Industry tries to find its own solutions on cybersecurity

President Obama emphasized government-industry partnership during his “CEO summit” on cybersecurity last week at Stanford University, where he unveiled new tools designed to protect American consumers and businesses online.

The Obama administration also announced the creation of a new Cyber Threat Intelligence Integration Center, while the president touted an “executive action” designed to improve the flow of cyber threat information between the private sector and government.

Obama has stressed the need for a collaborative approach going back to the Feb. 12, 2013, release of his landmark executive order on cybersecurity.

The executive order, in turn, led to the release of the National Institute of Standards and Technology’s framework of cybersecurity standards one year later, which has become the touchstone for industry’s efforts to protect information.

The Senate Commerce Committee held an oversight hearing earlier this month on the NIST framework, with some panel Democrats expressing skepticism about whether it can deliver demonstrable improvements in cybersecurity.

Communications industry leaders are in the final throes of producing a cybersecurity strategy, based on the NIST framework, that seeks to affirmatively answer that question before regulators choose a different approach.

Federal Communications Commission Chairman Thomas Wheeler discussed the challenge in a speech last spring at the American Enterprise Institute.

“The challenge is that this private sector-led effort must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market or voluntary best practices to defend our country,” Wheeler said.

“The new paradigm for the communications sector must be real and meaningful,” the chairman stressed. “It has to work. The commission’s commitment to market accountability will help ensure that it does work. And, while I am confident that it will work, we must be ready with alternatives if it doesn’t.”

The alternative was apparent to Wheeler’s audience: mandatory rules, enforced by the FCC, for companies to follow as they try to secure their networks from cyber attacks.

Last March, the FCC’s Communications Security, Reliability and Interoperability Council empowered an industry-led group — known as “working group 4” — to come up with a new way to ensure cybersecurity for the communications sector.

The one hundred or so industry representatives on working group 4 held their final all-hands meeting last week. The group includes security experts from the five corners of the communications industry: wireless, traditional “wireline” service, broadcast, cable and satellite.

It will be up to Wheeler and the other FCC commissioners to determine whether the recommendations are up to the task of best securing the telecom sector from cyber attacks.

Industry and government officials alike appear confident in the outcome.

Retired Rear Adm. David Simpson, the FCC’s security chief, late last year said he expects the group’s recommendations to be “more flexible and dynamic than traditional regulation,” while also providing a way to measure effectiveness.

“The industry gets it and by and large is getting after it,” Simpson said.

The scale of the industry-led effort, and its future implications for cyberpolicy, are apparent to the participants after a year of breakneck activity.

“The working group 4 effort represents a seismic shift in the way the communications sector works with our government partners and our regulator to address the formidable threats to our nation’s critical communications infrastructure,” said Robert Mayer, vice president for industry and state affairs at the U.S. Telecom Association.

Mayer, who is co-chairing working group 4, said, “We are using the NIST framework as a foundation for evaluating how we integrate emerging threats into enterprise risk management and how we communicate our capabilities and expectations to both internal and external stakeholders.”

Industry participation has been substantial, perhaps even unprecedented.

“Over the course of a year, we have had over 100 cybersecurity professionals think about the most complex challenges facing our nation and critical infrastructure enterprises and we have formulated recommendations to the FCC and guidance to the industry that should advance our business and national security interests in the cybersecurity arena,” Mayer said.

“It’s astonishing how much has been accomplished in one year in addressing these issues,” said Time Warner vice president Brian Allen, Mayer’s fellow co-chairman. “These issues take a lot of work because this is a very complicated industry with diverse segments.”

Allen said the NIST framework was the key. “I love the framework,” he said with a laugh. “It surrounds policy with risk management principles and simplifies it with good security practices.”

The “core principles” in the framework “make it adaptable and flexible,” Allen said.

“I think there is a lot of good, fundamental security practice in here,” Allen said of the upcoming working group proposal. “This could be a model for others — if you start with the basic elements and build off of those, it becomes very practical very quickly.”

Working group 4 will deliver its package of recommendations to the FCC’s security council on March 18.

“The communications sector is at a critical juncture,” Wheeler said last spring. “We know there are threats to the communications networks upon which we all rely. We know those threats are growing. And we have agreed that industry-based solutions are the right approach. The question is: Will this approach work? We are not Pollyannas. We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken.”

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
