The Commerce Department needs the help of private industry in putting together the cybersecurity framework, Senior Policy Advisor Ari Schwartz told a USTelecom policy briefing on the Cybersecurity Executive Order, which President Obama announced Feb. 12.
“As many of you know, our cybersecurity threats to critical infrastructure have been growing, and public information about some of these threats has come to the fore in the last few months,” Schwartz said. Information about the threats has given a “way to put a face to exactly the concern that Congress and others have been raising for a number of years.”
By mid-October, the Commerce Department’s National Institute of Standards and Technology must complete a preliminary version of the cybersecurity framework, a task that will require enormous input from industry, Schwartz said. “We’re expecting to have a lot of interaction with industry. NIST really can’t do this without industry.”
Schwartz gave an overview of the order’s requirements, which he said rest on three main pillars. The first focuses on expanding information sharing, specifically the sharing of information from the government to the private sector. The order directs federal agencies to provide timely notifications to companies.
The order’s second pillar deals with privacy and civil liberties safeguards that must be in place as information sharing activities expand. The third pillar is the cybersecurity framework itself, which is based on voluntary best practices that have been created by industry and which will be built into a program intended to help incentivize voluntary protection within certain critical infrastructure industries.
“We need companies and leaders in this space to come forward and help us put together this framework in a way that can help drive best practices forward in this space and highlight them,” Schwartz said.
Following Schwartz’s remarks, a panel of telecom and software company experts agreed there is much work ahead in the drive to assist government with the cybersecurity framework.
“I’m encouraged by the Executive Order,” said CenturyLink Director Kathryn Condello. Observing that the communications sector has a long history of working on cybersecurity issues and developing standards, Condello said other sectors may look to the comms sector for guidance.
Cybersecurity is a shared responsibility among all industry stakeholders, said AT&T Assistant Vice President Chris Boyer. “The order does a good job of getting government to work together,” said Tim Molino, director of government relations with the Business Software Alliance.
A key issue is how to facilitate information sharing going forward – most agree that Congress needs to adopt legislation in this area.
A variety of existing laws and regulations prohibit carriers or those involved in backbone infrastructure from relaying information in real time about threats to other entities. Because the threat levels are escalating so quickly, response times must be quicker so customers and networks can have the highest levels of protection.
Schwartz said he expected the administration to announce legislative goals “soon.”