by Charles Brooks, Featured Contributor
At the recent 2014 Aspen Ideas Festival, Tom Kean, former 9/11 Commission Chairman and Governor of New Jersey, noted that the cybersecurity threat has grown exponentially since the original 9/11 Commission Report was issued.
The Governor is right: much has changed in the last decade. While dire terrorism threats remain, cyberterrorism and cybercrime have risen to become persistent, sophisticated, and dangerous threats to security and commerce.
The new reality is that almost all of our critical infrastructures operate in a digital environment, including the health care, transportation, communications, financial, and energy industries. While the information technology landscape has greatly evolved, so have the vulnerabilities. Ten years after 9/11 we are all reliant on the Internet’s connectivity for vital human services in almost every aspect of our daily lives.
In addition to its primary role in combating terrorism, the Department of Homeland Security (DHS) has assumed the lead civilian agency role in government for addressing cybersecurity. The agency’s role has evolved in correlation with the growing and complex threat, especially to the critical infrastructure.
Developments in the last few years have shaped DHS’s policy role. In July of 2010, the Office of Management and Budget (OMB) assigned DHS primary responsibility for overseeing the federal-wide information security program and evaluating its compliance with the Federal Information Security Management Act (FISMA) of 2002. As a result, DHS became responsible for overseeing the protection of the .gov domain and also for detecting and responding to malicious activities and potential threats. DHS was also charged with annually reviewing the cybersecurity programs of all federal departments and agencies.
In October of 2012, President Obama issued an Executive Order further delineating DHS’s increased cybersecurity role toward developing standards and enhancing information sharing with critical infrastructure owners and operators. The Executive Order was aimed at identifying vulnerabilities, ensuring security, and integrating resilience in the public/private cyber ecosystem and had three areas of major focus: 1) Increase information sharing with the private sector, including classified cyber threat data; 2) Create a voluntary framework based on industry best practices to improve the cybersecurity of critical infrastructure providers; and 3) Protect privacy and civil liberties throughout the sharing and framework. DHS created eight working groups to implement the Executive Order.
Since most of the critical infrastructure in the US is owned and operated by the private sector, DHS recognized the importance of private-sector input into cybersecurity strategies and requirements across industry verticals. The Council on CyberSecurity has played a key role in facilitating this dialogue.
Last year, The Council on CyberSecurity, through collaboration between the public and private sectors, assembled a list of 20 Critical Security Controls that provides an emerging framework for protecting the critical infrastructure. The list is a recommended set of actions for cyber defense that provides specific and actionable ways to stop today’s most pervasive attacks. The Controls were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.
Governor Kean and members of the 9/11 Commission also recognized that DHS and the public need to be proactive rather than reactive to cyber-attacks against sensitive networks. The public and executive management in industry need to be educated on the threats and share information and protocols with the government to mitigate cyber threats to critical infrastructure. The Council on CyberSecurity’s important work in the cyber domain and especially on Critical Security Controls can be a guiding path to making the homeland more secure and resilient in the next decade to the growing cybersecurity threat.
About the Author: Charles (Chuck) Brooks serves as Vice President/Client Executive for DHS at Xerox. Chuck is also a member of The Council on CyberSecurity’s Expert Security Controls Panel. He served in government at the Department of Homeland Security as the first Director of Legislative Affairs for the Science & Technology Directorate. Chuck also spent six years on Capitol Hill as a Senior Advisor to the late Senator Arlen Specter and was Adjunct Faculty Member at Johns Hopkins University where he taught homeland security and Congress. Chuck has an MA in International relations from the University of Chicago, and a BA in Political Science from DePauw University. Chuck is widely published on the subjects of innovation, public/private partnerships, emerging technologies, and issues of cybersecurity.
Editor’s Note: This article originally appeared on Council on CyberSecurity and is featured here with permission from the author.