The Cybersecurity Executive Order

The Cybersecurity Executive Order: Exploiting Emerging Cyber Technologies and Practices for Collaborative Success

by Mike McConnell, Sedar Labarre, David Sulek, and Marcia McGowan

Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, calls for government to collaborate more closely with critical infrastructure owners and operators to strengthen cybersecurity, particularly by sharing information about cyber threats and jointly developing a framework of cybersecurity standards and best practices. Elements of the framework may later be incorporated into government regulations or voluntarily adopted by industry.

Many owners and operators recognize the value of these efforts but worry that the EO will result in burdensome regulation rather than strengthened security. They are cautiously supportive, waiting to see how the EO will differ from previous efforts to improve government-industry collaboration. Others question if the EO goes far enough, suggesting cybersecurity legislation is required to make a difference.

At Booz Allen Hamilton, we believe the EO offers reason for optimism. While it is true that the general concepts and goals of the EO are similar to earlier initiatives, such as the 1998 Presidential Decision Directive 63 and the 2003 Homeland Security Presidential Directive 7, cyber technologies and practices have evolved in significant ways since those directives were issued. For example, new continuous monitoring capabilities ensure that government and industry collect enormous amounts of data that enhance the value of information sharing. The development of powerful analytics makes that data even more valuable because of the potential insights that can be gleaned by sharing intelligence and data. In addition, cyber professionals have developed stronger cybersecurity skills and better understand how to exploit the accumulating threat and network data. And cyber experts have used their experience to identify cybersecurity best practices and create standards and maturity models that can be applied across critical infrastructure sectors.

These changes offer government and industry opportunities to strengthen cybersecurity. We have identified five key steps for exploiting these new technologies and practices to achieve collaborative success:

- Establish flexible, risk-based cybersecurity standards of practice (such as a Cybersecurity Framework) that provide a foundation for measuring the growing maturity of an organization's security program
- Accelerate the adoption of continuous monitoring and data analytics
- Create an information sharing broker (or brokers) to help government and industry share threat information efficiently and effectively
- Revitalize the public-private partnership based on shared interests
- Explore and develop norms guiding the use of active cyber defense

We don't discount the challenges of bringing together a diverse group of critical infrastructure stakeholders; however, we believe that emerging cyber technologies and capabilities have created opportunities for collaborative success that did not exist 15 years ago when government first initiated "whole-of-government" efforts similar to the EO. By building on their common interests, government and industry can build a partnership that grows and matures to counter cyber threats today and into the future.

Introduction

Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, is designed to provide critical infrastructure owners and operators with assistance to address cyber threats and manage risks, but owners and operators are wary. Among its major goals, the EO calls for government to collaborate more closely with industry by sharing information about cyber threats and jointly developing a framework of cybersecurity standards and best practices. Elements of the framework may later be incorporated into government regulations or voluntarily adopted by industry.

Owners and operators recognize the value of public-private partnership, information sharing, and security practices, but many worry that the EO will result in burdensome regulation rather than strengthened security. Others regard the EO as offering little new over existing processes for government-industry collaboration, saying the order has raised but not resolved previous controversies surrounding how best to implement cybersecurity protections. Even supporters view the order as a modest first step that will require cybersecurity legislation and additional guidance to make progress. As a result, many are taking a wait-and-see approach before fully committing to the new EO.

At Booz Allen, we believe there is much greater reason for optimism. While it is true that the general concepts and goals of the EO are similar to earlier initiatives, such as the 1998 Presidential Decision Directive 63 and the 2003 Homeland Security Presidential Directive 7 (HSPD-7), the cyber environment has evolved in significant ways since those directives were issued. For example, the rise and maturing of continuous monitoring and automated threat-detection capabilities mean that government and industry are now collecting enormous amounts of data that enhance the value of information sharing. The simultaneous development of powerful analytics makes that data even more valuable, because of the potential insights that government and industry can glean by sharing intelligence and data. At the same time, cyber professionals have developed stronger cybersecurity skills over the past decade and better understand how to exploit the accumulating threat and network data. They have also used their experience and skills to identify cybersecurity best practices and create standards and maturity models (many already in use by some critical infrastructure owners and operators) that can now be used across the critical infrastructure sectors. Although many of the issues that previously hindered collaboration still remain, government and industry now have much greater incentive to find solutions because the potential value of collaboration is so much greater.

Finding the right balance in the proposed partnership and reaching agreement on new processes for information sharing, the cybersecurity framework, and other EO provisions will not be easy. The issues are admittedly complex, and disagreement persists among stakeholders. Nevertheless, we believe the EO can, in fact, provide a strong foundation for improving critical infrastructure cybersecurity if government and industry take advantage of new cyber technologies and practices that create opportunities for collaborative success. This viewpoint will examine how government and industry can use the EO to achieve their cybersecurity goals.

The Cybersecurity Executive Order

The White House issued the EO to counter growing threats to the nation's 16 critical infrastructure sectors from state and non-state actors, hacktivists, organized crime, extremists, and others. "Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity," the February 12 order states. "The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats." [1]

One of the EO's main goals is to improve government information sharing with critical infrastructure owners and operators regarding cyber threats, including attack signatures and other technical data. The EO directs the US Department of Homeland Security (DHS), the Department of Justice, and the Office of the Director of National Intelligence to produce and share unclassified and classified cyber threat reports that identify specific targeted and victim entities. DHS will expand the Enhanced Cyber Security Initiative to all critical infrastructure sectors, thereby making classified cyber threat data and technical information available to eligible critical infrastructure owners and operators. DHS will also expand programs that provide security clearances to private sector employees of critical infrastructure and bring private sector subject matter experts into the US federal government.

Another major goal is to develop a Cybersecurity Framework of standards and best practices for reducing risk to critical infrastructure. Under the EO, the National Institute of Standards and Technology (NIST) will work with the Sector-Specific Agencies (SSAs), Sector Coordinating Councils (SCCs), and other stakeholders to develop the Cybersecurity Framework. NIST officials want owners and operators to actively participate in this process. The EO also calls for DHS to establish a voluntary program for framework adoption by owners and operators. As part of this program, the SSAs will work with their respective SCCs to review the Cybersecurity Framework and develop implementation guidance to support its voluntary adoption. DHS will use a similar consultative process to identify the high-priority critical infrastructure using a risk-based approach. Finally, DHS and the US Departments of Treasury and Commerce will recommend incentives to promote industry's participation in these efforts.

