Editor's Note: This article was originally published on Aug. 25, 2014.
Michael Daniel was a long-time national security budget official at the Office of Management and Budget before being tapped in 2012 to oversee the interagency development and implementation of national cybersecurity strategy and policy, leading to President Obama's 2013 milestone signing of Executive Order 13636, entitled "Improving Critical Infrastructure Cybersecurity." In a recent interview with Federal Times Editor Steve Watkins, Daniel discusses cyber attacks and what challenges and progress still lie ahead. Following are edited excerpts:
I wanted to ask you about the latest news of the breach of 1.2 billion logins and passwords. Do we know in terms of what impact that might have in the federal space?
The first thing I would say is that obviously it's still in the very early stages of the investigation and we are trying to determine exactly the extent of what may have happened and what may have occurred. So we'll be reaching out to the company [Hold Security, the firm that discovered the theft] to try to understand what impact there might have been to federal websites where any of the credentials actually could have possibly come from federal websites; and then obviously to the extent that we have determined that has happened, we will take steps to mitigate that. But it does fit into a broader complex of agencies always have to be very vigilant about maintaining their site security and keeping their patches up to date and things like that.
Executive Order 13636 was a major milestone in terms of getting government prepared for cybersecurity. What is the status of its implementation, and what do you see ahead?
I actually think the implementation is going very, very well. The National Institute of Standards and Technology [NIST] Cybersecurity Framework, which was a hallmark of that executive order, came out on time, despite the fact that we had a government shutdown in the middle of development that cost us several weeks. And we're already getting a lot of good feedback from a variety of points of view, including different companies talking about how they're using it in their supply chain. Companies are developing products and services around helping other companies implement the framework. And we're already beginning to look at kicking off the more formal review of input on the framework and how we can evolve to the second version. In the executive order, we, of course, called for the framework to be updated periodically. So we're already beginning that process. I very much see the framework as a living document that will keep pace with the changes in security.
The other pieces of the executive order, including directions to share more information more rapidly with the private sector, are an ongoing work in progress. We continue to press forward with the privacy and civil liberties reviews as well, and we continue to look at things like the regulators making their reports on how the framework fits in with their regulatory frameworks that are already existing.
Can you discuss potential areas where we might see some revisions in the second version?
It's hard to say now because a lot of it is actually going to be informed by what industry tells us they have learned from actually trying to use the framework and implement it over the last nine months to a year. So, I don't want to give any projections until we see more of that. Clearly some of the areas that we acknowledge when we rolled out the framework, sort of how do you think about measuring the framework and other things if you're a company, and the other area is sort of sector overlays, how you adapt the framework for particular sectors. I would expect there to be some good commentary and feedback on both of those areas, but obviously industry can raise others as well.
How do you get more responsive communications with industry sectors, particularly those where critical infrastructure resides? What would you like to see in terms of a legislative fix?
The administration has been very consistent in its approach since 2011 of arguing that we need legislation to help address the issues related to information sharing. Not so much with the federal government pushing information out to the private sector, but enabling the private sector to share information back with the federal government and among private-sector companies. We continue to very strongly want to see legislation that will address those issues.
In the interim, we've done steps like encouraging and having the [Department of Justice] and the Federal Trade Commission issue guidance saying that companies sharing cybersecurity threat indicators amongst themselves is not an antitrust violation to encourage that kind of company-to-company sharing. And we continue to work on what we can do under executive authority to encourage information to come back into the federal government from the private sector.
But ultimately, we do probably need legislation to make some big changes there. We continue to work very closely with the Senate and various committees on the Hill to get legislation passed that the president can sign.
I recently heard Adm. Mike Rogers [director of the National Security Agency and commander of the U.S. Cyber Command] say he was meeting with the Department of Homeland Security and FBI to try to sort out some of the boundaries there. What is the status of defining roles and missions among federal players?
I think that the roles and missions are actually fairly well defined in many ways. What we're really talking about is the next level down — the term that is often used is CONOPS [concept of operations] — and how we're actually going to implement the broader policy. For example, clearly the Department of Justice, FBI, Secret Service and the law enforcement agencies have the lead for investigating cyber crimes. And DHS has the lead for mitigation efforts interfaced with our critical infrastructure to raise the baseline level of cybersecurity. And the Department of Defense is responsible for defending the nation against aggression in cyberspace, just like they are in real space.
So taking those broad concepts and translating them to what we do in specific incidents, and how we achieve the level of coordination inside the federal government that we need to, is still a work in progress. And that's why we are taking every opportunity to learn from incidents, get better at [it], and take the opportunities we have to practice.
Let's discuss the NSTIC, the National Strategy for Trusted Identities in Cyberspace. What is the status on the rollout of that stand and what challenges and obstacles do you see coming forward?
