Officials testify on cyber order progress

Leaders from the Homeland Security Department and the National Institute of Standards and Technology on July 18 headed to Capitol Hill to report on progress in implementing President Barack Obama's cybersecurity executive order.

In testimonies before Congress and at public events in Washington, officials from both agencies outlined goals that have been met so far, as well as challenges that still remain. The officials also reiterated calls for Congress to take supplemental action through cybersecurity legislation that would bolster efforts currently under way as part of the executive order.

Speaking before the House Homeland Security Committee's cybersecurity subcommittee, officials including Robert Kolasky, director of the implementation task force in the Homeland Security Department's National Protection and Programs Directorate, described enduring efforts in convening workshops with industry, conducting analyses of critical infrastructure, examining acquisition implications and evaluating key partnerships.

Those strategies and others are central pieces of the executive order and the construction of an overarching framework the EO directs. But beyond that, officials stressed, the efforts under way in both government and industry are part of an evolving process that still has a long road ahead.

"Critical infrastructure security and resilience to cyber incidents and other risks [are] an ongoing capability development effort rather than an end state to be achieved on a given date, or via a defined deliverable. All partners in this national effort will need to continue to contribute to its progress over time," Kolasky said in his submitted testimony. "The desired end-state of the critical infrastructure partnership model is an environment in which public and private partners work in a networked manner to effectively and efficiently share information and allocate risk-reduction responsibilities."

Other officials said the EO, combined with a renewed look at existing standards and guidelines, is providing an avenue for cross-agency and cross-sector cooperation that is yielding a path forward that will be both effective at a range of levels and able to keep pace with fast-moving technology and cyber threats.

"What can we use, how can we look at the standards and best practices and how can we build out a framework that addresses these critical infrastructure needs?" asked Donna Dodson, division chief of NIST's computer security division and acting director of the National Cybersecurity Center of Excellence. "We are looking at that from a multi-dimension approach, from the EO perspective all the way down to the operator perspective. Because cybersecurity needs to be a culture in an organization, not something just the owners and operators do."

Dodson spoke July 18 at FCW's executive briefing in Washington.

The Capitol Hill progress report comes within weeks of two deadlines for deliverables mandated under the EO, due at 120 days and 150 days after the order's release. The feedback seems to indicate that agencies are making advancements, but that it has not necessarily been an easy road and that much work still remains.

Regardless of what the scorecard shows, the criticality of the EO's success cannot be overstated, experts said. The order came after multiple failed attempts at passing cybersecurity legislation – something that remains a glaring shortfall, as there are a number of cybersecurity vulnerabilities only new laws can adequately address.

"For collective action, a lot of people have to agree to act in the same way to achieve an outcome. Right now we can't do collective action because there is a lack of political will, which is too bad because it's the solution," said Jim Lewis, senior fellow at the Center for Strategic and International Studies and senior fellow of CSIS' technology and public policy program.

With legislation still nonexistent – and with no clear timeline for changing that – the EO may be the only way risks to critical infrastructure can be mitigated, and agencies can't afford to wait for a "Plan C."

"The executive order is the single most important thing going on in cybersecurity right now. They started working on it in August of 2012, and it took six months to complete it – not necessarily an encouraging sign," Lewis said. "The EO is the decisive moment for this administration's cybersecurity. They have done a lot of work, come up with good strategies, but this is the make-or-break moment because if the EO is a bust, we will not get another chance until after 2016. This is the 9th inning, we are at bat and it will be very hard to recover from striking out."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