Overall, the EO emphasizes the importance of government-industry collaboration in protecting critical assets, systems, networks, and functions from cyber attacks, stating, "We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards." [2]

[1] Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 12, 2013, Section 1, Policy.
[2] Executive Order 13636, Section 1, Policy.

In tandem with the EO, the White House issued the complementary Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience, which replaces HSPD-7. The EO and PPD-21 contain ambitious milestones for implementing the planned cybersecurity initiatives. For example, within 120 days, DHS and other named agencies must recommend
incentives for obtaining the private sector's voluntary participation in the Critical Infrastructure Cybersecurity Program and adoption of cybersecurity practices. Within 180 days, agencies must develop the baseline data and system requirements for a framework to facilitate information exchange among government agencies and critical infrastructure owners and operators. NIST must develop a preliminary Cybersecurity Framework within 240 days, and a final framework within a year.

The chief challenge facing government and industry is finding common ground to achieve meaningful results in such short timeframes. On the industry side, owners and operators are concerned that the government will create and then impose a one-size-fits-all Cybersecurity Framework. Many prefer instead that each sector develop for itself the strategy and techniques best suited to its unique business model and requirements. Moreover, some sectors have already put in place rigorous controls and they worry about getting locked into a framework that complicates rather than enhances security. But while industry wants to proceed with caution, government is pressed to move quickly to meet established deadlines. Consequently, given the complexity of the issues and the many differing voices regarding how best to proceed, the danger is that government and industry will settle on solutions that do little to change the status quo or substantially improve cybersecurity in order to keep activities progressing toward fast-approaching deadlines.

The Changing Cyber Landscape

Many of industry's questions and concerns are the same as those that hindered previous efforts to forge a stronger government-industry partnership. Although the essential issues have not changed, the cyber environment in which government and industry operate has changed in important ways. These changes create new opportunities for meaningful collaboration:

Continuous Monitoring. Continuous monitoring uses powerful algorithms to constantly scan for anomalies, analyze them, and then communicate them through automatic, immediate warnings and alerts. By removing the human element, the automatic warnings significantly improve the
speed and effectiveness of responses and provide decision-makers with information on the current health of their networks, effectiveness of certain controls, and areas of risk. In addition, near real-time monitoring of the threat environment is enabling organizations to predict and prevent attacks. Such processes are generating enormous amounts of data about threats, vulnerabilities, and other network activities that could provide significant value if it were shared and then combined and analyzed with other data within sectors, across sectors, and across government.

Data Analytics. Powerful analytical tools not only enable organizations to conduct continuous monitoring of their own activities, but they also enable them to sift through volumes of open source data to uncover timely insights. For example, intelligence tools can quickly analyze global news sources, social media feeds, malicious databases, etc., to enhance situational awareness and identify rising threats, attack vectors, trends, and other valuable information. In addition, sophisticated text analytics, sentiment analysis, and language processing technologies can provide insight into an organization's own unique environment and help prioritize response activities before threats escalate. And using modern computational capabilities, organizations can scale their analytic processes beyond their own network data to include nearly limitless amounts of threat data gathered by partner organizations in government and industry. The data generated through continuous monitoring and data analytics provide a powerful incentive for information sharing and collaboration.

Cybersecurity Human Capital Skills. Data and data analytics are much more valuable today because the cyber professionals who work with the data are so much smarter. Cyber experts have greater knowledge and expertise in analyzing network data, spotting trends, and developing analytic programs and tools than they did a decade ago. And, this trend is predicted to continue. A recent study found that "information security is a stable and growing profession [and] the number of professionals is projected to continuously grow more than 11 percent annually over the next five years." [3] Cyber professionals develop skills across multiple systems and environments, and work together in cybersecurity communities and associations to identify needed skills, share best practices, and promote the highest standards of training and certification. Their skills enhance the value of collaboration.

Cybersecurity Maturity Models. Just as cybersecurity human capital skills have improved, so too have the models and approaches that organizations use to protect their networks and systems and manage risk. Organizations and sectors are beginning to embrace cyber risk management approaches that allow organizations to ascertain the maturity of an enterprise's security posture within the context of the business and, in some cases, across the dimensions of people, process, and technology. New risk-based models in both government and industry provide proven frameworks for measuring, managing, and systematically maturing cybersecurity, helping organizations to allocate cyber resources efficiently while continuously improving security. Proven maturity models now exist to inform the planned Cybersecurity Framework.

[3] Frost & Sullivan and Booz Allen Hamilton, The 2013 (ISC)2 Global Information Security Workforce Study, p. 3.

Keys to Success

These four changes, along with related developments within the cyber environment, have important implications for strengthening critical infrastructure cybersecurity. They not only enhance the potential benefits of industry-government collaboration in sharing information, creating a Cybersecurity Framework, and other EO activities, but they also make
those benefits easier to obtain. Equally important, an understanding of these changes provides insight into how government and industry can work together to implement the EO and improve cybersecurity. These actions are key to collaborative success:

1. Establish flexible, risk-based cybersecurity standards of practice (e.g., Cybersecurity Framework) that provide a foundation for measuring the growing maturity of an organization's security program.

The standards of practice should be flexible to guide strategy and approach rather than prescribing specific technologies and solutions. This will give owners and operators the flexibility to adopt measures that best suit their sectors and business imperatives, as well as the agility to adjust quickly to evolving threats, vulnerabilities, and risks.

The standards of practice should be risk-based to guide the effective allocation of resources. It is impossible for organizations to protect all assets, systems, and functions, particularly when the threat landscape is constantly evolving. Consequently, rather than relying solely on checklists of required technologies or references to national and international standards, a risk-based approach will be informed by business priorities and tied to overall enterprise risk. And, they will use quantitative measures and controls to assess risk and allocate resources proactively to mitigate that risk. A risk-based approach also supports a maturity-based framework that defines the expected security practices for a given maturity level. This enables managers to readily ascertain the maturity of an enterprise's cybersecurity posture across the dimensions of people, processes, and technology, and then to develop custom-tailored solutions to improve maturity and mitigate risk. Additionally, a risk-based approach lends itself to repeatable measures, thus enabling the organizations to assess the effectiveness of current security controls against identified threats (again, across multiple dimensions) as they relate to business goals, objectives, and risk tolerance.

