Napolitano: Cybersecurity executive order only part of the solution


President Obama's Feb. 12 executive order falls short of a complete cybersecurity plan and should be seen as a first step in addressing cybersecurity issues, said Homeland Security Secretary Janet Napolitano March 7.

"We need Congress to enact a suite of comprehensive cybersecurity legislation," said Napolitano in testimony before a joint hearing of the Senate Homeland Security and Governmental Affairs and Commerce, Science & Transportation committees.

Napolitano said legislation would ideally include mechanisms for safeguarding civil liberties, further increasing information sharing, and establishing and promoting standards for critical infrastructure. It could also craft new tools for law enforcement, create a national data breach reporting requirement and give DHS hiring authority equivalent to the National Security Agency's, she said.

Napolitano said she's "looking for legislation that can, if necessary, put in statute the clarity of roles and responsibilities now contained in the EO, so that is preserved moving forward." The bill should also address the Federal Information Security Management Act of 2002, or FISMA, and "try to move from a paperwork-dominated statute to one that requires and embodies continuous diagnostics in real time."

Patrick Gallagher, director of the National Institute of Standards and Technology, agreed that the executive order is a step in the right direction, but more is needed.

"In order to make progress you can't boil the whole ocean at once. I think you have to set priorities," said Gallagher. "I think the executive order and this process will allow that to happen."

Greg Wilshusen, director of information security issues at the Government Accountability Office, said it's too early to tell how effective the executive order will be, but he is encouraged by the fact that it assigns specific responsibilities to specific individuals with specific deadlines.

However, it does create yet another cybersecurity document. Wilshusen said there is a surplus of cybersecurity guidance in the federal government, and still no overarching document that synthesizes the relevant portions of all of it or provides a comprehensive description of the current strategy.

The GAO believes the White House cybersecurity coordinator should develop an overarching strategy that integrates the executive order with existing cyber guidance, said Wilshusen.

During the hearing, Napolitano also briefly addressed the effects of sequestration on cybersecurity programs at her department. Napolitano said the sequester limits the department's flexibility.

"In our CERT teams we're looking at a 10 to 12 percent reduction there, in terms of being able to fill vacancies," said Napolitano.

"We are, importantly I think, probably going to have to delay the deployment of the next generation of security for the civilian aspect of the federal government--[Einstein 3-Accelerated] the so-called E3A program--for a year, because we just are not going to be able to meet the deadlines given the lack of resources that had previously been budgeted," she added.

Gallagher said sequestration will have a limited impact on NIST's ability to carry out its duties under the executive order, because NIST aims to make the forthcoming cybersecurity framework an industry-driven process.

The executive order requires NIST to facilitate the development of a framework within a year, and a preliminary framework is due within 8 months. The agency issued a request for information to gather relevant input from industry and other stakeholders and will use workshops. The first will be April 3, and in May NIST will release initial findings from the request for information and its analysis of those responses, said Gallagher. By the 8-month point NIST will issue an initial draft framework, including initial standards, guidance and practices.
