Though a voluntary cybersecurity framework is a step toward securing networks from cyber crooks and state-sponsored intrusions, White House Senior Director for Cybersecurity Andy Ozment said Thursday, it won’t be a magical cure-all.
“When it comes out, it’s not going to be a unicorn. It’s going to be a pony,” Ozment said in a keynote speech at the USENIX Security Symposium in Washington, D.C.
It won’t be until the voluntary standards are updated several times that the framework will truly stand up against the multitude of threats facing companies responsible for critical U.S. infrastructure.
Currently, hackers have the edge, Ozment said, and security standards vary widely between industries.
The idea of the framework, he said, isn’t to set new standards so much as give industry a view of what the current best defenses are. With standards highlighted in one place, less sophisticated companies and industries can learn from those with a more mature understanding of cyber threats.
Although standards are not new regulations — which the Obama administration unsuccessfully asked Congress to allow — a February executive order calls on industry regulators to examine how current rules will fit within the framework when it is finalized.
In October, the government will publish a framework draft for comment, and last week, the White House gave a glimpse at possible incentives companies might see if they adopt the standards. Perks could include lawsuit protection and rate recovery for regulated industries. At this point, however, the White House is still brainstorming.
While the administration wants private industry to boost security, Ozment noted another major vulnerability — the government itself.
Some departments — the Department of Defense, for example — have been proactive with network security, but Ozment said many agencies have lagged behind. Vulnerabilities have multiplied with the abundance of mobile devices government workers connect to the network.
“We need to get to the point where we’re monitoring pretty much anything with an IP address on our networks,” he said.
Ozment is also involved in developing cyber legislation to help build defenses beyond what can be accomplished through an executive order.
One focus is information sharing, which would set protocols for how companies can share data on threats with the government and with other companies. Currently, companies don’t know what can be legally shared and don’t have a designated channel to do so.
Likewise, though the government shares threat information with the private sector, much of the available intelligence is off limits because of security classifications.
Lawmakers have been slow to support information sharing measures.
Earlier this year, the House passed the Cyber Intelligence Sharing and Protection Act, though it has yet to clear the Senate.
At a cybersecurity event last week, retired Gen. Michael Hayden, former director of the CIA and National Security Agency, said intelligence leaks by former NSA contractor Edward Snowden have left that bill “dead in the water.”
In the meantime, the White House is attempting to boost information sharing from the government to industry by increasing security clearances in the private sector, limiting the amount of information that is classified and taking more risks in disclosing information that may help companies defend themselves.
“If you don’t share information, it doesn’t have a whole lot of value,” Ozment said, noting that some information should justifiably be kept secret.
The government is also trying to improve its response to intrusions reported by companies.
When financial institutions were hit with distributed denial of service attacks in 2012, Ozment said the government’s response was poor. By the time the government had information on where the attacks were coming from, weeks had passed, and the information was already obsolete.
In more recent attacks, the government has been able to give information to companies much faster, Ozment said, though improvements are still necessary to give the private sector confidence that reporting an incident will do more than give publicity to a damaging attack.
The White House is also attempting to sway nations like China away from hacking U.S. companies to steal trade secrets. Ozment called the intrusions “unacceptable,” and while the countries have been discussing cyber issues, he said diplomacy could take several years to be effective.
Threats to networks come from numerous sources — governments, criminals, so-called hacktivists — and despite a growing understanding that a range of defenses are necessary, Ozment said the cyber game is currently stacked in favor of hackers.
“The reality is the odds are against us,” Ozment said. “We’re in Vegas, and we’re playing against the house.”