As time runs out for Congress to pass cyber legislation before next year, White House officials are looking for ways around Capitol Hill's inability to enact policies to secure government networks and critical infrastructure.

The executive branch is accelerating efforts to implement cybersecurity within federal agencies and in the sectors responsible for critical infrastructure, including the financial and energy industries. The White House's top cybersecurity official said it's not more power the Obama administration is after — it's getting the many organizations involved to head in the same direction.

"A lot of it's about the soft power and the way you work within the bureaucracy and the different agencies to get them to align policy," Michael Daniel, White House cybersecurity coordinator, said Oct. 9 at an event held by the Center for National Policy and Christian Science Monitor in Washington. "I think you can be very effective in that space as long as you understand how that space operates."

Daniel cited the Office of Management and Budget's updates to the Federal Information Security Management Act, which he said continue to tie together government mandates with the cybersecurity framework released earlier this year by the National Institute of Standards and Technology. He also noted ongoing outreach to agencies in a bid to synchronize federal cybersecurity efforts, and said the framework — which continues to undergo development — will soon include additional guidance specifically for use by federal agencies.

"I think agency CIOs are getting tired of me coming to talk to them about using the framework inside their agencies, but that's the direction we're moving in," Daniel said. "We're bringing those principles into how we manage the federal government's own cybersecurity and in fact we're developing an overlay for the federal government that's related to the framework."

Daniel and other cybersecurity experts also agree that the White House's Oct. 3 memo directing the Homeland Security Department to scan federal networks for cyber threats is another step in the right direction. The new policy also codifies DHS responsibilities for its federal continuous diagnostics and mitigation (CDM) program, the fiscal year 2015 metrics under FISMA and the cybersecurity cross-agency priority goals for the next year.

"On the government side we need clarification on the laws, statutory clarification of what DHS does," Deputy Undersecretary for Cybersecurity and Communications Phyllis Schneck said at a Washington conference last month. "Everybody remembers Heartbleed. In all of our government cabinet agencies, we wanted to look and make sure that no one was running that version of OpenSSL ... It took the better part of just over a week to get the legal side of some of the agencies to be OK with it while the technical side sweated the bullets knowing that the whole world knew about this vulnerability now and all the wannabes were trying to exercise it."

Strengthened authorities for the government to conduct CDM on its own networks are another way around the cyber stalemate on Capitol Hill, according to Jeff Moss, information security expert and founder of DefCon and Black Hat.

"DHS [has had] authority over dot-gov networks, but they couldn't even scan them, and they were learning more about what's going on in the government by reading private-sector researchers scanning the government. There's such a big disconnect on authorities and capabilities," Moss said at the Oct. 9 event. "Let's get DHS and some of these other agencies taking care of their own business — they don't necessarily need legislation for that."
