The Coalfire Blog
Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government.
The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts.
The Coalfire Blog
White House Executive Order on Cyber Security
February 14, 2013, Rick Dakin, CEO, Co-founder and Chief Security Strategist
The tense standoff between an unresponsive Congress and a reluctant critical infrastructure industry has been broken. On February 13, 2013, the President issued an Executive Order that provides initial guidance for the country to confront escalating cyber threats. Finally, we have someone with the courage to address the ‘elephant in the room’. Our critical infrastructure is under attack and our ability to defend against increasingly sophisticated attacks is simply not adequate.
<< Go Back
Just a few weeks ago, the Commander of the U.S. Cyber Command announced the addition of 2,000 new cyber warriors that almost doubles the offensive cyber warfare capability of the United States. Most of us have no direct knowledge of the level of cyber confrontation that exists, but this unprecedented escalation should give us a clue. If we have a rapidly increasing offensive cyber warfare capability, do we think that other unfriendly nations have similar programs? Again, we do not have direct knowledge of adversary capabilities, but I am going forward with the understanding that we may already be at a heightened level of conflict with some nations today. We simply have to take the cyber threats more seriously and must start taking justified risk mitigation steps under federal guidance to protect our critical infrastructure.
Before the uniformed masses start responding with a “less government chant”, we all have to make a commitment to understand both the risk and the state of readiness. The U.S. government can actually help us all on this one. We may not need the heavy hand of regulation, but we definitely need to share information at a level where the impact of these emerging threats can be integrated into a prioritized risk mitigation program. Most of my cyber colleagues argue that the “enlightened man” concept is the best approach. In their words, “if we truly understood the risk, business and government would voluntarily take the justified action to mitigate the risk.”
Then, let’s go. The increasing volume of documented risks simply has not been accompanied by a commensurate response. What are we waiting for? Ahhh, yes, what is an appropriate response? Fortunately, the U.S. government has a solid background to help with this key task. The National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) have established a proven track record of analyzing risk and developing actionable standards to guide risk mitigation. In fact, they are widely recognized as world leaders for cyber security standard development.
The Department of Homeland Security, under the leadership of Mark Weatherford and Michael Locatis, has deployed much needed monitoring tools and analysis capabilities that inform NIST about the evolving threats and vulnerabilities. NIST has been very active in updating cyber security guidelines for federal systems and has recently published guidelines for multiple industry sectors. In short, they are both up to date.
In the President’s Cyber Security Executive Order, NIST is tasked with the responsibility to develop sector-specific standards for risk mitigation and DHS has been assigned the responsibility for rolling out those standards for critical infrastructure adoption in each market segment. This, in my opinion, is a winning combination. However, I am more skeptical of industry’s willingness to adopt the standards on a voluntary basis.
Industry lobbyists, to include the U.S. Chamber of Commerce, have been outspoken about the cost of regulation, but have done very little to help their members voluntarily adopt standards that would help reduce their cyber risk. For industry, I question their reluctance to take action. Why not start working towards the NIST standards and mitigate industry risk to a level where additional federal regulation is not needed? Why not take control of the program and encourage your industry groups to turn from their current obstructionist roles to a more helpful industry collaboration role?
In the end, all U.S. citizens want a more secure and reliable virtual environment. We want to believe that our electricity is reliable and our financial institutions are safe. Unfortunately, the President’s Executive Order acknowledges that we are not yet safe enough. There are no good guys and bad guys in this debate. We all have a stake in coming together to solve a growing cyber security problem. We just need to get more proactive.
If you do not yet belong to your industry Information Sharing and Analysis Center (ISAC) or do not currently receive the FBI InfraGard daily critical infrastructure bulletin, please join and get up to date on both the threats and new standard development processes. We all need to work together on cyber security to deliver the level of assurance our citizens, customers and partners expect from each of us.
Blog post currently doesn't have any comments.