In addition to being flexible and adaptive to the individual requirements of each sector, the new standards of practice should also be broad enough to incorporate the entire cyber ecosystem, thus recognizing the wider connections among the public, private, and civil communities within the ecosystem. In this way, the risk-based approach will include enterprise-wide, sector-wide, and ecosystem risks, as opposed to traditional models that focus narrowly on system risks. Finally, the standards of practice can provide a foundation for developing agreed-upon international cybersecurity standards, which would eliminate duplicative and conflicting requirements across multiple countries.

Overall, the standards of practice embody a common understanding of risk from the perspective of multiple stakeholders and provide a basis for determining how effectively a cybersecurity program is protecting the business, as opposed to merely protecting information technology systems. A focus on risk will also help organizations visualize and prepare for the full spectrum of cyber threats. It enables organizations to respond with agility to changing threats and incorporate new strategies, technologies, and approaches into the framework. Moreover, a framework of standards of practice will have the ability to learn and adapt to an evolving cyber landscape. In this way, the
community avoids both a one-size-fits-all approach and a strict regulatory regime, which tends to create a focus on checklists and compliance rather than genuine security.

2. Accelerate the adoption of continuous monitoring and data analytics.

Government and industry already have access to enormous amounts of data related to the protection of critical infrastructure, but they currently lack the capability to fully process and analyze this data to address complex cybersecurity challenges. Organizations can improve their analytic capabilities by tapping into emerging cloud-based analytics. Such capabilities would enhance significantly the value of information sharing among stakeholders because they would be able to quickly analyze data and respond to threats. Similarly, continuous monitoring capabilities would generate even more data regarding the health of networks within a sector and rapid responses based on data, as opposed to fear or premonitions about potential threats. While it is true that an individual sector could create these capabilities on its own, sharing capabilities and information across sectors, as well as across government agencies, provides much greater value. This is the goal that government and industry should be striving for, and federal initiatives such as the Big Data Research and Development Initiative, Digital Government Strategy, and the Cloud First Strategy directly support a movement in this direction. Agencies that have embraced these efforts are building the capacity to more effectively monitor their networks and exploit cybersecurity data.

3. Create an information-sharing broker (or brokers).

Both government and industry need help sharing information efficiently and effectively. The owners and operators want data that can help them address their cybersecurity challenges, but they do not have the resources to sift through mountains of information unrelated to the threats they face. They need information that is delivered in a way that helps them understand why the information is relevant to businesses within their sector and how they can use it. However, the government agencies that collect this information do not have the resources to create this context (that is, address these questions) for each stakeholder. An information broker could provide these services for both government and industry.

An information broker could take many forms and serve a number of essential functions. For example, the broker could serve as a trusted aggregator of threat data with the expertise to address privacy, security, and other issues that often hinder data sharing. It could also provide risk ratings, evaluating the level of risk that a reported threat posed to the company (or sector) receiving the report. Such a broker would refine and sharpen data to reduce substantially the friction in data sharing processes, thus making the data easier for government to share and more valuable for industry to receive. And because the information-sharing broker is focused on providing this service, it would continuously improve its own capabilities and the value of the data as it flows between government and industry.

4. Revitalize the public-private partnership based on shared interests.

When issuing the EO, the White House said, "The Executive Order strengthens the US Government's partnership with critical infrastructure owners and operators to address cyber threats." [4] However, many in industry are skeptical of the term "partnership," uncertain of its precise meaning and wary of its implications for moving forward. Consequently, government and industry should use the EO and PPD-21 as an opportunity to clearly define roles, responsibilities, and processes for collaboration among major stakeholders.

The starting place is finding common ground. Too often, discussions focus on the unique requirements or issues separating stakeholders, and they lose sight of the overlapping vital interests that have brought them together. For example, both government and industry have a shared interest in ensuring that networks are up and running at all times. All agree on the value of continuous monitoring in protecting networks and on the value of sharing threat data derived from continuous monitoring and other sources. Most would probably agree on the value of creating a robust framework that could be applied consistently across all sectors. These and other shared interests provide opportunities for collaboration and leadership.

An approach that focuses on common interests also helps to shape the adoption of key components of the EO. For example, in developing a Cybersecurity Framework, government and industry will want to create a framework at a high enough conceptual level to address the requirements of all sectors. Moreover, the framework must be flexible to adapt to both a changing cyber environment and a more mature understanding of common interests.

This approach also suggests that the current partnership model should be expanded to include the civil sector (that is, cyber and risk management experts from academia, think tanks, and others among the general public) because government and industry also have shared interests with the civil sector. The civil society has always played an important role in developing and shaping the Internet, and its members can contribute many useful ideas, as well as valuable data and intelligence necessary to predict, prevent, and respond to cyber threats. By viewing the cyber ecosystem as a collection of communities, rather than a limited number of sectors, the EO can strengthen both the partnership among stakeholders and the security of critical infrastructure. In fact, this is how cyber adversaries come together and operate: as communities with similar interests that share tactics and resources. A strong public-private-civil sector partnership can build an effective network to defeat the adversary's network.

[4] Office of the Press Secretary, Executive Order on Improving Critical Infrastructure Cybersecurity, February 12,

Each partner, through data analytics and continuous monitoring, has richer data to inform collaborative efforts and determine what needs to be done to address systemic risks, which have the potential to adversely impact all.

A new type of leadership is needed to galvanize strategic connectivity and unity of effort among these diverse partners. The National Preparedness Leadership Initiative (NPLI) at Harvard developed a framework and practice around "meta-leadership," which offers insight into the leadership skills required to foster collaboration among interdependent entities in the pursuit of shared goals. NPLI characterizes meta-leaders as those who lead advances down into their own group, but who also lead up to gain their leaders' support. Although team players, meta-leaders are not afraid to speak truth to power, if necessary, to those more senior. They also lead across agencies, extending their influence among stakeholder organizations, and they develop situational awareness to create a path forward, often in the face of incomplete information. Meta-leaders think beyond personal, bureaucratic, or business interests to achieve a higher purpose. They recognize that optimizing effectiveness and achieving high performance demand a spirit of collaboration, combined with tangible mechanisms that activate collaboration and partnership.

