Officials testify on cyber order progress

Leaders from the Homeland Security Department and the National Institute of Standards and Technology on July 18 headed to Capitol Hill to report on progress in implementing President Barack Obama's cybersecurity executive order.

In testimonies before Congress and at public events in Washington, officials from both agencies outlined goals that have been met so far, as well as challenges that still remain. The officials also reiterated calls for Congress to take supplemental action through cybersecurity legislation that would bolster efforts currently under way as part of the executive order.

Speaking before the House Homeland Security Committee's cybersecurity subcommittee, officials including Robert Kolasky, director of the implementation task force in the Homeland Security Department's National Protection and Programs Directorate, described enduring efforts in convening workshops with industry, conducting analyses of critical infrastructure, examining acquisition implications and evaluating key partnerships.

Those strategies and others are central pieces of the executive order and the construction of an overarching framework the EO directs. But beyond that, officials stressed, the efforts under way in both government and industry are part of an evolving process that still has a long road ahead.

"Critical infrastructure security and resilience to cyber incidents and other risks [are] an ongoing capability development effort rather than an end state to be achieved on a given date, or via a defined deliverable. All partners in this national effort will need to continue to contribute to its progress over time," Kolasky said in his submitted testimony. "The desired end-state of the critical infrastructure partnership model is an environment in which public and private partners work in a networked manner to effectively and efficiently share information and allocate risk-reduction responsibilities."

Other officials said the EO, combined with a renewed look at existing standards and guidelines, is providing an avenue for cross-agency and cross-sector cooperation that is yielding a path forward that will be both effective at a range of levels and able to keep pace with fast-moving technology and cyber threats.

"What can we use, how can we look at the standards and best practices and how can we build out a framework that addresses these critical infrastructure needs?" asked Donna Dodson, division chief of NIST's computer security division and acting director of the National Cybersecurity Center of Excellence. "We are looking at that from a multi-dimension approach, from the EO perspective all the way down to the operator perspective.

Because cybersecurity needs to be a culture in an organization, not something just the owners and operators do."

Dodson spoke July 18 at FCW's executive briefing in Washington.

The Capitol Hill progress report comes within weeks of two deadlines for deliverables mandated under the EO, due at 120 days and 150 after the order's release. The feedback seems to indicate agencies are making advancements, but that it has not necessarily been an easy road and that much work still remains.

Regardless of what the scorecard shows, the criticality of the EO's success cannot be understated, experts said. The order came after multiple failed attempts at passing cybersecurity legislation – something that remains a glaring shortfall, as there are a number of cybersecurity vulnerabilities only new laws can adequately address.

"For collective action, a lot of people have to agree to act in the same way to achieve an outcome. Right now we can't do collective action because there is a lack of political will, which is too bad because it's the solution," said Jim Lewis, senior fellow at the Center for Strategic and International Studies and senior fellow of CSIS' technology and public policy program.

With legislation still nonexistent – and with no clear timeline for changing that – the EO may be the only way risks to critical infrastructure may be mitigated, and agencies can't afford to wait for a "Plan C."

"The executive order is the single most important thing going on in cybersecurity right now. They started working on it in August of 2012, and it took six months to complete it – not necessarily an encouraging sign," Lewis said. "The EO is the decisive moment for this administration's cybersecurity. They have done a lot of work, come up with good strategies, but this is the make-or-break moment because if the EO is a bust, we will not get another chance until after 2016. This is the 9th inning, we are at bat and it will be very hard to recover from striking out."