Consumer Electronics Daily was a Warren News publication.
‘In a Tough Space’

Cybersecurity Standards Should Avoid Mandatory Requirements, Maintain Efficacy, White House Official Says

The White House is in a “tough space” when it comes to finding a way to make cybersecurity standards effective without making them mandatory, said Andy Ozment, White House senior director of cybersecurity. The administration’s plan has been based on an understanding that “there is reasonable concern that a top-down approach to regulation will be harmful rather than helpful,” he said Thursday. Ozment outlined the White House’s existing priorities for cybersecurity and discussed the legislation the White House has pushed for, at a keynote address to network security professionals at a conference organized by an association called USENIX. He also emphasized to the audience that though the administration was doing all it could to prioritize cybersecurity, real progress could only come through their individual efforts.

President Barack Obama’s February executive order tasked the National Institute of Standards and Technology with consulting with industry to develop a set of voluntary standards for cybersecurity. NIST will hold its final framework workshop Sept. 11-13 at the University of Texas at Dallas, and plans to release a preliminary version of the framework Oct. 10. Its final version is due in February. “There is no appetite for mandatory standards,” Ozment said. “We've tried to thread the needle here. We've tried to say, first, let’s come up with the standard so people can see what we're talking about. … We're moving the ball forward while addressing concerns about unhelpful regulation.”

Ozment said the administration has pushed Congress to pass legislation to expand the information sharing capabilities of private sector companies between themselves and with the government. The executive order allowed for information sharing between the government and the private sector (CD Feb 14 p1), but expanding the information flows in other directions will require legislation, Ozment said. The administration has also encouraged updates to the jurisdiction of certain law enforcement authorities to expand their power in the digital world. It’s pushing for separate legislation that would update the authority of the Department of Homeland Security, to allow the government to better protect itself against intrusions in cyberspace, said Ozment. It has also pushed Congress to harmonize existing data breach notification laws, which exist in different capacities in 47 states. The White House wants to extend those protections to every state, and to develop a single national standard, said Ozment.

The White House has also pushed Congress to help it incentivize the adoption of the cybersecurity framework in development at NIST, Ozment said. He emphasized that as part of its executive order, the administration directed the departments of Commerce, Homeland Security and Treasury to report on the feasibility of incentives to encourage industry adoption of cybersecurity practices. The three agencies, which published their reports last week, made nine suggestions for incentives, including for cybersecurity insurance and federal grants, he said. Several of the proposed incentives could require new law, and the White House is considering whether to recommend legislation to encourage those incentives (CD Aug 7 p1). Last month, the Senate Commerce Committee passed the Cybersecurity Act to codify NIST’s role in developing a cybersecurity framework (CD July 31 p1), and the House passed the Cyber Intelligence Sharing and Protection Act, to criticism from Senate Democrats (CD July 22 p5).

Ozment also outlined the White House’s existing priorities for cybersecurity: Protecting critical infrastructure, securing government, engaging internationally, improving incident response and shaping the future. The primary focus has been on increasing and encouraging information sharing, since cybersecurity efforts across the country have disparate levels of sophistication, he said. The White House is also working to improve cyberdefenses across all governmental agencies, he said, some of which are much further along than others. Its international engagement has focused on increased dialogue with both China and Russia, including a series of “confidence building” measures with the Russians regarding cybersecurity, he said. To shape the future, the entire security community must work to develop new, forward-looking priorities and protocols that can give those defending networks better odds against attackers or intruders, said Ozment.

Ozment said security professionals should play a bigger role in the development of cybersecurity standards and in securing critical infrastructure, in a final call to his audience. Network security professionals have an “enormous knowledge” that the effort will require, he said. “We understand that the government is not going to solve this problem. We're all going to solve this problem together,” he said. “And that requires all of you to do your work, to secure whatever it is you're responsible for securing. Until we do all of that, we're not going to make progress.”