SAN FRANCISCO -- Just a few weeks after President Obama issued an executive order aimed at protecting the country’s critical infrastructure against cyberattacks, White House officials came to a major cybersecurity conference to lobby for industry support on the new order.
“We're in this together, both government and industry. We need your help,” Andy Ozment, a senior director of cybersecurity at the White House, said during a Thursday panel.
White House Cybersecurity Coordinator Michael Daniel, who participated in two widely attended panels during the conference, also sought to drive home that same message about the president’s cyber order to the industry representatives in the crowd.
"It won't work unless we get very heavy participation and really enthusiastic participation from industry,” the White House cyber chief said during one of the panels.
The government cannot protect the nation’s key infrastructure from cyberattacks on its own because private companies own and operate more than half of that infrastructure—from telecommunications networks to the stock exchange, air traffic control systems and power plants. For this reason, key sections of the president’s cyber order call for industry feedback and participation.
Under the order, the Commerce Department’s National Institute of Standards and Technology (NIST) will work with industry over the next year to craft a set of cybersecurity best practices and standards for companies that operate critical infrastructure. The Department of Homeland Security (DHS) is in charge of running a program in which critical infrastructure operators would elect to adopt the best practices and standards developed by NIST in their computer systems and networks.
But it’s entirely up to industry to decide whether to work with the government on its implementation of the order.
Unlike congressional legislation, an executive order cannot grant new powers or authorities, and its measures are entirely voluntary. Because of this, observers in Washington have questioned whether the president’s cyber order will actually accomplish its intended purpose of boosting the security of the nation’s power grid, water plants, financial systems and other critical infrastructure against hackers seeking to inflict harm on the United States.
The presence of administration officials at the RSA conference, which is viewed as one of the largest confabs of the nation’s cybersecurity professionals, showed the White House is moving full-speed ahead in its quest to rally industry participation in its efforts to implement the order.
During his panel, Ozment argued that the cybersecurity standards and best practices crafted by NIST will only be useful if they include significant feedback from companies.
“The ideas and experiences for this have to come from you,” he said. “You guys in this room and the folks in the rest of this conference, you bring more experience to bear than the rest of government combined and the framework can only be useful if you and other companies like yours participate in its development.”
While many companies already have state-of-the-art cybersecurity defenses in place, Ozment noted that “there are other critical infrastructure owners and operators who are much less sophisticated with respect to this [cyber] threat.”
The administration provided little detail in the order about how the DHS-led voluntary program would run because it wants companies to have a hand in that decision, he added.
“We want to work with you to figure out what constitutes a program you would like to participate in,” Ozment said. “DHS will be working with industry to figure out what will be a helpful program that will encourage participation and adoption of the cybersecurity framework.”
Ozment closed the panel by encouraging the audience to visit NIST’s website and answer its call for feedback on best practices for safeguarding computer systems and networks from probing hackers.
Earlier in the week, Daniel also underscored the importance of industry feedback on this section of the cyber order.
"I can't emphasize enough that it has to be a collaborative process. It has to be industry-driven," Daniel said.
So far, industry groups have lauded the administration’s focus on cybersecurity and expressed hope that the order would break congressional gridlock on cybersecurity legislation this year.
The powerful U.S. Chamber of Commerce, which has opposed executive action on cybersecurity, has voiced skepticism about the order.
While the order cannot offer incentives to industry, administration officials also pointed out during the conference that it would encourage the government to share more valuable intelligence about cyber threats with companies in a more timely manner. Throughout the cybersecurity debate, industry groups have called for the government to improve its intelligence-sharing efforts with industry to help them thwart attacks on their networks.
FBI Director Robert Mueller highlighted this section of the order during a speech on Thursday.
“The president’s recent executive order concerning cyber security mandates important steps in this direction,” he said.