Calls have been made for the US Congress to work on and approve information security policies to enable a more secure environment.
Speaking in a session at the RSA Conference in San Francisco, James Lewis, senior fellow at the Center for Strategic and International Studies (CSIS), called for a review of Congress ahead of 2014, as he said it is "not working".
Making heavy reference to Obama's executive order and State of the Union address, Lewis said that the executive order will change the landscape and help address different challenges. “It might change in terms of thinking and give a new way to see networks. The task is in its implementation and we need to track this to see if it gets implemented,” he said.
Michael Daniel, special assistant to the US President and White House cyber security coordinator, said that cyber security has moved from 'techno geeks' into the interest of the C-suite and eventually government agencies and the US President.
He said: “Threats are growing as we hook more and more into the internet. It is not just code and worms and viruses, threats are becoming harder to detect, they are more dangerous and are moving up the spectrum. The environment is more dangerous and that is why Obama has moved into this space, the level of the threat demanded it.
“Sharing is about improving volume that we share with the public sector, there are three ways we are looking at this. The first is determining whether specific information can do a better job of pushing out to entities who are targeted or at a classified or unclassified level; the second is expanding enhanced cyber security services and setting up a programme to use classified information in a way to protect critical infrastructure; finally, the Department of Homeland Security secretary can clear people on the other side to deal with it.”
“The executive order is based on collaboration and the issue requires a whole government approach, no one division can do it by itself and we need to do it with state and local government. The executive order is a down payment on a lot of hard work to be done and on legislation, as we are limited as to what it can do, we definitely need Congress to act and update the statute to make progress on the cyber security front.”
Michael Chertoff, former US secretary of Homeland Security, said that as so much information is highly classified, it is hard to talk in concrete terms about values, but he welcomed a start on this "as things are getting worse and getting worse still".
He said: “This is not a full investment in what we need to do in cyber security, as we face accelerating threats. The executive order can tell government what to do and not the private sector, the programme is expanding to share information as usually it is classified, but to get an early warning on cyber security, we need to know how to get a safe space to share experiences with our colleagues. We are isolated, but the victim is empowered when you share in real-time.”
Asked by Lewis what the role for the Department of Homeland Security is going forward, Daniel said: “We will talk about the framework, we are used to working in an environment and intend to capitalise on our experience in that space, and we want to be open as the process develops. We want to link to the top five questions CEOs should be asking CISOs.
“In the next year we will focus on implementing the executive order and Presidential directive, and also see evolution of this both domestically and internationally, as that will be a critical issue.”
Chertoff said: “We have to enlist independent actors and make decisions on security and think about new architectures, there will be opportunities for creativity to create a focus and to get the attention of the decision makers.”