Cyberthreats are a national emergency.
That’s what President Obama declared in an executive order signed yesterday, that also authorized the levying of targeted sanctions against individuals or groups involved in malicious cyber activities aimed at the U.S. With this most recent action to address the growing cybersecurity challenge, it was especially timely to hear from Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, Executive Office of the President. Daniel was the first keynote speaker at AFCEA’s 6th Annual Cybersecurity Technology Summit in Washington, D.C., where he spoke about evolving cyberthreats and how government – and the Obama administration in particular – is tackling the problem. Ultimately, Daniel argued that collaboration, incident response management, and effective policy will help advance the nation’s cybersecurity efforts.
Cybersecurity is an increasingly complex problem that pervades nearly every aspect of our daily lives. The great paradox of the information age, Daniel noted, is that the very technology that allows us to create and spread remarkable innovations is also used by our adversaries to harm us. And these threats are becoming increasingly broad, diverse, sophisticated, and dangerous.
With increasing digitization, our widespread connectivity creates an expansive attack surface that is difficult to monitor and protect. At the same time, capabilities that were once the equivalent of “digital graffiti,” have now advanced to where hackers have the ability to be severely destructive and impact critical infrastructure, intellectual property, and trade secrets.
We are no longer very concerned with the hacker sitting in his pajamas in his mom’s basement, Daniel humored. Instead, the “industrialization of hacking” has provided cyber adversaries with organizational-like capacities, including division of labor and specialization within their hacking endeavors. For the cherry on top, these threats are also more frequent today than in the past. Instead of tracking two to three major threats every month, we’re looking at more like two to three every day, said Daniel.
How Gov is Tackling the Problem
Many may not realize, but there is a lot of government innovation happening in cyber. With new threats, government needs to utilize new methods as well as older ones in new ways, Daniel said. He provided two ways the Obama administration is trying to stay ahead of cyberthreats: through incident management and response as well as policy.
Incident management and response
You need to think of cybersecurity as a team sport, Daniel said. With an interconnected network, we cannot assign security to just one entity, or even to just one sector. Instead, cyber is an “inherently shared endeavor,” he said. To guide this, we need to think about four different components.
- Shared situational awareness. This is all about information sharing and collaboration between partners. This is critically helpful to organizations’ abilities to manage security and incidents on a daily basis.
- Support for critical system business owners. A vast majority of critical infrastructure in the U.S. is owned by private entities, not the government. It is imperative that these private entities can respond effectively to threats. The federal government will provide support to enhance those capabilities if requested.
- Shared responsibility. This cannot be overemphasized. All levels of government and the private sector need to work at this together, said Daniel. No one agency has the capability to do this alone. When working with partners and sharing information and resources, however, privacy and civil liberties must be a key priority.
- Flexible response. With evolving threats, government needs to be equally agile. There should not be any “pre-defined redlines,” Daniel said. Government needs to maintain some “tactical ambiguity” so adversaries aren’t completely aware of security thresholds.
Through legislation as well as executive orders, government has focused such things as providing law enforcement with updated tools to combat cyber crimes and sharing threat information between sectors. DHS’s National Cybersecurity and Communications Integration Center (NCIC) was authorized through the National Cybersecurity Protection Act (2014) and there is legislation currently being deliberated regarding targeted liability protection for private entities that share threat information with the government.
Daniel also emphasized data breach standardization that aims to restructure the patchwork of state laws regarding breaches. The White House even drafted its own legislation language on this matter: The Personal Data Notification & Protection Act. Having standards can build trust and reliability and simplify the post-breach notification process.
And of course, Daniel mentioned Obama’s most recent executive order. Targeted sanctioning provides a new tool that will enable the government to go after the worst of the worst. This will be deployed very judiciously, Daniel assured, and is not designed for petty criminals.
Cyberspace will continue to be a daunting environment for government. Some believe we are in a “pre-9/11” period in cybersecurity. But Daniel thinks it’s more like post-WWII, where we didn’t quite know how the Cold War would shape up. Today, we’re at a similar strategic inflection point, Daniel said. Therefore, the policies and foundation we are laying now are ones we will need to rely on for decades to come.
Cyber has become a strategic asset and a tool for statecraft, he said, and if we do not solve some of these vexing cyber problems, we risk cyberspace becoming a strategic liability.