a bust, we will not get another chance until after 2016. This is the 9th inning, we are at bat and it will be very hard to recover from striking out."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