A partnership forged on shared interests and guided by meta-leadership will create a stronger Cybersecurity Framework, develop more effective information sharing processes, and implement more meaningful changes to strengthen critical infrastructure cybersecurity. And these efforts will, in turn, strengthen the partnership.

5. Explore and develop norms guiding the use of active cyber defense.

Private sector organizations are developing the capability to identify more precisely the source of cyber attacks using honey pots to attract and study threats and advanced forensics to track down attackers. The ability to identify attackers provides an opportunity for organizations to go beyond simply preventing or deterring attacks to actually striking back at an attacker's networks and systems. An organization might engage in active cyber defense through collective action with other sector members or by turning to other communities of interest to address the threat. Such action might be especially tempting if the government were seen as unable or unwilling to protect the organization.

The concept and potential use of active cyber defense is another area of compelling shared interest between government and industry. Employing active cyber defenses against attackers is already being widely discussed among cybersecurity professionals as an option, given the severity of the threats and the risks they pose. However, such activities could create a Wild West environment of vigilantism, attacks on innocent parties, and escalating attacks that draw the US government into conflict, potentially beyond cyberspace. Consequently, as government and industry collaborate on sharing information and building security frameworks, they also should address this emerging area of cyber policy and strategy.

Conclusion

We are optimistic that the United States can strengthen critical infrastructure cybersecurity through a government-industry partnership that builds a robust Cybersecurity Framework, shares threat data, and collaborates on achieving national cyber goals. Although we don't discount the challenges of bringing together such large and diverse groups of stakeholders, we believe that emerging cyber technologies and capabilities have created opportunities for success that did not exist 15 years ago when government first initiated "whole of government" efforts similar to the EO. In particular, continuous monitoring, data analytics, a more expert cybersecurity workforce, and a maturing of cybersecurity standards and models provide a much stronger foundation for collaboration.

The potential gains resulting from partnership are significantly greater; and, if efforts fail, the potential damage to the nation's economy and security is significantly greater as well. These two facts provide compelling incentive for stakeholders to work together to improve critical infrastructure cybersecurity. By building on their common interests, government and industry can create a partnership that grows and matures to counter cyber threats today and into the future.

Contact Information

Mike McConnell, Vice Chairman
Sedar Labarre, Principal
David Sulek, Principal
Marcia McGowan, Senior Associate

About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for nearly a century. Today, Booz Allen is a leading provider of management and technology consulting services to the US government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. In the commercial sector, the firm focuses on leveraging its existing expertise for clients in the financial services, healthcare, and energy markets, and to international clients in the Middle East. Booz Allen offers clients deep functional knowledge spanning strategy and organization, engineering and operations, technology, and analytics, which it combines with specialized expertise in clients' mission and domain areas to help solve their toughest problems.

The firm's management consulting heritage is the basis for its unique collaborative culture and operating model, enabling Booz Allen to anticipate needs and opportunities, rapidly deploy talent and resources, and deliver enduring results. By combining a consultant's problem-solving orientation with deep technical knowledge and strong execution, Booz Allen helps clients achieve success in their most critical missions, as evidenced by the firm's many client relationships that span decades. Booz Allen helps shape thinking and prepare for future developments in areas of national importance, including cybersecurity, homeland security, healthcare, and information technology.

Booz Allen is headquartered in McLean, Virginia, employs approximately 25,000 people, and had revenue of $5.86 billion for the 12 months ended March 31, For over a decade, Booz Allen's high standing as a business and an employer has been recognized by dozens of organizations and publications, including Fortune, Working Mother, G.I. Jobs, and DiversityInc. More information is available at (NYSE: BAH)

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit

Principal Offices

Huntsville, Alabama; Montgomery, Alabama; Sierra Vista, Arizona; Los Angeles, California; San Diego, California; San Francisco, California; Colorado Springs, Colorado; Denver, Colorado; District of Columbia; Pensacola, Florida; Sarasota, Florida; Tampa, Florida; Atlanta, Georgia; Honolulu, Hawaii; O'Fallon, Illinois; Indianapolis, Indiana; Leavenworth, Kansas; Radcliff, Kentucky; Aberdeen, Maryland; Annapolis Junction, Maryland; Lexington Park, Maryland; Linthicum, Maryland; Rockville, Maryland; Troy, Michigan; Kansas City, Missouri; Omaha, Nebraska; Red Bank, New Jersey; New York, New York; Rome, New York; Fayetteville, North Carolina; Cleveland, Ohio; Dayton, Ohio; Philadelphia, Pennsylvania; Charleston, South Carolina; Houston, Texas; San Antonio, Texas; Abu Dhabi, United Arab Emirates; Alexandria, Virginia; Arlington, Virginia; Chantilly, Virginia; Charlottesville, Virginia; Falls Church, Virginia; Herndon, Virginia; McLean, Virginia; Norfolk, Virginia; Stafford, Virginia; Seattle, Washington

The most complete, recent list of offices and their addresses and telephone numbers can be found on

Booz Allen Hamilton Inc. BA13-051

Utilizing and Visualizing Geolocation Data for Powerful Analysis

Utilizing and Visualizing Geolocation Data for Powerful Analysis Utilizing and Visualizing Geolocation Data for Powerful Analysis by Walton Smith smith_walton@bah.com Timothy Ferro ferro_timothy@bah.com Table of Contents Introduction... 1 Delivering Geolocation Data

More information

Analytical Program Management

Analytical Program Management Analytical Program Management Integrating Cost, Schedule, and Risk MISSION Analytical Program Management Integrating Cost, Schedule, and Risk Analytical Program Management 1 One of the greatest challenges

More information

Supply Chain Data Standards in Healthcare

Supply Chain Data Standards in Healthcare Supply Chain Data Standards in Healthcare by Michael Zirkle zirkle_michael@bah.com Ryan Gallagher gallagher_ryan_b@bah.com Seth Rogier rogier_seth@bah.com Table of Contents Making Healthcare Safer and

