
Senate Hearing Examines Implementation of White House Cybersecurity Initiatives


Six weeks ago the National Institute of Standards and Technology released the final version of the cybersecurity framework designed to help critical industries better protect themselves, but according to speakers at a recent Senate panel hearing, there is much work left to be done. 

The success of the framework so far has been attributed to it being developed with deep private sector buy-in, and it’s important to maintain that level of private sector involvement during the adoption process, Phyllis Schneck, deputy undersecretary for cybersecurity at the National Protection and Programs Directorate at the Department of Homeland Security, said last week at a hearing held by the Senate Homeland Security and Government Affairs Committee.

The hearing, “Strengthening Public-Private Partnerships to Reduce Cyber Risks to Our Nation’s Critical Infrastructure,” examined the progress in implementing the White House cybersecurity executive order as well as understanding the challenges facing public-private information sharing programs.

The Department of Homeland Security will play a central role in engaging partnerships, ensuring collaboration between the public and private sectors, and working with small businesses to improve their security outlook, Schneck said. Much of it is education and teaching general counsels how to look at cyber events and transfer that information accordingly. The framework also helps raise cybersecurity to a business discussion so that the boardroom can look at security as a measure of risk. DHS is staying involved with large companies, and encouraging them to work with their suppliers on security so that smaller companies don’t inadvertently expose larger companies.

“We need to know what utilities see, we need to know what they know and they need to see what we see—so how do we make them comfortable?” Schneck asked.

Executive Order on Cybersecurity

The “most promising joint government/industry outcomes” have been at the strategic level and not at the tactical level, and the framework is a “shining example” of such an effort, said Steven R. Chabinsky, the chief risk officer of CrowdStrike. Chabinsky spoke at the hearing as a cybersecurity expert and not as a representative of CrowdStrike. Successful information-sharing initiatives focus on sharing and co-development of risk management plans and security best practices, as well as conducting joint incident response training exercises, he said.

Good, But Better Information-Sharing Needed

Even so, there are still gaps in how information sharing is being used and how it can be used to defend critical infrastructure. There have also been successful efforts to collect and disseminate large quantities of time-sensitive data when they are used toward resolving specific, high-risk, continuing problems. The problem is that the focus has traditionally been on vulnerability mitigation and less on threat mitigation, Chabinsky said.


Information-sharing should focus on raising the costs on the attackers. Government and industry need to develop and implement technologies and policies focusing on threat mitigation aspects of hacker detection, attribution, and punitive response necessary to achieve sustained security, he said.

“If foreign fighter planes were on their way to the United States, everyone would be thankful for a government warning to relocate to a bomb shelter. Perhaps sheltering would last for five minutes, or five hours, or even five days, as the government engaged in aerial combat against the threat. But, in cyber, some foreign economic espionage intrusion campaigns have lasted for over ten years, and industry is not seeing from the government an effective plan to confront, repel, and defeat the intruders,” Chabinsky said.

The cybersecurity decisions relating to critical infrastructure are being left up to “to chance, to prevailing market forces, or to the world community,” Chabinsky said. Much of the focus when designing policies or technology has been on functionality, interoperability, bandwidth, speed, anonymity, and privacy—not security.

“Yet, despite our design choices, network security professionals routinely are being asked to do the impossible in the form of building trusted, impenetrable, dynamic, interoperable networks out of untrusted components, within untrusted environments, using untrusted supply chains, that rely upon untrusted vendors and untrusted users,” Chabinsky noted.

“We should establish public/private partnerships to determine whether trusted networks require a combination of distinct design elements, to include enhanced identity management, maximized intrusion detection and attribution capabilities, and prioritized actions to locate and penalize bad actors,” Chabinsky said.

Liability Protections

Other panel members thought liability protection for companies would encourage participation. Sen. Ron Johnson (R-Wis.) said companies worried about being sued would be less likely to share information, and suggested broader liability protection would ease those concerns. “Right now, it seems to me that we are erring on the side of limited liability protection or no liability protection,” Johnson said. “As a result, we’re not getting the information that everybody believes is absolutely crucial if we’re going to provide cybersecurity.”

The fact that the program was voluntary was important. “We are not asking them to report if they’ve used it or not,” said Schneck. “We don’t force people to lock their doors and, yet, they do.”

However, she acknowledged that “targeted liability protection” would help assure companies that sharing information is not going to hurt them.

Sen. John McCain (R-Ariz.) focused on the lack of coordination between various government agencies and suggested liability waivers would encourage information sharing between companies and the government. Currently, personnel with cybersecurity responsibilities are spread out across different agencies, and the lack of coordination is hurting overall effectiveness.

“If we engage in legislation, which we’ve tried to do without success, I would argue that that has to be part of any legislation that we enact,” he said.

Chabinsky addressed the lack of coordination in his remarks as well.

“There are indications that it is far more common for government agencies to send information to industry sectors without a coordinated approach as to the information’s timeliness, uniqueness, and relevance, and without first obtaining and including industry recommendations on how recipients can best make use of the information and track its utility,” he said. This weakens the impact of information sharing with governments. The volume of indicators and warnings being passed shouldn’t be used to measure the success of the sharing program, but rather the relevancy of the information, he added.

More on the hearing, including a video and transcripts, can be seen online.

Related Reading: The NIST Cybersecurity Framework – Improving Cyber Resilience?

Related Reading: Dysfunctional Congress a Significant Cyber Threat

Related Reading: The NIST Cyber Security Framework Completely Misses the Mark
