Implementation of Cybersecurity Executive Order Largely On Hold During Shutdown

NIST’s work on a preliminary version of the framework was already largely complete by late September, when White House Cybersecurity Coordinator Michael Daniel said the framework’s release would inevitably be delayed by a shutdown (WID Sept 26 p1). The executive order had mandated NIST release the preliminary framework for public comment by Thursday. NIST appeared to be “happy with the new draft” it submitted for pre-release clearance, said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy Program. “God knows it needs tweaking though.” About 8 percent of NIST’s 3,143 staff are exempted from furloughs under the shutdown, with those exempted working on critical agency functions such as the National Vulnerability Database and the NIST atomic clock, said the Department of Commerce’s “pre-decisional” shutdown contingency plans (http://1.usa.gov/1bhyBCe). Lewis said he hopes NIST staff might “have a brainstorm and come back and do a bit of redrafting, but overall this won’t have much of an effect."

Consortium for Cybersecurity Action Director Tony Sager believes the shutdown could still “put a crimp” on the Cybersecurity Framework because it was so critical that NIST release the preliminary framework for public comment by the original deadline, said the ex-chief operating officer for the National Security Agency’s Information Assurance Directorate. “NIST was already under a difficult time schedule to get this done.” DHS’s role in implementing the framework and developing threat models is “also on a complete hold, but none of that is as time-sensitive as getting the framework right,” Sager said. Other organizations will meet independently of the NIST process to “chew through how to shape this, but only NIST can get everyone in the same room,” he said. “The shutdown has to get out of the way before things start in earnest."

Progress on the framework “is not going to be appreciably delayed or impeded” beyond the date the shutdown ends, said Internet Security Alliance President Larry Clinton. “NIST’s staff managed to get a lot of work on this done well ahead of schedule.” Clinton said the “lion’s share” of the preliminary framework appeared in a draft NIST released in late August to allow for revisions following the agency’s fourth framework development workshop (WID Aug 30 p1).

The effect on other provisions of the executive order is “another story,” Clinton said. “The real power behind the executive order isn’t the framework -- that’s comprised of material everyone already knows.” The most important piece is the creation of effective incentives to encourage industry adoption of the framework -- and the shutdown’s effect on agencies’ creation of an incentives package could be “particularly traumatic,” Clinton said. Commerce, DHS, DOD, Treasury and the General Services Administration have already sent the White House recommendations on the feasibility of incentives, “but that work is nowhere near as advanced as the technical framework stuff” -- and that work stopped completely when the shutdown began last week, Clinton said. “Without incentives, the framework is basically an engine without any gas to make it run.”

The shutdown will likely slow down the process of identifying incentives, but the private sector will continue to have that discussion on its own, said former Deputy Assistant Secretary of Defense-Cyber Policy Bob Butler, a non-resident senior fellow at the Center for a New American Security. Butler is also chief security officer at data center provider Io and has been a consultant for DOD, the Air Force Scientific Advisory Board and other cybersecurity organizations. “The private sector will continue to bring all sorts of ideas to the table, but we won’t be likely to have the back and forth until the government is fully back in place,” he said.

Implementation of the executive order “for the most part is shot to hell” during the delay, even in agencies that still have many non-furloughed employees, said Information Systems Security Association President Ira Winkler. “There’s way too much work to be done to satisfy the executive order in the first place,” he said. “If you assume that by default you have 40 percent less people implementing something potentially new, you can pretty much expect nothing is going to be done towards the end because if you only have 60 percent of the people left, that 60 percent of the people have to perform basic functions. They're only supposed to be doing essential things. You're functioning on keeping your head above water, you're not looking to make progress."