More information

Engaging Mobility in the Oil and Gas Sector

Engaging Mobility in the Oil and Gas Sector Engaging Mobility in the Oil and Gas Sector Engaging Mobility in the Oil and Gas Sector To open a dialogue about the impact of rapid mobile adoption in the energy industry, Booz Allen Hamilton, Bitzer

More information

by Christopher P. Bell bell_christopher_p@bah.com Elizabeth Conjar conjar_elizabeth@bah.com

by Christopher P. Bell bell_christopher_p@bah.com Elizabeth Conjar conjar_elizabeth@bah.com Organizational Network Analysis Improving Intelligence and Information Sharing Capability among Homeland Security and Emergency Management Stakeholders by Christopher P. Bell bell_christopher_p@bah.com

More information

Ascent to the Cloud. Four Focus Areas for a Successful Enterprise Migration. by Michael Farber farber_michael@bah.com

Ascent to the Cloud. Four Focus Areas for a Successful Enterprise Migration. by Michael Farber farber_michael@bah.com Ascent to the Cloud Four Focus Areas for a Successful Enterprise Migration by Michael Farber farber_michael@bah.com Kevin Winter winter_kevin@bah.com Munjeet Singh singh_munjeet@bah.com Ascent to the

More information

The Social Financial Advisor: A Path Forward

The Social Financial Advisor: A Path Forward The Social Financial Advisor: A Path Forward Take the Right Route to Using Social Media by Chris Estes estes_chris@bah.com Todd Inskeep inskeep_todd@bah.com Getting Social Is It Time for Advisors to Face

More information

Realizing the Promise of Health Information Exchange

Realizing the Promise of Health Information Exchange Realizing the Promise of Health Information Exchange by Timathie Leslie Leslie_Timathie@bah.com Realizing the Promise of Health Information Exchange Health information exchange (HIE) the electronic movement

More information

Meeting the Challenges of the Modern CIO

Meeting the Challenges of the Modern CIO Meeting the Challenges of the Modern CIO by Darrin London, PMP london_darrin@bah.com Daniel E. Williams, PMP williams_daniel_2@bah.com Table of Contents Introduction...1 Challenges Faced by the Modern

More information

Managing Risk in Global ICT Supply Chains

Managing Risk in Global ICT Supply Chains Managing Risk in Global ICT Supply Chains Best Practices and Standards for Acquiring ICT Ready for what s next. Managing Risk in Global ICT Supply Chains Emerging best practices and standards can significantly

More information

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity Cyber ROI A practical approach to quantifying the financial benefits of cybersecurity Cyber Investment Challenges In 2015, global cybersecurity spending is expected to reach an all-time high of $76.9

More information

Developing a Business Case for Cloud

Developing a Business Case for Cloud Developing a Business Case for Cloud Analyzing Return on Investment for Cloud Alternatives May Yield Surprising Results by Paul Ingholt ingholt_paul@bah.com Cynthia O Brien o brien_cynthia@bah.com John

More information

Realizing the Promise of Health Information Exchange

Realizing the Promise of Health Information Exchange Realizing the Promise of Health Information Exchange Realizing the Promise of Health Information Exchange Health information exchange (HIE) the electronic movement of health-related information among organizations

More information

Enabling Cloud Analytics with Data-Level Security

Enabling Cloud Analytics with Data-Level Security Enabling Cloud Analytics with Data-Level Security Tapping the Full Value of Big Data and the Cloud by Jason Escaravage escaravage_jason@bah.com Peter Guerra guerra_peter@bah.com Table of Contents Introduction...

More information

Cyber Solutions Handbook

Cyber Solutions Handbook Cyber Solutions Handbook Making Sense of Standards and Frameworks by Matthew Doan doan_matthew@bah.com Ian Bramson bramson_ian@bah.com Laura Eise eise_laura@bah.com Cyber Solutions Handbook Making Sense

More information

Effectiveness and Efficiency

Effectiveness and Efficiency Effectiveness and Efficiency Lessons for Building and Managing a Culture of Performance by Dave Mader mader_dave@bah.com Jay Dodd dodd_ joseph@bah.com Tom Miller miller_tom@bah.com Douglas Schlemmer schlemmer_douglas@bah.com

More information

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations

More information

Cybersecurity: Mission integration to protect your assets

Cybersecurity: Mission integration to protect your assets Cybersecurity: Mission integration to protect your assets C Y B E R S O L U T I O N S P O L I C Y O P E R AT I O N S P E O P L E T E C H N O L O G Y M A N A G E M E N T Ready for what s next Cyber solutions

More information

How To Manage Security In A Federal System

How To Manage Security In A Federal System Security Authorization An Approach for Community Cloud Computing Environments by Perry Bryden bryden_perry@bah.com Daniel C. Kirkpatrick kirkpatrick_daniel@bah.com Farideh Moghadami moghadami_farideh@bah.com

More information

Data Lake-based Approaches to Regulatory- Driven Technology Challenges

Data Lake-based Approaches to Regulatory- Driven Technology Challenges Data Lake-based Approaches to Regulatory- Driven Technology Challenges How a Data Lake Approach Improves Accuracy and Cost Effectiveness in the Extract, Transform, and Load Process for Business and Regulatory

More information

Overcoming Deployment Challenges for Financial Crimes Platforms

Overcoming Deployment Challenges for Financial Crimes Platforms Overcoming Deployment Challenges for Financial Crimes Platforms by Brian Stoeckert stoeckert_brian@bah.com James Flowe flowe_james@bah.com Contents Introduction...1 Fragmented Approach to Fraud Prevention...1

More information

Turning Big Data into Opportunity

Turning Big Data into Opportunity Turning Big Data into Opportunity The Data Lake by Mark Herman herman_mark@bah.com Michael Delurey delurey_mike@bah.com Table of Contents Introduction... 1 A New Mindset... 1 Ingesting Data into the Data

More information

Strategic Information Management Through Data Classification Reducing Corporate Risk and Cost by Gaining Control of Business Information Assets

