Export Compliance Daily is a service of Warren Communications News.
‘Ongoing Process’

Federal Efforts to Address Cybersecurity Aren’t Enough, Congressman, Federal Officials Say

Substantial progress on cybersecurity might require a “cyber Pearl Harbor,” said Rep. Gerry Connolly, D-Va. Fully addressing the cyberthreat “will require a cyber Pearl Harbor, for the public to fully understand and get mobilized to respond,” he said Wednesday. “If we do have a cyber Pearl Harbor, where something terrible happens because of this vulnerability, the public reaction is going to be very strong. And then federal intervention will be inevitable. We won’t be talking about voluntary standards” anymore, he said on a panel organized by technology media company Fedscoop.

Cybersecurity threats won’t disappear simply because the federal government takes action, Connolly said. “As long as we have technology … those who are seeking to break into databases, whatever their motivation may be, are always going to develop a way to break in, and we're always going to have to be investing in preventing, mitigating, catching [them].” Connolly, ranking member of the House Oversight Technology Subcommittee, urged refocusing the federal government on cybersecurity. He criticized the Senate for failing to find consensus on the cybersecurity issue at the same time House colleagues were able to pass several pieces of cyber legislation.

Even the framework the National Institute of Standards and Technology team is developing under President Barack Obama’s cybersecurity executive order won’t fully solve the problem, said Chuck Romine, director of the IT laboratory at NIST. The order, issued in February, set requirements for improvements to the cybersecurity of critical national infrastructure through voluntary, collaborative efforts between the federal government and private companies operating critical infrastructure, like banks and other major institutions (CD Feb 14 p1). “You can’t imagine that we will issue a framework and we will be finished and that’s the end of the story,” said Romine. “This is going to be an ongoing process, a living document, a living set of standards that must evolve as the threat space evolves. I don’t think NIST is going to be done, or the federal government as a whole is going to be done at the end of 240 days or 365 days. It’s going to be an ongoing process.”

Part of the delay in addressing cybersecurity may be the structure of the federal government, which “is not well organized, in my opinion, to meet this threat,” Connolly said. There are at least 250 people with the title of chief information officer across top agencies, but “no one is quite empowered to be responsible, to make cogent decisions in a timely fashion. The system is almost designed to make sure that doesn’t happen.” Congress is “definitely to blame,” he said. “We've got 50 different statutes that address cybersecurity in some fashion, none of which have been updated in 11 years, although a lot has happened in 11 years. We've got to have more focus in the federal government if we want to be effective.”

One way to address the structural difficulties is to change the way the government approaches the issue, said Michael Daniel, special assistant to Obama and cybersecurity coordinator for the National Security Staff in the Executive Office of the President. Rather than think of cybersecurity as a defense program akin to those run by the Department of Defense or Homeland Security, the government needs to look at different approaches, he said. Terms and concepts like geography and border control still matter in cyberspace, but they have far different meanings, he said. “The notions of border control and border access and the roles that we've assigned there don’t map well into cyberspace.” Everyone on the Internet is essentially operating at the “border,” said Daniel. He suggested instead a program modeled on the National Weather Service, through which the federal government could “forecast” coming cyberstorms for citizens and public officials by integrating information from both the private and public sector. In the same way that the government doesn’t respond to every storm that hits the country, it could decide how to respond to cyberthreats.

The medical community could offer still further solutions, Daniel said. Malware spreads much like germs in a biological system, and approaches like medicine’s inoculation and quarantine could offer substantial protections for preventing the spread of cyberviruses, he said. Models like those “may be much more effective in how we think about what the federal government’s role in cyberspace should be,” he said.

Daniel is nevertheless increasingly confident of government’s ability to address ongoing cyberthreats, he said. Cybersecurity has increasingly occupied the public consciousness, and that new focus will only improve the government’s ability to respond to threats, he said. “Our ability, and the focus we're seeing on this issue -- the kind of focus Congress is putting onto the issue, the fact that it’s moving out of the realm of essentially the techno-geeks and into the boardrooms, into the C-suites and the corporate world and into the realm of the deputy secretary and secretary level within the government -- all of those are actually very good trends, because people are beginning to take this seriously.”

Connolly agreed: “In American history, when we have decided to focus on a challenge, we have a very high success rate. We marshaled talent, resources, we had a clear mission and we succeeded.” The same is possible in cybersecurity, he said. “That is something we can do something about, to help [the federal government] in its efforts. Refocus the federal government in a much more cogent, targeted fashion. And if we do, I think we can actually make a very appreciable difference, positively.”