Why the federal CISO can't sleep

Federal cybersecurity officials are incorporating advice from the industry advisory group NSTAC into incident response policy.


The new federal chief information security officer says he's off to a good start, but much work remains.

"We're not anywhere close to where I feel comfortable," said Greg Touhill, the retired Air Force general tapped by President Barack Obama to lead federal civilian agency cybersecurity. "I don't sleep well at night because I know there's a lot of opportunities out there."

The culture of cybersecurity needs to change, he said at a Dec. 7 White House meeting of the President's National Security Telecommunications Advisory Committee (NSTAC). Touhill wants to see more of a risk management approach. And technology, he said, can't be the answer. It will take a larger understanding from federal workers of every type for more effective cybersecurity to take hold.

Touhill also hopes Congress will consolidate cybersecurity and infrastructure protection functions under the oversight of a single agency. The White House's Commission on Enhancing National Cybersecurity recommended that approach in its report last week.

Touhill told FCW the National Protection and Programs Directorate at the Department of Homeland Security would be "the best option" for such a consolidation. "It's an appealing approach," he said. "It gives unity of command."

An effort to reorganize and rename NPPD is underway, and has the support of both current DHS Secretary Jeh Johnson and Rep. Michael McCaul (R-Texas), who heads the House Homeland Security Committee. In a Dec. 7 speech, McCaul said that legislation backing the reorganization "will be one of my highest priorities in 2017."

Members of NSTAC, which is made up of more than 20 senior executives at cybersecurity firms, ISPs, government contractors and other companies, shared their concerns about the vulnerability of communications networks and other infrastructure to cyber attack.

NPPD head Suzanne Spaulding told the group that "cybersecurity is a shared responsibility," and praised NSTAC members for reports that have helped DHS shape the National Cyber Incident Response Plan, which is due out before the close of the Obama administration.

The rising tide of interconnected Internet of Things devices, said Spaulding, not only presents a growing attack surface, but possibly affords "an opportunity" to help fight cybercriminals seeking to harness the devices for attacks. The sheer number of IoT devices, she said, could provide enough mass, with security built into future devices, to stanch their nefarious uses.

"The 2014 NSTAC report on IoT," said Robert Silvers, NPPD assistant secretary for cyber policy, "was a clarion call for us." Silvers added that NSTAC's efforts "sharply accelerated" the work to address IoT security across the executive branch of government.

"The cyber threat is only going to get worse," said Michael Daniel, the White House cybersecurity coordinator. "I believe we are at an inflection point" for digital technology, which has been considered an asset for the last 40 years. However, he said, "if we don't address the underlying security issues," those devices and systems will become "strategic liabilities."