Strategic Information Management Through Data Classification Reducing Corporate Risk and Cost by Gaining Control of Business Information Assets Strategic Information Management Through Data Classification Reducing Corporate Risk and Cost by Gaining Control of Business Information Assets by Glen Day day_glen@bah.com Strategic Information Management

More information

by Keith Catanzano catanzano_keith@bah.com

by Keith Catanzano catanzano_keith@bah.com Enhanced Training for a 21st-Century Military A convergence of new technologies and advanced learning techniques will help the military meet its growing training requirements, despite budget constraints

More information

How To Reduce Greenhouse Gas Emissions Through A Regional Performance Based Framework

How To Reduce Greenhouse Gas Emissions Through A Regional Performance Based Framework Miles to Go Before They're Green Reducing Surface Transportation Greenhouse Gas Emissions Through a Regional Performance-Based Framework by Gary Rahl Rahl_Gary@bah.com David Erne Erne_David@bah.com Victoria

More information

Booz Allen Cloud Solutions. Our Capability-Based Approach

Booz Allen Cloud Solutions. Our Capability-Based Approach Booz Allen Cloud Solutions Our Capability-Based Approach Booz Allen Cloud Solutions Our Capability-Based Approach Booz Allen Cloud Solutions Our Capability-Based Approach In today s budget-conscious environment,

More information

Integrating IT Service Management Practices into the Defense Acquisition Lifecycle

Integrating IT Service Management Practices into the Defense Acquisition Lifecycle Integrating IT Service Management Practices into the Defense Acquisition Lifecycle by Francis Arambulo arambulo_francis@bah.com Michael Thompson thompson_michael_p@bah.com Table of Contents Introduction...1

More information

Overcoming Deployment Challenges for Financial Crimes Platforms

Overcoming Deployment Challenges for Financial Crimes Platforms Overcoming Deployment Challenges for Financial Crimes Platforms Convergent Risk Management for Financial Institutions Ready for what s next. Contents Introduction 1 Fragmented Approach to Fraud Prevention

More information

Information Security Governance

Information Security Governance Information Governance Government Considerations for the Cloud Computing Environment by Jamie Miller miller_jamie@bah.com Larry Candler candler_larry@bah.com Hannah Wald wald_hannah@bah.com Table of Contents

More information

The Comprehensive National Cybersecurity Initiative

The Comprehensive National Cybersecurity Initiative The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we

More information

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Cyber4sight TM Threat Intelligence Services Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Preparing for Advanced Cyber Threats Cyber attacks are evolving faster than organizations

More information

Confronting Complexity in Managing a Cyber Crisis Lessons Learned for Responding at Network Speed

Confronting Complexity in Managing a Cyber Crisis Lessons Learned for Responding at Network Speed Confronting Complexity in Managing a Cyber Crisis Lessons Learned for Responding at Network Speed by Admiral Mike McConnell, USN, Retired Senior Executive Advisor, Former Vice Chairman Former Director

More information

SOCIAL MEDIA LISTENING AND ANALYSIS Spring 2014

SOCIAL MEDIA LISTENING AND ANALYSIS Spring 2014 SOCIAL MEDIA LISTENING AND ANALYSIS Spring 2014 EXECUTIVE SUMMARY In this digital age, social media has quickly become one of the most important communication channels. The shift to online conversation

More information

Cyber Training. Developing the Next Generation of Cyber Analysts. Ready for what s next.

Cyber Training. Developing the Next Generation of Cyber Analysts. Ready for what s next. Cyber Training Developing the Next Generation of Cyber Analysts Ready for what s next. Table of Contents The Crisis Moment...1 The Cyber Skills Gap...1 Developing a World-Class Cyber Workforce...2 Emulating

More information

Fast Facts About The Cyber Security Job Market

Fast Facts About The Cyber Security Job Market Cybersecurity Cybersecurity is the measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. Cybersecurity is the faster growing IT job, growing

More information

Cybersecurity Enhancement Account. FY 2017 President s Budget

Cybersecurity Enhancement Account. FY 2017 President s Budget Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security

Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security As

More information

Job Market Intelligence:

Job Market Intelligence: March 2014 Job Market Intelligence: Report on the Growth of Cybersecurity Jobs Matching People & Jobs Reemployment & Education Pathways Resume Parsing & Management Real-Time Jobs Intelligence Average #

More information

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order Executive Order: In the President s State of the Union Address on February 12, 2013, he announced an Executive Order Improving Critical Infrastructure Cybersecurity (EO) to strengthen US cyber defenses

More information

SOCIAL MEDIA LISTENING AND ANALYSIS Spring 2014

SOCIAL MEDIA LISTENING AND ANALYSIS Spring 2014 SOCIAL MEDIA LISTENING AND ANALYSIS Spring 2014 Our Understanding The rise of social media has transformed the way citizens engage with their government. Each day, nearly 2 billion people talk about and

More information

Booz Allen Hamilton Systems Delivery Group

Booz Allen Hamilton Systems Delivery Group Booz Allen Hamilton Systems Delivery Group Booz Allen Hamilton Systems Delivery Group Systems Delivery at Booz Allen In today s environment, large software projects routinely run significantly over budget

More information

No. 33 February 19, 2013. The President

No. 33 February 19, 2013. The President Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001

More information

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS NEW YORK Jeremy Feigelson jfeigelson@debevoise.com WASHINGTON, D.C. Satish M. Kini smkini@debevoise.com Renee

More information

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and Healthy Students Hamed Negron-Perez,

More information

The Dow Chemical Company. statement for the record. David E. Kepler. before

The Dow Chemical Company. statement for the record. David E. Kepler. before The Dow Chemical Company statement for the record of David E. Kepler Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President before The Senate Committee

More information

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber

More information

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program Mobile Application Security Helping Organizations Develop a Secure and Effective Mobile Application Security Program by James Fox fox_james@bah.com Shahzad Zafar zafar_shahzad@bah.com Mobile applications

More information

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, 2013. February 12, 2013

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, 2013. February 12, 2013 THE WHITE HOUSE Office of the Press Secretary For Immediate Release February 12, 2013 February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical Infrastructure Security and Resilience The

