By Geoff Fein and Calvin Biesecker
Citing the economic and national security challenges the nation faces from cyber threats, President Obama Friday rolled out the long-awaited 60-day review of the government’s efforts to defend the country’s information and communications infrastructure.
The efforts to secure the nation’s information highway will require that the private sector be a full partner in the endeavor, the president said.
“Let me be very clear, my administration will not dictate security standards for private companies,” Obama said during a White House ceremony unveiling the cyberspace review.
“On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity,” he added.
Larry Clinton, president and chief executive officer of the Internet Security Alliance, gave the president praise for making it clear the government was not going to dictate what the private sector needs to do.
“I give him an A-plus for his very clear rejection of the notion that the government’s role ought to be to dictate security standards to the private sector,” Clinton told Defense Daily Friday. “He went out of his way to say we are not going to do that…we are going to work collaboratively with industry. And, if you go into the report, he is very clear about the need to improve market incentives for the private sector to adopt technologies and policies to improve cyber security.”
That approach speaks to a sophisticated understanding of the complicated and 21st century sort of problem we have that needs to be dealt with in a novel and enlightened approach, he added.
Additionally, the president will soon appoint a new Cybersecurity Coordinator to orchestrate and integrate all cybersecurity policies for the government. That person will advise the president on all matters relating to cybersecurity.
While Obama did not name a choice for the new position, Clinton noted that the president made it clear the role the coordinator will have in the administration.
“I think it’s a critical issue that he was very clear that this person will have feet both in the National Security Council and the National Economic Council,” he said.
“That is a very sophisticated and insightful decision in my opinion. Cyber security is not just a straight up security issue. The Internet is woven into everything.”
The president has established the protection of the networks that we rely on for our national and economic security, public health, and public safety as a national asset and a national priority, Robert Dix vice president, Government Affairs Critical Infrastructure Protection Juniper Networks, Inc., told Defense Daily Friday.
“That there’s at least a course that has been set that permits us, in my opinion, at least to move from primarily a reactive mode to at least having an opportunity to move the approach to include a proactive element of detection, prevention, response, and mitigation to cyber events…from that standpoint I think it was a huge step forward,” Dix said. “I think that the presentation made by the president today was a demonstration of his commitment and his knowledge of the subject.”
The private sector has now been provided a blueprint and challenged to work together with the public sector, Dix added.
“I think many of us in the private sector, and many stakeholders, as well as our friends in government, are ready to move forward with action,” he said.
Additionally, Dix said the president’s indication that the private sector and particularly the owners and operators of the critical infrastructure need to be full partners in this effort is “important and refreshing.”
Cyber security has been focal point for more than a decade, Zalmai Azmi, senior vice president for Strategic Law Enforcement and National Security Programs at CACI International [CAI], told Defense Daily. “I think this is the first time that we see [an] administration taking the lead on this and moving forward as aggressively as possible.”
He said Obama understands that cyber security is a complex problem, which is why it requires attention and collaboration across all sectors: federal, state, local and private.
Azmi, who previously was the chief information officer at the FBI, cautioned that the report is at a high level and there’s still difficult work ahead in planning and strategy, which then has to be executed.
“The devil is in the details,” Azmi said.
He also likes the creation of a policy czar in the White House to coordinate the activities of the different agencies, which is “really critical,” although again it remains to be seen how it will be done.
Lawmakers too chimed in Friday with their read of the president’s proposals.
“First, I must commend the president for making this 60-day cyber review a priority in his young administration. This quick action should serve as a clear indication to both the public and private sector of how serious this issue has become for our nation,” Rep. Jim Langevin (D-R.I.) said in a statement.
“Working as the co-chair of the Center for Strategic and International Studies – Commission on Cyber Security for the 44th Presidency in 2008 served to further increase my belief that cyber security is among the most serious economic and national security challenges we will face in the 21st century. Our nation must respond vigorously to threats against our cyber infrastructure.”
The 38-page review, led by Melissa Hathaway, acting senior director for cyberspace on the National Security Council, had been slated for release a few weeks ago. With its release, government, private sector, lawmakers and the public can now see the range of actions the administration plans to pursue.
Among those are:
- Ensuring an organized and unified response (to include state and local governments) to future cyber incidents.
- Strengthening the public/private partnership.
- Continuing investment in cutting-edge research and development necessary for the innovation and discovery needed to meet the challenge.
The report acknowledges that the federal government cannot succeed in securing cyberspace if it acts alone. “Government and industry leaders both nationally and internationally will need to delineate roles and responsibilities, integrate capabilities, and take ownership of the problem to develop holistic solutions,’ the report said.
In partnership with the private sector, the government will need to “develop global standards, expand the legal system to combat cyber crime, continue to develop and promote best practices and maintain stable and effective Internet governance,” according to the report.
Businesses need effective means to share detection methods, information about breaches and attack methods, remediation techniques, and forensic capabilities with each other and the federal government,” the report said.
Government can assist by considering incentive-based legislative or regulatory tools to foster an environment that facilitates and encourages partnership and information sharing, the report added.
There also needs to be a review of potential barriers that could impede any public-private partnership. For example, the report noted: “some in industry are concerned that the information sharing and collective planning that occurs among members of the same sector under existing partnership models might be viewed as ‘collusive’ or contrary to laws forbidding restraints on trade. Industry has also expressed reservations about disclosing to the federal government sensitive or proprietary business information, such as vulnerabilities and data or network breaches.”