Government Stresses Need for Input from Private Sector to Implement Cybersecurity Executive Order
The government plans to rely on the private sector to help foster information sharing and civil liberties protection standards as it works to implement the Obama administration’s cybersecurity executive order, said Ari Schwartz, senior Internet policy adviser at the Commerce Department. The order, introduced last month during the State of the Union speech, will focus on expanding information sharing, protecting privacy and civil liberties, and the development of a framework to reduce cyber risks to critical infrastructure, he said Thursday at a USTelecom event in Washington.
To tackle the information sharing component, the administration will first focus on the flow of information from the government to the private sector, Schwartz said. It’s what the government can focus on today without legislation, he said. The philosophy behind the order is that it’s a “down payment on future legislation,” he said. “It’s the beginnings of what we can do today that will make future legislation more important.” The Department of Homeland Security (DHS) is taking the lead on information that agencies may have on companies that may be victims of a cyberintrusion, he said. DHS also will head up the process of speeding up clearance for critical infrastructure companies, he said.
The drafting of the framework, which will be led by the National Institute of Standards and Technology, will be informed by industry “to be used to build a program … to help incentivize voluntary protection within certain critical infrastructure industries,” Schwartz said. Companies driving cybersecurity innovations and current practices can help shape these best practices, he said. Government needs the help of leaders in the field, he said: “This is not a case of ‘I’m from the government and I’m here to help,’ but ‘I’m from the government and I really need your help.’”
There will be challenges along the way as NIST works to complete the framework, Schwartz said. “There are cases where you have a number of standards and best practices in one area and they must be highlighted in a way that’s appropriate,” he said: “You don’t want to provide so many standards within one area that it overwhelms the general cause within that space.” But “you don’t want to have something so narrow that people consider it to be a technical mandate.” NIST put out a request for information on standards and best practices and comments are due April 8, Schwartz said. The first workshop “to lay out how the framework will move forward” will be held April 3, he said.
The information sharing component is the most “immediately important thing” for the U.S. Internet Service Provider Association, said Kate Dean, the group’s executive director. Improving and enhancing private-to-private and private-to-government sharing will require action by Congress, she said. The order does a good job of trying to make sure that government is coordinating “so that the telecom industry doesn’t have to answer to 30 different regulators,” said Tim Molino, government relations director for BSA-The Software Alliance. There’s a recognition that there needs to be better government coordination, he said. “What’s missing is breaking down the barriers of information sharing from industry to industry,” and from the industry to the government, he said. It’s important for the process to be “truly flexible” and voluntary and that “it’s not a top-down kind of government process,” said Chris Boyer, AT&T public policy assistant vice president. “If it becomes more of a regulatory exercise, then that'll create some issues.”
There’s an antitrust concern that goes along with information sharing, said Molino. Some attorneys may advise their clients that it’s a little risky to do it, he said. “Having those rules defined better for us would definitely help and that’s only going to be done through legislation as far as we can tell.” The industry has a good and trusting relationship with DHS when working to meet the different deadlines around the executive order, said Dean.
Robert Mayer, USTelecom industry and state affairs vice president, cautioned against duplicating work when integrating the efforts of the FCC’s Communications, Security, Reliability and Interoperability Council (CSRIC) into the framework of the executive order. “What we don’t want … is to have duplication of effort at a time when our resources are going to be under significant strain,” he said. The question is “how do we resolve this so we don’t wind up having to serve multiple masters at the same time” with the same resources needed to defend against cyberthreats, he said. There’s plenty of time for the FCC to focus on CSRIC, said Boyer. “We could focus on the NIST activities” and cyber work in CSRIC can be delayed until that work is completed, he said.
Information sharing exists on a more informal, ad hoc level, said Kathryn Condello, cybersecurity and emergency preparedness director at CenturyLink. But the environment is changing, she said. The acceleration and nature of the cyberthreat is much faster, she said. Responding to the need “to protect your own networks, [and] to protect your customers has got to escalate and accelerate in the same time frame,” she added.
Reaching a consensus around incentives for adopting the framework could be difficult, they said. As an incentive, there’s the idea that companies want to be good corporate citizens, Dean said. “Right now it’s a little unclear as to how the process will go forward.” But it’s in the companies’ best interest to engage in the process, she said. Companies already have incentive to adopt cybersecurity practices, said Boyer. If the framework is effective and adds value to the overall discussion, then companies will adopt it, he said. It will be a challenge to determine an incentive that will meet all 16 sectors, said Condello. “There may be some sectors where some incentives are more important than others.” If DHS does find a common incentive, “we may find that the vast majority of us have already been doing it,” she said.