More information

Impacts of Sequestration on the States

Impacts of Sequestration on the States Impacts of Sequestration on the States Alabama Alabama will lose about $230,000 in Justice Assistance Grants that support law STOP Violence Against Women Program: Alabama could lose up to $102,000 in funds

More information

Harnessing Big Data to Solve Complex Problems: The Cloud Analytics Reference Architecture

Harnessing Big Data to Solve Complex Problems: The Cloud Analytics Reference Architecture Harnessing Big Data to Solve Complex Problems: The Cloud Analytics Reference Architecture Table of Contents Introduction... 1 Cloud Analytics Reference Architecture... 1 Using All the Data... 3 Better

More information

CYBER SECURITY INFORMATION SHARING & COLLABORATION

CYBER SECURITY INFORMATION SHARING & COLLABORATION Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers

More information

Manned Information Security

Manned Information Security Manned Information Security Adversary Pursuit and Active Network Defense root9b Technologies (RTNB) Presented By: John Harbaugh, COO CONFIDENTIALITY NOTICE This briefing, including any attachments, is

More information

Management Spans and Layers. Streamlining the Out-of-Shape Organization

Management Spans and Layers. Streamlining the Out-of-Shape Organization Management Spans and Layers Streamlining the Out-of-Shape Organization Originally published as: Management Spans and Layers: Streamlining the Out-of-Shape Organization, by Ian Buchanan, Jong Hyun Chang,

More information

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively

More information

Tackling the BRAC Mission Continuity Challenge Workforce

Tackling the BRAC Mission Continuity Challenge Workforce Tackling the BRAC Mission Continuity Challenge Workforce by Joseph W. Mahaffee mahaffee_ joe@bah.com Dr. William Rowe, Jr. rowe_william_ jr@bah.com Elizabeth Miller miller_elizabeth@bah.com Tackling the

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

The Economics of Cloud Computing

The Economics of Cloud Computing The Economics of Cloud Computing Addressing the Benefits of Infrastructure in the Cloud by Ted Alford alford_theodore@bah.com Gwen Morton morton_gwen@bah.com The Economics of Cloud Computing Addressing

More information

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity; NGA Paper Act and Adjust: A Call to Action for Governors for Cybersecurity challenges facing the nation. Although implementing policies and practices that will make state systems and data more secure will

More information

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY CSCSS / ENTERPRISE TECHNOLOGY + SECURITY C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CENTRE FOR STRATEGIC CSCSS CYBERSPACE + SECURITY SCIENCE CSCSS / ENTERPRISE TECHNOLOGY + SECURITY GROUP Information

More information

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business S 2 ERC Project: Cyber Threat Intelligence Exchange Ecosystem: Economic Analysis Report: An Analysis of US Government Proposed Cyber Incentives Author: Joe Stuntz, MBA EP 14, McDonough School of Business

More information

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing:

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing: Testimony of Doug Johnson On behalf of the New York Bankers Association before the New York State Senate Joint Public Hearing: Cybersecurity: Defending New York from Cyber Attacks November 18, 2013 Testimony

More information

Statement of Edward Amoroso, Ph.D. Senior Vice President & Chief Security Officer AT&T. United States House of Representatives

Statement of Edward Amoroso, Ph.D. Senior Vice President & Chief Security Officer AT&T. United States House of Representatives Statement of Edward Amoroso, Ph.D. Senior Vice President & Chief Security Officer AT&T Hearing: DHS s Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure United States House

More information

The Integrated Data Exchange Program

The Integrated Data Exchange Program From Stovepipes to Secure Exchanges An Integrated Approach to Protecting Shared Federal Data by Greg Brill brill_gregory@bah.com Khurram Chaudry chaudry_khurram@bah.com From Stovepipes to Secure Exchanges

More information

Enabling Agility in Law Enforcement Leveraging Collective Intelligence, Analytics, and Operational Capabilities to Optimize Mission Performance

Enabling Agility in Law Enforcement Leveraging Collective Intelligence, Analytics, and Operational Capabilities to Optimize Mission Performance Enabling Agility in Law Enforcement Leveraging Collective Intelligence, Analytics, and Operational Capabilities to Optimize Mission Performance Enabling Agility in Law Enforcement Leveraging Collective

More information

BIG SHIFTS WHAT S NEXT IN AML

BIG SHIFTS WHAT S NEXT IN AML Commercial Solutions Financial Crimes Commercial Solutions BIG SHIFTS WHAT S NEXT IN AML The next big shift in the fight against financial crime and money laundering is advanced machine learning and sophisticated

More information

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security.

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security. Written Testimony of Dr. Andy Ozment Assistant Secretary for Cybersecurity and Communications U.S. Department of Homeland Security Before the U.S. House of Representatives Committee on Oversight and Government

More information

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy s gas and electric utilities collaborate with industry leaders and a wide range of

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

The Federal Government s Key Role in Healthcare Innovation

The Federal Government s Key Role in Healthcare Innovation The Federal Government s Key Role in Healthcare Innovation by Lucy Stribley Stribley_lucy@bah.com Lisa Egbuonu-Davis, MD Egbuonu-davis_lisa@bah.com Patrick Fritz Fritz_patrick@bah.com The Federal Government

More information

PATRIOTWATCHTM PATRIOTSHIELDTM PATRIOTSWORDTM

PATRIOTWATCHTM PATRIOTSHIELDTM PATRIOTSWORDTM Overlook Systems Technologies, Inc. 1950 Old Gallows Road, Suite 400 Vienna, VA 22182 (703)-893-1411 PATRIOTWATCHTM PATRIOTSHIELDTM PATRIOTSWORDTM A PROPOSED SOLUTION TO ADDRESS RISK TO U.S. CRITICAL INFRASTRUCTURE

More information

Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach

Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach April 2011 A white paper prepared by Booz Allen Hamilton: Center of Excellence for Strategic Technology

More information

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

GETTING REAL ABOUT SECURITY MANAGEMENT AND BIG DATA GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA" A Roadmap for "Big Data" in Security Analytics ESSENTIALS This paper examines: Escalating complexity of the security management environment, from threats

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

CyberSecurity Solutions. Delivering

CyberSecurity Solutions. Delivering CyberSecurity Solutions Delivering Confidence Staying One Step Ahead Cyber attacks pose a real and growing threat to nations, corporations and individuals globally. As a trusted leader in cyber solutions

More information

Information About Filing a Case in the United States Tax Court. Attached are the forms to use in filing your case in the United States Tax Court.