That's actually a really important effort and it goes back to the very first thing you raised today about the compromise of usernames and passwords. That is just another example in the long run of why we have to move beyond passwords as our primary cybersecurity mechanism. They're just not effective in the long run at securing people's information and securing our information in the way that we would like.
So the NSTIC is a really important effort to really jumpstart the private sector into providing different kinds of authentication, the way of doing your primary security mechanism. I think that program is really starting to show a lot of promise. There are several pilots that were begun several years ago that are really beginning to move into actual production; they're not just slideware anymore. People are actually able to use them. Some of them are on different scales than others. Some involve several hundred or several thousand people, but some of them are likely to scale up pretty rapidly.
A good one, for example, is for veterans to be able to use only one login ID from a third-party provider to access services across a wide range of government agencies so you don't have to maintain separate usernames and passwords for all those different agencies. That's a huge benefit. I really think in the next couple of years, you're really going to see some innovative ideas start to come to fruition, many of which were jumpstarted by the effort the federal government put into the NSTIC program.
Adm. Rogers discussed the Joint Information Environment as a critical step toward cybersecurity in the Defense arena, because it essentially consolidates all the many DoD infrastructures into a single IT backbone, which is easier to protect. Is there any discussion of doing something similar on the civilian side of government?
The Defense Department has a unique structure with its command and control capability to centralize things in a way that you cannot do on the civilian side for a whole variety of reasons. Unquestionably, though, we need to increase the level of cybersecurity of our civilian agencies, and we are working to try to give them the tools to do that. Some of those include continuous diagnostics and monitoring [CDM] capability that DHS can provide to agencies. That is a really valuable tool, because it lets you know what's happening to your network in real time.
There's the Einstein suite of sensors that are both intrusion-prevention and intrusion-detection systems. They have really helped the agencies scale up beyond just commercial-grade anti-virus and firewall protection.
Then there's just the civilian agencies taking a look at their networks and making sure they understand what they have and where it is and really doing the hard work of making sure your software is up to date, making sure your patches are up to date and doing all of those basics that really have a huge impact on your cybersecurity. If you look at any of the private-sector reports that come out on this, whether you are talking about the Verizon report or the one that Symantec does, all of them show that intruders overwhelmingly still rely on known, fixable vulnerabilities. So, if you plug those holes, you are going to get a very large percentage of the cyber intruders.
Do you have any assessment as to how extensive those fixable vulnerabilities are within the federal space?
I think that's one of the reasons why we want to continue to modernize the Federal Information Security Management Act [FISMA] and really enable that to have a much more dynamic reporting process in there. Right now, it's one that's done on a paper basis every so many years. So, from our perspective, that's one of the reasons why we're trying to modernize that reporting requirement as much as we can outside of statutory changes. I think if we can do that, then we'll be able to put in place, again, the CDM capabilities [that] will start to give you a sense of where the federal government stands there. And as that capability rolls out across more of the federal enterprise, we'll be able to get a better picture of that.
I wanted to talk about Heartbleed for a second. You have said, in your recent keynote speech to the Gartner conference, that Heartbleed was really kind of the first high-profile example of the NIST cybersecurity framework in action. Can you discuss a little bit what refinements or lessons learned you may have taken away from that experience?
I think if you look at, not just Heartbleed, but a lot of the intrusions and vulnerabilities that occur, the first question you almost always have to ask yourself is: What is in the identified bucket, the identified category, of the framework? That is one of the key lessons that we have taken away and a very underappreciated part of the process: Knowing what information do I have as an organization, why do I care about it — in other words, how important is it to me? And then how do I care about it? Do I care about whether anybody sees it? In other words, is it personally identifiable information that I don't even want exposed to unauthorized users? Or is it that I really care more about the data integrity? I care very much about making sure that it's not changeable or messed with in any way. Understanding that really has an impact on how you go about building your defenses.
In the case of Heartbleed, the identified part was we realized we actually had to go out and figure out where in the government we were actually using OpenSSL as a security measure, and that, frankly, our level of understanding of that was not where it should have been prior to that incident. So it was a good lesson for us that [it is] really important that you actually understand both your information and what you're using to protect it.
One of the trends that is complicating the task of federal CISOs (chief information security officers) is the advent of mobility, as well as cloud. How does that fit into your portfolio and your initiatives?
From my perspective, the advent of mobile devices just continues to make the overall problem harder. But you can lump in there the Internet of Things. And we have moved from a world where we're trying to do cybersecurity with wired desktops to needing to do cybersecurity in a mobile cloud environment, just like the private sector. So it makes our problem harder, but, at the same time, it also provides some opportunities for baking in the security upfront. As we move into the mobile environment, we have an opportunity to do it better than when we did it with the wired desktop environment. And it's certainly part of what I have to work on because, just inevitably, what we're concerned about is the integrity and security of federal networks and federal information writ broadly, no matter what vector or pathway people choose to access that information.