The challenge facing federal agencies boosting their cyber defenses has less to do with knowing what to do than actually doing it, a White House official who coordinates interagency cyber security efforts said on Thursday.
“We know what we need to be doing,” John Banghart, director, Federal Agency Cyber Security on the White House National Security Staff, said at FireEye’s [FEYE] 2014 Government Forum. “And as reporting has shown us…clearly demonstrates that we’re not making rapid enough progress.”
Banghart believes there are two main reasons for this lack of progress. One is cultural.
Many agencies don’t have a “fully ingrained” culture of cyber security or an understanding that it can be a “mission enabler,” Banghart said. “It has to be core to whatever the agency’s mission may be.”
The second issue is the need to better define and identify the challenges, Banghart said. In the coming weeks and months Banghart said his office will be working the interagency to get a better understanding of “why are we struggling? What are the things that most get in our way?”
Agency leaders know their priorities and have been told to implement actions to strengthen cyber defenses, Banghart said. So the upcoming meetings will drill down to understand why they are struggling and find out “what is the real problem,” he said.
Banghart also said that cyber security needs to tie to an agency’s mission in such a way that it “resonates” with its leadership. James Trainor, deputy assistant director for the FBI’s Cyber Division, said leaders don’t need to be cyber security experts but need to have an “intellectual curiosity” and a willingness to learn about cyber security.
Tony Coles, a FireEye vice president and its global government chief technology officer, said he believes that across the federal government different agencies have different understandings of their risks.
The culture of information security is often viewed as a “compliance exercise” within the federal government “instead of using compliance as a method of achieving security,” Michael Levin, director of Security Design and Innovation at the Department of Health and Human Services, said as part of a panel discussion at the forum. Compliance then “becomes the end goal,” he said.
Separately on Thursday, White House Cybersecurity Coordinator Michael Daniel said just-completed reviews by several departments of their existing regulations and authorities show they are sufficient when combined with a set of voluntary standards and best practices released in February by the Obama Administration to boost cyber security in certain critical infrastructure sectors.
The reviews were conducted by HHS, the Department of Homeland Security and the Environmental Protection Agency as part of an executive order on cyber security issued by President Obama in 2013.
The “Administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information,” Daniel wrote in a White House blog post. Going forward, these departments will continue to clarify and coordinate existing regulations.