Federal incident response in cyberspace still an open question, says White House official


While the federal government's primary goal is to help the private sector help itself in the area of cybersecurity, some cyber incidents do warrant a federal response, said White House Cybersecurity Coordinator Michael Daniel  during a Feb. 28 address at the RSA Conference in San Francisco.

Daniel said this fact begs the question: When does a private-sector cyber incident trigger government involvement?

"I don't have the answer to that question just yet," said Daniel.

"But what I can say is that once we decide that a federal response is warranted, there's still a broad spectrum of actions we could potentially take," he added.

Government response could take the form of more intense information sharing and technical assistance from the FBI and the National Security Agency, said Daniel. The State Department could use diplomatic action to "call upon countries to stop this activity," or the U.S. Computer Emergency Readiness Team could work with other CERTs to have foreign infrastructure leveraged by attackers shut down, he suggested.

"And if warranted by a cyber incident's effects, the president might call on the U.S. military to take action," said Daniel.

He added that the White House hopes to expand the tools, both digital and physical, the president can use to respond to cyber attacks.  

"The government's responses will be cautious and incremental," said Daniel because network owners are better situated to defend their own networks and the "risk of misattribution, miscalculation, and escalation in cyberspace are very real."

"We don't want our response to something annoying to harm our relationships with other nations or worse, result in physical conflict," said Daniel. "We don't want to create a truly unstable 'new normal,'" he added.

In addition to speaking about federal intervention in cyber incidents at RSA, Daniel used the conference to highlight a status report on agency cybersecurity efforts recently posted (.pdf) online by the White House.

"This incremental step is an important one in providing transparency and driving results for improving the security of federal systems and information," wrote Daniel in a March 7 White House blog post.

An apples-to-apples comparison of cybersecurity "Cross Agency Priority" scores from fiscal 2012 Q4 to fiscal 2013 Q1 is difficult, however, due to a shift to new metrics and a move to Trusted Internet Connection 2.0 architecture from last year to the current year.

The status update looks at agency progress in the areas of continuous monitoring, strong authentication and trusted internet connection consolidation, among others. According to the document, four of the 14 milestones due by Fiscal 2013 Q2, are already complete. The remainder are expected by March 31. Goals outstanding at the time of the report's publication include the requirements that:

  • The General Services Administration develop an education and awareness document focused on communicating the value of personal identity verification, or PIV, card usage. This document is to be crafted with input from the Homeland Security Department and the National Institute of Standards and Technology.
  • DHS develop a federal network resilience risk assessment process overview document describing how FISMA data collected is used by the National Cybersecurity and Communications Integration Center, USCERT and other departments and agencies for risk analysis and assessment.
  • GSA work with DHS and the Commerce Department to create a roadmap of deliverables toward identifying commodity IT services and solutions that mesh with the administration's cybersecurity priorities.

For more:
- download Daniel's prepared remarks, "007 or DDoS: What is Real World Cyber?" (.pdf)
- read the White House blog post
- download the report, "Cross Agency Priority Goal: Cybersecurity FY2013 Q1 Status Update" (.pdf)

Related Articles:
Network access continues to be elusive use of HSPD-12 cards
Cybersecurity framework will include controls and metrics
Cybersecurity framework could be mandatory for some companies
Obama signs cybersecurity executive order - UPDATED