Information About Filing a Case in the United States Tax Court. Attached are the forms to use in filing your case in the United States Tax Court. Information About Filing a Case in the United States Tax Court Attached are the forms to use in filing your case in the United States Tax Court. It is very important that you take time to carefully read

More information

Integrated Risk Management. Balancing Risk and Budget

Integrated Risk Management. Balancing Risk and Budget Integrated Risk Management The Current Risk Landscape Organizations which depend upon information systems are challenged by serious threats that can exploit both known and unknown vulnerabilities in systems.

More information

NON-RESIDENT INDEPENDENT, PUBLIC, AND COMPANY ADJUSTER LICENSING CHECKLIST

NON-RESIDENT INDEPENDENT, PUBLIC, AND COMPANY ADJUSTER LICENSING CHECKLIST NON-RESIDENT INDEPENDENT, PUBLIC, AND COMPANY ADJUSTER LICENSING CHECKLIST ** Utilize this list to determine whether or not a non-resident applicant may waive the Oklahoma examination or become licensed

More information

Pulling Up Your SOX. Companies Can Gain from Compliance with U.S. Governance Act. Lisa Fabish fabish_lisa@bah.com. Stuart Groves groves_stuart@bah.

Pulling Up Your SOX. Companies Can Gain from Compliance with U.S. Governance Act. Lisa Fabish fabish_lisa@bah.com. Stuart Groves groves_stuart@bah. by Lisa Fabish fabish_lisa@bah.com Stuart Groves groves_stuart@bah.com Robert Oushoorn oushoorn_robert@bah.com Otto Waterlander waterlander_otto@bah.com Pulling Up Your SOX Companies Can Gain from Compliance

More information

Corporate Perspectives On Cybersecurity: A Survey Of Execs

Corporate Perspectives On Cybersecurity: A Survey Of Execs Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Corporate Perspectives On Cybersecurity: A Survey

More information

Written Statement of Richard Dewey Executive Vice President New York Independent System Operator

Written Statement of Richard Dewey Executive Vice President New York Independent System Operator Written Statement of Richard Dewey Executive Vice President New York Independent System Operator Senate Standing Committee on Veterans, Homeland Security and Military Affairs Senator Thomas D. Croci, Chairman

More information

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C. 20554. Comments of CTIA The Wireless Association

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C. 20554. Comments of CTIA The Wireless Association Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C. 20554 In the Matter of CSRIC IV Cybersecurity Risk Management and Assurance Recommendations ) ) ) PS Docket No. 15-68 ) ) Comments of CTIA

More information

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Presented to Information Security Now! Seminar Helsinki, Finland May 8, 2013 MARK E. SMITH Assistant Director International Security

More information

NH!ISAC"ADVISORY"201.13" NATIONAL"CRITICAL"INFRASTRUCTURE"RESILIENCE"ANALYSIS"REPORT""

National Health ISAC (NH-ISAC) Global Institute for Cybersecurity + Research Global Situational Awareness Center NASA Space Life Sciences Laboratory Kennedy Space Center, FL

Enterprise Security Tactical Plan

Fiscal Years 2011-2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

(U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative

(U) Presidential Directive NSPD 54/HSPD 23, Cybersecurity Policy, established United States policy, strategy, guidelines,

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and

National Cyber Security Policy -2013

Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

Getting in Front of the Cybersecurity Talent Crisis

CYBERSECURITY WORKFORCE http://boozallen.tumblr.com/post/120784624298/how-to-build-a-cyber-dream-team-when-it-comes-to

Logistics Engineering Perspective Enabling Logistics Transformation While Reducing Costs

by Mike Jones Jones_Mike@bah.com Dick Lohrmann Lohrmann_Dick@bah.com Tim Surabian Surabian_Timothy@bah.com

Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity

Introduction: Cyber security breaches are rarely out of the media's eye. As adversary sophistication increases, many

September 28, 2012 MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President

004216 THE WHITE HOUSE WASHINGTON MEMORANDUM FOR September 28, 2012 MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President MR. STEPHEN D. MULL Executive

Rapid Prototyping. The Agile Creation of Solutions for Modern Defense & Intelligence. by Lee Wilbur wilbur_lee@bah.com

by Lee Wilbur wilbur_lee@bah.com Allan Steinhardt steinhardt_allan@bah.com

MEMO. To: Department of Homeland Security Officials

From: Erica Chenoweth, Harvard University (Erica_Chenoweth@ksg.harvard.edu) and Susan E. Clarke, University of Colorado (Susan.Clarke@colorado.edu) Issue:

Statement of Gil Vega. Associate Chief Information Officer for Cybersecurity and Chief Information Security Officer. U.S. Department of Energy

Before the Subcommittee on Oversight and Investigations Committee

Massive Data Analytics and the Cloud A Revolution in Intelligence Analysis

by Michael Farber farber_michael@bah.com Mike Cameron cameron_mike@bah.com Christopher Ellis ellis_christopher@bah.com Josh Sullivan,

Testimony of. Mr. Anish Bhimani. On behalf of the. Financial Services Information Sharing and Analysis Center (FS-ISAC) before the

Committee on Homeland Security United States House of Representatives DHS

NIPP 2013. Partnering for Critical Infrastructure Security and Resilience

Acknowledgments NIPP 2013: Partnering for Critical Infrastructure Security and Resilience was developed through a collaborative

MESSAGE FROM THE SECRETARY... ii EXECUTIVE SUMMARY... iii INTRODUCTION... 1 THE FUTURE WE SEEK... 5

TABLE OF CONTENTS MESSAGE FROM THE SECRETARY... ii EXECUTIVE SUMMARY... iii INTRODUCTION... 1 SCOPE... 2 RELATIONSHIP TO OTHER KEY POLICIES AND STRATEGIES... 3 MOTIVATION... 3 STRATEGIC ASSUMPTIONS...

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

OFFICE OF THE NATIONAL COUNTERINTELLIGENCE EXECUTIVE Counterintelligence for the