The Complex

Napolitano: Cybersecurity legislation preferred over exec order

Here's your midweek update on the push from the White House and Congress to establish minimum cybersecurity standards for banks, energy firms, transportation companies and communications businesses -- frequently called critical infrastructure providers by the government.

While Senate Majority Leader Harry Reid (D-Nev.) has said he plans to call for a vote on the Cybersecurity Act of 2012 next month, the White House is still circulating a draft of its executive order -- or "EO" -- on cybersecurity to the businesses it would affect, in an effort to get their feedback.

"In light of the failure of the Congress to be able to pass legislation this past year, in part, because we recognize given the severity and urgency of the situation we can't simply wait if Congress cannot act," Homeland Security Secretary Janet Napolitano said after an Oct. 25 speech about cybersecurity at the Center for Strategic and International Studies. "One of the things that's happening now is outreach into the private sector and other stakeholders to look at it and get some feedback before any EO would be issued if there is, ultimately, that decision."

Still, senior administration officials maintain that they would like to lose this race to lawmakers. During questions after her speech today Napolitano echoed the White House and Defense Department's argument that legislation is key to protecting the nation's critical infrastructure from cyber attack.

"If you ask me what concerns me the most, is that in an interconnected world, where infrastructure is concerned you could have entities that are doing a really good job, but it only takes one or two to create a gap in the system and then the gap can have a domino effect," said Napolitano. "That's why having legislation, I think in the end, is going to be absolutely necessary to make sure we have [a set of uniform] best practices that are incorporated in the core infrastructure of the country."

Napolitano added that while legislation is a better way to deal with securing critical infrastructure than an executive order, the lame-duck Congress will have plenty on its plate when it returns in mid-November, including trying to reach a deficit reduction deal to avoid the massive government spending cuts that are scheduled to take effect in January.

The White House is keeping a tight lid on the details of its executive order, saying only that it will take a "collaborative" approach with businesses and lawmakers in developing cybersecurity "best practices" for critical infrastructure providers. Any such order will have strong privacy and civil liberties protections in place, according to the White House. In addition to establishing best practices, the order may provide a means for rapid information sharing about cyber threats between businesses and the government.

National Security

Rogers was right, DoD-DHS cyber info sharing program has shrunk

The joint DoD-DHS program that provides defense contractors with protection from bad cyber actors identified by U.S. intelligence agencies has actually shrunk, contrary to the Pentagon's earlier insistence otherwise.

The Defense Enhanced Cybersecurity Services (DECS) program has been touted as one way that the U.S. government can partner with private "critical infrastructure providers" to boost their online defenses. Under DECS, businesses pay their Internet service providers (ISPs) a fee to receive extra protection from specific threat signatures that have been identified by American spy agencies as being malicious. (Those signatures -- collected via secret means -- are given to the ISPs by the U.S. government.)

The program ran in pilot mode for nearly two years with 17 member companies subscribing, and it was opened up to a broader swath of companies last month.

However, several weeks ago, Rep. Mike Rogers (R-Mich.), chair of the House intelligence committee, claimed that, while DECS is a good idea, the program has been shrinking -- something the Pentagon denied. Until now.

"At the end of the operational pilot, one of the commercial service providers withdrew," a Pentagon spokesman explained in an Oct. 24 email. "During the operational testing of the pilot, five of the 17 DIB companies chose to withdraw and reallocate their resources to other corporate priorities."

That leaves 12 companies that are participating in the DECS program. Four of the five companies that quit during the pilot are considering rejoining a modified version of the program, according to DoD. These companies would cut out the ISPs as middlemen and receive threat signatures straight from the government, allowing them to monitor their own networks without paying the ISPs.

"Four of the five companies that withdrew are now reviewing the documentation for the permanent DECS component to determine whether to become an operational implementer, wherein they would be authorized to implement the services for their own networks," reads the email.

The Pentagon explained its earlier insistence that the DECS program still had 17 members by saying that, because the program consists of relationships between the defense contractors and their ISPs, DoD did not receive regular updates on how many companies were actually participating.

"Under DECS, the services are primarily a relationship between the companies and their commercial service providers," reads the email. "Participating companies are not obligated to report data about their participation on a regular basis. When DoD responded to queries from the press on the number of companies that were participating in the program early last week, DoD used the best information available at the time. Subsequent further direct engagement with each company resulted in the more specific count above. To support House Permanent Select Committee on Intelligence (HPSCI) inquiries, DoD contacted each of the original 17 pilot participants for feedback and status."

Meanwhile, the larger initiative to which DECS belongs -- the Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) program -- has been growing as advertised since it was opened to a large number of defense companies in May 2012, according to the Pentagon. DIB CS/IA allows for information sharing about cyber threats between defense companies and the government.

"Since May 2012, the DIB CS/IA program has expanded from 34 to 65 companies, with new companies joining every week," read the spokesman's email. "In addition, since DoD recently finalized the processes for DIB CS/IA participants to join DECS, DoD continues to inform DIB companies of the availability of the services offered in the baseline DIB CS/IA program and the enhanced services under DECS."