Programs meant to improve information sharing between the government and the private sector on cyberthreats will all slow down -- in part because they too are somewhat dependent on development of the Cybersecurity Framework, Butler said. DHS’s National Protection and Programs Directorate, which contains most of the agency’s cybersecurity programs, will operate with 57 percent of its normal staff throughout the shutdown -- 1,617 out of 2,835 employees. Exempted NPPD employees either are presidential appointees, law enforcement officers, or essential to life safety and property protection, or they receive their salary from non-appropriations funding, said DHS’s shutdown contingency plan (http://1.usa.gov/1fDx8Ih). The executive order tasked DHS to expand its experimental Enhanced Cybersecurity Services program so all critical infrastructure sectors could receive classified cyberthreat information. Butler said that “much of the prep work is in place, but there are a lot of things that still need to take place to make the expansion legally compliant."

Work on other DHS cybersecurity programs, such the Critical Infrastructure Partnership Advisory Council Cross Sector Enduring Security Framework, are also on hold, experts said. The department’s National Cybersecurity & Communications Integration Center and the U.S. Computer Emergency Readiness Team had become more active in recent months, “but that was so new that I think that turning it off temporarily doesn’t have that major of an effect,” Lewis said. “People hadn’t relied on them, but everyone tells me it had gotten better. So we're no worse off now than we were, say, in August 2012.” DHS’s Cyber Skills Task Force had just begun implementing mechanisms to “define and plan” for a more cybersecurity-literate workforce, so now is “not a great time to be stopping that,” Sager said. The shutdown could also delay the funding of existing cybersecurity contracts within DHS and other agencies, Butler said. The recently awarded $6 billion Continuous Diagnostics and Mitigation contract is one of several programs encountering delays due to the shutdown, he said.

The intelligence agencies and DOD had largely managed to avoid the shutdown, with most furloughed DOD workers expected to return to work this week after Secretary of Defense Chuck Hagel ordered their recall. DOD and Department of Justice lawyers “concluded that the law does allow the Department of Defense to eliminate furloughs for employees whose responsibilities contribute to the morale, well-being, capabilities and readiness of service members,” Hagel said in a statement.

Several members of Congress expressed concerns at a Politico event Tuesday about the shutdown’s impact on cybersecurity readiness. House Homeland Security Committee Chairman Michael McCaul, R-Texas, said the furloughing of nearly half the country’s cybersecurity professionals “puts the country at risk.” House Intelligence Committee Chairman Mike Rogers, R-Mich., said the intelligence community had furloughed more people than was strictly necessary under existing rules. “You can’t take that many people out of the work the intelligence community does and not have an impact,” he said. “Given the threat matrix we face today, we need to work quickly.” House Intelligence ranking member Dutch Ruppersberger, D-Md., said one contractor had told him the contractor was losing $20 million per day under the shutdown. Rep. Tammy Duckworth, D-Ill., who sits on the House Armed Services Committee, said the situation was “dire.” The shutdown is “a great time to launch a cyberattack, because the folks who would be detecting attacks are on furlough and not allowed to do their jobs,” she said.

Lawmakers also said the debate surrounding the shutdown and the debt ceiling would negatively affect the timeline for passing cybersecurity legislation. The debate over funding the government “is sucking the oxygen out of the room, if you will, in D.C. and on these other issues,” McCaul said. Senate Intelligence Committee ranking member Saxby Chambliss, R-Ga., said he’s hopeful the Senate could still pass an information-sharing bill like the House-passed Cyber Intelligence Sharing and Protection Act (CISPA), and his House counterparts, Rogers and Ruppersberger, agreed. But a slew of other private sector officials and several public officials, including Duckworth, House Armed Services member Mac Thornberry, R-Texas, and House Intelligence member Adam Schiff, D-Calif., expressed strong doubt that any such bill would move this year.

NSA Director Keith Alexander, also commander of U.S. Cyber Command, said the shutdown would do the most damage to the morale of the cybersecurity workforce. He and the other public officials said recruitment in that workforce is already disadvantaged by the allure of the private sector, and delays and furloughs don’t do anything to improve that. “Cutbacks, the furloughs and the uncertainty -- it’s really hurt morale,” Duckworth said. Thornberry said that living from continuing resolution “to C.R. makes it a difficult environment to recruit people.”