DHS well positioned to carry out cybersecurity executive order, says panel
The Homeland Security Department is well equipped to carry out the roll called for it by President Obama's Feb. 12 executive order, said panelists speaking at a March 15 event on Capitol Hill hosted by the Congressional Internet Caucus Advisory Committee.
"I think DHS has moved very, very quickly and will continue to do so," said Michael Hermann, national security legislative assistant for Rep. Jim Langevin (D-R.I.).
Hermann said 50 or 60 drafts of the executive order were circulated on the Hill and among participating departments and agencies.
"While I am sure they set an aggressive timeline, I am also fairly certain that the executive order would not have been issued with something they did not think they could hit," said Hermann.
He said the department has already met with representatives from the Information Sharing and Analysis Center to discuss implementation.
"The protocols, the process, the staffing, the support already exist. As a matter of fact within the communications sector we already have a rough template of how government is going to be executing it, not only with DHS but with some of the other agencies," said Kathryn Condello, director for national security and preparedness at CenturyLink.
"We're very much treating this as a program management kind of objective and at least in the communications sector's case, I think they'll be fine," she added.
Herman said, however, that public-private sector collaboration laid out in the order may not be enough.
"Information sharing doesn't get you nearly all of the threats. You can't view information sharing as a panacea. It just doesn't work," he said.
Information sharing is also the chief concern for Greg Nojeim, senior counsel for the Center for Democracy and Technology. The order addresses information sharing from the government to the private sector, but not from private sector to government. It's the private sector that handles a person's individual communications, he noted.
"We have to ensure that when information is shared, personally identifiable information that is not necessary to describe the threat is not also shared," said Nojeim.
The recently-reintroduced Cyber Intelligence Sharing and Protection Act (H.R. 624) is problematic in that way, said Nojeim.
"To our mind, the way that the legislation currently allows companies, including public facing companies, your ISPs, to share information directly with the NSA, directly with Cyber Command is a problem," he said.
Hermann said he expects CISPA to continue changing.
"I wouldn't be surprised to see some motion on particularly what the definition of personally identifying information is," said Hermann.
- go to the event page (includes speaker information and archived audio)
Napolitano: Cybersecurity executive order only part of the solution
Cybersecurity framework will include controls and metrics
Cybersecurity framework could be mandatory for some companies