President Barack Obama hasn’t seen a draft executive order intended to improve the cybersecurity of critical private networks, the head of the Department of Homeland Security (DHS) said last Friday, when she refused to give a timeline for when it would be released.
DHS Secretary Janet Napolitano, though, did make a push at a summit in Washington for companies to view investments in cybersecurity as benefitting the nation.
One of the “real problems” Napolitano said she sees with bolstering the security of private entities’ networks is that while she views it as a “shared good,” it is not something for which companies would necessarily receive a return on investment.
“Encouraging the kind of investment (that is) necessary is very difficult,” she said. “And when security is concerned we have to really approach it as to, (answering), ‘Well, what does the nation need?’”
She said administration officials want to create a strong public-private cybersecurity partnership with real-time information sharing and the “employment of best practices.”
Addressing the Government Executive magazine cybersecurity summit, Napolitano shared few new details about the executive order. She said the order is still “being drafted in the interagency process” and “the president has not yet had the opportunity to review it.”
Some observers expect the executive order to call for the government to create cybersecurity standards for critical-infrastructure providers, which a stalled Senate bill sponsored by Sens. Joseph Lieberman (I/D-Conn.) and Susan Collins (R-Maine) would do. Many Republicans and business interests oppose the imposition of such voluntary government standards, which they argue would lead to excessive regulation. Lieberman and the bill’s other co-sponsors, though, had wanted to go further and make the standards mandatory.
“I regret that debate kind of devolved into the typical, ‘Well, this is regulation or not regulation,’” Napolitano said last Friday about the general debate in Congress. “This is a security issue.”
She rejected the notion that the administration wants to tell private companies how to operate their own property.
“What we’re talking about is a very viable and vital partnership between the public and private sectors, where there’s real-time information sharing and where there’s the employment of best practices and the best technologies available,” she said. “So I don’t view this as the government coming in and telling you what to do, far from it. What we’re saying is, ‘Look, if you are the owner and operator of a core critical infrastructure on which other businesses depend and families depend and communities depend, we need to make sure that your cyber networks are as secure as possible.’”
If critical-infrastructure entities detect signs of malware or any cyber intrusions, she said, she wants there to be “real-time information sharing so we can help mitigate the threat.”
Asked how much cooperation the government could expect from private companies under cyber attack if their participation is voluntary, Napolitano emphasized her desire to instill in industry the view that a firm’s cybersecurity impacts the entire country.
“We say they’re aware, and they say they’re aware. But when it comes down to, well, where do you invest in your company, where do you put your resources?” she said. “That decision is not one that would normally take into account the cybersecurity for the country beyond your particular element. Yet we’re all interconnected, and that’s why there is a need for public and private partnerships.”
Prodded to say what the pending executive order entails, Napolitano repeated what she told the Senate Homeland Security and Governmental Affairs Committee last month: that the document has limits and cannot do things legislation can do. The order cannot offer liability protection to companies that share cyber-attack data with the government, which some observers see as a needed incentive. It also cannot allow DHS to pay cyber-workers more than is normally allowed, in order to attract high-quality workers. Both of those things would need to come about through legislation, which she argued is needed.
Napolitano also told the Senate panel last month that as part of the executive-order drafting process the administration has done a “deep dive” into specific sectors of the nation’s critical infrastructure to determine what current regulations the government could use to begin setting cyber standards.
“We’re very cognizant that in some industries there exists already regulatory authorities that can be used for cybersecurity,” she said last Friday. “We don’t want to be redundant. We don’t want to overload.”