Export Compliance Daily is a Warren News publication.
Alexander Urges Legislation

Government Shutdown Could Delay Release of Preliminary NIST Cybersecurity Framework

Release of a preliminary version of the National Institute of Standards and Technology-facilitated Cybersecurity Framework will “inevitably” be delayed if an overall government shutdown occurs, said White House Cybersecurity Coordinator Michael Daniel at a Billington cybersecurity conference Wednesday. A shutdown could occur Oct. 1 if Congress and President Barack Obama can’t agree on a continuing budget resolution. A shutdown would furlough all but essential federal employees, including NIST staff working to finalize the preliminary framework, Daniel said. Obama’s cybersecurity executive order requires NIST to release the preliminary framework for public comment by Oct. 10 (WID Feb 14 p1). Delay of the preliminary framework’s release would be one of the many “bad things” to result from a government shutdown, but “ultimately we'll get there and get it published,” Daniel said. The cybersecurity summit also touched repeatedly on fallout from the leaks of information on the National Security Agency’s controversial surveillance tactics.


Daniel said implementation of Obama’s cybersecurity order has gone “incredibly well” and that he is “pleased” with the level of industry participation in the framework development process. More than 1,500 people participated in the four framework development workshops NIST has already held, NIST Director Patrick Gallagher told the Billington conference. NIST has “essentially” completed the process of drafting the preliminary framework -- it will shortly go through the clearance process prior to its public release, he said. An additional framework development workshop is set for Nov. 14-15 at North Carolina State University in Raleigh.

A government shutdown “shouldn’t [have] any major impact” on the release of the framework, Gallagher told us, speaking at another cybersecurity summit at the U.S. Chamber of Commerce Wednesday. “The one advantage of an industry-led process is you did all the work,” he said. “In this case, since the focus is really on supporting industry’s effort, I don’t see any major obstacles.” He said NIST doesn’t want a shutdown, calling it “highly disruptive.” He applauded NIST and the industry for meeting the aggressive timeline to develop the framework without adding any additional staff. The next step for cybersecurity is implementing the Cybersecurity Framework, Gallagher said. “Framework on paper is not enough,” he said.

James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy Program, told us he believes “it’s pretty much done, and while it needs a lot of work, the shutdown shouldn’t affect that.”

Other areas of the executive order’s implementation have also progressed, Daniel said at the Billington conference. The Department of Homeland Security has identified what it considers to be “critical” infrastructure, he said. The agency will not publicly release the critical infrastructure list, but is working with identified owners and operators, Daniel said. Non-legislative efforts to improve information sharing are also advancing, he said. Those provisions include accelerating security clearances for critical owners and operators and expansion of DHS’s Enhanced Cybersecurity Services program. Daniel said at the U.S. Chamber event that several initiatives still require legislative action. An executive order can only tell federal agencies what to do, he said, and “we still need to get to a point where we can help clear away some of the barriers for getting information back from the private sector to the federal government.” Legislation is also needed to update certain standards for protecting government networks, he said. “The need is still there. I think that this is something the White House is committed to working on with Congress.”

NIST will also continue to work with the NSA, Gallagher said at the Billington conference, saying NSA has a “deep reservoir of knowhow in cybersecurity activities” because of its work protecting federal networks. NIST’s collaboration with the NSA “is not a problem,” despite the outcry that resulted from the leak of documents indicating the NSA persuaded NIST in 2006 to adopt its version of the Dual_EC_DRBG standard, which included vulnerabilities that critics believe could be used for NSA hacking and foreign surveillance (WID Sept 9 p5). NIST is a neutral body that works with industry to reach a consensus on standards, so a lack of trust in the process could weaken NIST’s efficacy, Gallagher said. NIST has since reopened the standard for public comment (WID Sept 11 p1). The agency is also “redoubling” its transparency efforts to ensure widespread confidence that “our technical work stands on its own merits,” Gallagher said.

NSA Director Keith Alexander said at the Billington conference Wednesday that Congress must enact legislation to make it easier for the government and industry to share information on cyberthreats. The House and Senate Intelligence Committees remain interested in enacting information sharing legislation -- which is critical to achieving the objectives of President Barack Obama’s cybersecurity agenda, Alexander said. “No single public or private entity has all the required knowledge,” he said. “We have to work together.” House Intelligence Committee Chairman Mike Rogers, R-Mich., said at the Chamber of Commerce conference that he has not given up on the controversial Cyber Intelligence Sharing and Protection Act, adding that he believes he can reach a deal with Senate Intelligence Committee Chairwoman Dianne Feinstein, D-Calif., if she is able to get a companion information sharing bill through the Senate. (See separate item in this issue.)

Industry and government leaders need to help “get the facts out” on controversial U.S. surveillance programs amid the uproar caused by “sensationalized reporting,” Alexander said. And industry must continue to work with the government because industry support is “critical to defending this country” from a cybersecurity standpoint, he said. Alexander is also commander of the U.S. Cyber Command and chief of the Central Security Service. Communications industry actors had “taken a beating” over their cooperation with court orders requiring them to turn over bulk records -- “and that’s wrong,” Alexander said.

Alexander said that the NSA was not “listening to Americans’ phone calls and reading their emails,” saying the agency had examined metadata for only 300 phone numbers during 2012. The metadata, collected in accordance with Section 215 of the Patriot Act, contained “no names, just numbers,” Alexander said. “That’s it. That’s all we asked for.” That data was crucial to the government’s ability to “connect the dots” on potential threats -- which became critical after 9/11, he said. The collected data had also been critical in preventing the U.S. from experiencing the same sorts of recent terrorist attacks that had killed more than 950 people in Afghanistan, Iraq, Kenya, Syria and Yemen, Alexander said.

Alexander’s remarks came just before he was set to attend a classified briefing Wednesday with the Senate Judiciary Committee. Committee Chairman Patrick Leahy, D-Vt., said Tuesday that he believes “Section 215 bulk collection of Americans’ phone records must end” (WID Sept 25 p4). Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., were also planning to introduce legislation Wednesday targeting reforms to the surveillance programs. Alexander will also testify Thursday at a Senate Intelligence Committee hearing on the surveillance programs. (jphillips@warren-news.com)