On short notice, the White House gathered a distinguished group of industry, academic and government types for a one-year anniversary of the President’s speech on cyber, hosted by Howard Schmidt. The President spoke for 10 minutes as well. No press attended, but an attendee gave me this summary of the event. A lot of what was said was known to all, but it was interesting to hear how they are bringing it together — especially the emphasis on industry partnerships, which every speaker (including the President) emphasized.
The main attendees, besides the POTUS, were: Howard Schmidt; DHS Sec. Napolitano; DoC Sec. Locke; Dep SecDef Lynn; and FCC Chair Julius Genachowski. A good number of the attendees were staff from Schmidt’s office, as well as from DHS, OMB, OSTP and DOD. If there were Hill staffers there, they were not in evidence.
Howard Schmidt opened up by talking about four thematic areas his office is pursuing:
1) Raise price of success for adversaries (legal penalties, increasing cost to attack by harder targets)
2) Resilience/recovery after an incident
3) Protecting privacy and civil liberties, and
4) Industry partnerships – (on info sharing, introducing new technology, technological vulnerability reduction, and specifically, on the National Incident Response Plan, National Cyber & Communications Incident Center, and National Strategy on Trusted Identities in Cyberspace).
Schmidt later talked about the need to move from strategy to action, including through cooperation with Cyber Command and moving FISMA from reports to continuous monitoring and practical metrics. He asked for involvement in Cyber Awareness month this October.
Sec. Locke then spoke about the issue’s importance across DOC, especially at NIST and NTIA. His main points included:
- Cyber is about confidence (consumers, businesses, military/trade secrets)
- NTIA recently led activity to install DNSSEC at the root of the domain name system, working with ICANN and Verisign
- NIST is working with NSA to reconcile civilian and national security cyber standards
- DoC wants to lead in working with industry to identify best practices
- They are working with wireless groups on mobile computing security
- NIST is leading the new version of the CNCI education initiative, the National Initiative on Cybersecurity Education or “NICE” (this also involves DHS, ED, DOL and OPM)
- DoC is convening an Internet policy task force, addressing, among other things, privacy, copyright, ecommerce
- Regarding cybersecurity, there will be a 7/27 symposium and comments on cyber policy
- Locke sees the private sector as a creator/innovator; the relationship should not be adversarial
The President then arrived, previously unannounced. He was accompanied by Dep National Security Advisor John Brennan. He spoke generally without notes and talked knowledgeably about his emphasis on cybersecurity, working through Howard’s leadership. He cited the economic and social benefits of the internet and the need to protect that resource, in consultation with industry. He then discussed progress on a number of specific initiatives, including:
- NSTIC
- plan/capacity for unified incident response
- stronger partnerships
- R&D (broadband, health IT)
- cyber education
DHS Dep Under Sec Phil Reitinger then led a panel that included Ed Amoroso from AT&T, Curtis Brunson from L3, Edmund Schweitzer (electric industry), the CIO from St Judes on bioinformatics, Ari Schwartz from CDT, and Chris Painter, who is Schmidt’s Deputy.
The panel did not say much that was new, though Painter asked for industry input on how to harden targets, and made the point that we need to move the security action away from end users, as this will never be as effective as handling it earlier in the chain (e.g., among Tier one providers).
DHS Sec Napolitano closed by noting that cyber was one of DHS’ five key priorities, including protecting civilian networks and working to protect critical infrastructures. She noted that Einstein would be deployed in all agencies by year-end, but did not discuss Einstein 3. She then announced eight winners of the “Cyber Challenge” on how to raise awareness. Most were small entities or individuals, but Cisco and Deloitte were among the winners as well. There was some Q&A, during which Vint Cerf humorously apologized for not making the Internet more secure at the beginning.
I love celebrations, but we really need to move forward more aggressively. Thanks to my colleague who attended the event for the summary.