The new Cybersecurity National Action Plan announced Tuesday by the White House aims at protecting federal agencies from cyberattacks, an urgent need dramatized by the ransacking of the Office of Personnel Management’s aged computer systems by hackers two years ago.
Fully aware that the Obama administration is writing its last chapter, officials created the plan to cap off prior cybersecurity actions and to leave a blueprint for the next president.
Michael Daniel, special assistant to the president and cybersecurity coordinator, said at a New America Foundation event yesterday that the raft of cyber initiatives represents a "capstone effort" from the Obama administration.
A range of experts asked to assess the plan agreed that it addresses a crucial need to modernize civilian information systems, some dating back to the 1970s, that may be virtually indefensible because of vulnerable technologies. The plan asks Congress for $3.1 billion to replace these legacy information systems rather than apply further patches.
"The intention is very much to get the federal house in order and partner with the private sector on things that are owned there," said Ryan Gillis, vice president of government policy at Palo Alto Networks Inc. and former director of cybersecurity policy at the National Security Council.
Paul Stockton, managing director of Sonecon LLC and former assistant secretary of Defense for homeland defense, cautioned, however, that the new plan’s potential value for critical infrastructure sectors hinges on improving the transfer of cyberdefense advances in government to the private sector.
"I believe the president’s plan creates important new opportunities for progress — if, and only if — these initiatives are effectively implemented," he said.
Looping in the private sector
While the plan properly focused on research on defending federal systems, he said, "there should be a commitment from the beginning that these research and development efforts will be shared with the private sector to the greatest extent possible, including owners of the power grid, water utilities and other critical infrastructure."
The Cybersecurity National Action Plan (CNAP) announced Tuesday creates the position of federal chief information security officer, to lead cyber policy planning throughout the federal government. The departments of Homeland Security, Energy and Commerce are to create a National Center for Cybersecurity Resilience, a test laboratory where, for instance, replicas of the power grid could be hit with cyberattacks.
The plan also will create a Commission on Enhancing National Cybersecurity made up of leaders from strategy groups, business, government and Congress that would recommend long-term policies to strengthen cyberdefenses in government and the private sector.
The administration also intends to release a policy by this spring for national cyber incident coordination with a rating system for evaluating the severity of cyber incidents.
The CNAP plan "looks like a good step. It shows a continuing maturity on the government’s part on what cybersecurity looks like. From an initial read, there is a lot of symbiosis — things we can do with them, and they can do with us," said Scott Aaronson, senior director for national security policy at the Edison Electric Institute, representing investor-owned utilities.
Aaronson said the plan should give another push to better sharing of sensitive cyberthreat information between government and the energy sector.
"We have seen a willingness on government’s part to engage regularly, and more openly, with the owners and operators of critical infrastructure," Aaronson said, citing examples like the analysis of the Ukraine power blackout in December.
"That said, you see a recognition by the White House that it can always be better. There are still organizational issues; there are silos; there are clearance issues that inhibit completely free flow of that information," Aaronson said.
"This is a leadership moment for President Obama to crystallize the importance of managing cyber risk. This doesn’t harm what the energy sector is doing. It’s a bit of a different focus," said Evan Wolff, an attorney with Crowell & Moring who was a senior adviser at DHS.
"There will be benefit to the energy infrastructure through improving incident response, federal R&D and improving the cyber workforce, which is often shared between industry and government," Wolff said.
The new White House plan lands on top of a large structure of federal cybersecurity actions created since 2009.
The new plan did not "spring forth like Athena without any foundation," said the White House’s Daniel yesterday, citing President Obama’s February 2013 executive order on critical infrastructure protection as one example.
That led to development of the National Institute of Standards and Technology’s (NIST) voluntary Framework for Improving Critical Infrastructure Cybersecurity, now used by many electric utilities to gauge the effectiveness of their own security programs (EnergyWire, Dec. 11, 2015). "In effect, we are doubling down on what we’ve been doing and are trying to accelerate it because of the growth in the threat," Daniel said.
The new announcements did not simplify the policy map overall. There are new cyber agencies in the Department of Homeland Security and the Director of National Intelligence’s office.
DOE has launched its program to coordinate cybersecurity research at the national laboratories and already operates a grid test bed at the Idaho National Laboratory. DHS has a program to commercialize ready-for-market advanced cybersecurity tools. Meanwhile, this month, the Commerce Department opened an expanded National Cybersecurity Center of Excellence, a public-private research and development partnership to bring together industry and government experts from NIST on high-priority cybersecurity challenges.
Cybersecurity for the power grid is governed by mandatory regulations now in their sixth version, developed by the industry-led North American Electric Reliability Corp. and approved by the Federal Energy Regulatory Commission. The Electricity Sub-sector Coordinating Council brings together grid CEOs for top-level government cyberthreat briefings. DOE’s Cybersecurity Capability Maturity Model stands along with the NIST cybersecurity framework as a voluntary best practice document.
Congress issued its own directives last year in the Cybersecurity Information Sharing Act, which appoints DHS as the threat information sharing center between government and business. It was designed to give businesses incentives for sharing threat information and new authority to the secretary of Energy to deal with grid emergencies, including a major cyber and terrorist attack.
Whether or not this week’s additions to the nation’s cyberdefenses add strength or complexity, one senior official said planning and preparation cannot be allowed to go backward.
"We are playing a very difficult game, and one in which the adversaries seem to be getting stronger and stronger," said Ed Felten, deputy U.S. chief technology officer at the White House, speaking yesterday. "So it’s important that, as well as dealing with the more immediate needs that we face, that we’re laying the foundation to play a better game in the future."