The Federal government needs to set standards for cybersecurity and hold the proper people accountable, technology executives who gathered at the White House on June 19 told Rob Joyce, cyber coordinator for the White House.
The cyber executive order discusses whom to hold accountable within Federal agencies, critical infrastructure sectors, and international cyberspace.
“It really focused on the way that cybersecurity is an underpinning for the national security, economic security, and health of the nation,” Joyce said.
The executive order brings agency heads to the forefront of their agencies’ cybersecurity posture. Agencies are taking stock of their networks and deciding which networks need the most protection and what risks they’re willing to take.
“No kidding, not all data is created equal,” Joyce said at Tenable’s GovProtect17 conference. “Start with the crown jewels.”
Joyce said to consider the consequences if the Office of Personnel Management breach had happened to the Social Security Administration or the Internal Revenue Service. Much more personal data could have been compromised.
“The idea that we are protecting Americans’ data has to be at the forefront,” Joyce said.
Joyce said that policy still needs to be written to determine whom to hold accountable after a breach like the incident at OPM.
“You’ve got to assume all the time that the bad guys are in your perimeter,” Joyce said.
The executive order enables partnerships between the government and the private companies that often control the 16 critical infrastructure sectors, including five lifeline sectors. Critical infrastructures such as the energy grid, telecommunications networks, financial systems, and health systems need to be protected from cyber intrusion.
“These are all interlinked and we recognize that,” Joyce said. “What do we need to do to enable [the private sector] to do good cyber defense?”
Joyce suggested that the government partner with the private sector and share information “perhaps on the classified level.” The Silicon Valley executives who met at the White House expressed a need to have a clear dialogue and engagement from the government in order to have a successful partnership.
Joyce said that there are many options to hold international hackers accountable, even though they’re difficult to identify. The Federal government can use diplomatic agreements, apply pressure on bad actors, engage in open disclosure of behavior, convict cyber criminals, and exploit cyber capabilities, according to Joyce.
“We’ve got to have alliances, agreements, and like-minded partners,” Joyce said.
Joyce offered the example of the Department of Defense, which has a well-resourced cyber program, and the Bureau of Reclamation, which has an important mission of managing water in the United States but doesn’t have as many resources. Joyce said that recent cyber graduates are more likely to want to work for the DoD than the Bureau of Reclamation. Shared services, which are encouraged in the cyber executive order, would strengthen the networks of agencies of all sizes.
“We’ve got to have these shared services so that we can bring people in to both defend the DoD networks and the Bureau of Reclamation,” Joyce said.