Government said to be making larger strides in cybersecurity

Leaders at the highest levels of the federal government are moving forward with a range of cybersecurity programs and initiatives, according to a National Security Council official. And while much work remains, the efforts are beginning to bear fruit.

Michael Daniel, special assistant to the president and cybersecurity coordinator at the NSC, highlighted progress in a number of initiatives including short-term, medium-term and long-term plans.

“Right now cyberspace seems to favor the intruder, and this setup makes defense a losing game,” Daniel said Sept. 26 at the INSA Cybersecurity Innovation Symposium in Washington. “We’re pursuing a lot of activities designed to make cyberspace inherently more secure; we’re changing the game to one that’s actually in our favor. There’s a lot we can do in this, and we’ve got a lot of efforts going on.”

The progress is most clearly visible in the coordination between federal agencies, which Daniel noted has improved in recent months.

“It can be hard to quantify, but you can see we’re making progress. Things that used to take prodding now just happen without somebody from [higher] levels asking, requiring and making it happen,” he said. “That’s a real advance.”

One of the more recent programs contributing to the improved coordination is the Cybersecurity Capability and Maturity Model, a public-private partnership that examines and implements the best ways for government to work with the owners and operators of privately owned critical infrastructure in protecting their networks.

The electricity subsector, led by the Energy and Homeland Security departments, has served as a pilot of the model, which is based on sets of questions companies use to assess their cybersecurity posture. The findings help inform investment planning, research and development and other partnership efforts, Daniel said.

“The electricity subsector is currently working with us to build a baseline understanding of cybersecurity capabilities – what’s working and where our resources need to be adjusted,” he said. “So far our experience has been that almost everybody who goes through the maturity model learns something – many of them learn a lot. A lot of companies have learned that things they thought they were doing well actually needed some basic improvements; others actually discovered they already had programs going that sometimes they weren’t even fully aware of.”

Daniel also said the administration is moving forward in implementation of Einstein 3-Accelerated, DHS’ software-based intrusion detection/prevention program for federal networks.

The Defense Department’s voluntary defense industrial base (DIB) information-sharing program for cyber threats is moving ahead as well, Daniel noted. Now split into two areas of focus – cybersecurity information assurance and enhanced cybersecurity services – the programs hinge on private defense companies and DOD sharing information that is both unclassified and classified. Daniel said they are “working to get those programs up and running fully.”

While the efforts represent a good start for the government, there remains a mountain of challenges ahead, requiring multi-tiered and multi-faceted approaches, Daniel said.“ Even if we manage to improve the security of federal networks and improve the cybersecurity of critical infrastructure, I probably won’t be out of a job.”

One specific weakness currently being targeted is incident-reporting management and response, and according to Daniel, there are a number of joint initiatives under way.

“Through a series of initiatives with the intelligence community, law enforcement and government as a whole, we’re trying to improve knowledge of potential adversaries in cyberspace – including how we even identify, characterize and talk about these things, and then how we actually respond,” he said.

Daniel pointed out that earlier this year a national-level exercise focused on cybersecurity highlighted specific areas needing improvement, including clearer authorities for information-sharing and better abilities to identify existing capabilities and systems.

“We’re already extracting some of the lessons learned and working on top mission-critical findings from that,” he said.