By John L. Guerra
Editor, GRC & Fraud Software Journal
The White House Cybersecurity Policy Directive, announced last month, is the federal government’s latest attempt to unify efforts among federal agencies, law enforcement and private businesses that have been hit by a breach, data theft or another network-crippling event.
Tough issues prevent real collaboration among these arms: businesses are uncomfortable sharing proprietary information with the government and law enforcement, and the idea of federal agencies leaping into effective action in the hours after an especially big breach is hard for executives to imagine.
The document does spell out the hierarchy of efforts within the federal government and calls for especially close coordination between the public and private sectors. The directive also creates a Cyber Unified Coordination Group (UCG) that “coordinates response among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts,” the directive states.
The FBI is the lead federal agency for investigating criminal and national security hacks. The Department of Homeland Security has the baton in helping breached organizations reduce the impact of an event and prevent its spread. The Cyber Threat Intelligence Integration Center, or CTIIC, pools intelligence to help identify who directed an intrusion or attack.
But does the directive change anything?
We asked French Caldwell, chief evangelist of MetricStream, to weigh in on the directive.
Q: What does this mean for the private sector with federal contracts? Are they to comply with the directive if they use data from government servers in their contracts?
A: There’s nothing specific in the directive, but like other cybersecurity guidance, e.g., the Federal Information Security Management Act, you should expect that any contractors, research universities, and others that are operating under federal contracts will be required to meet the same standards as the agencies with whom they are affiliated.
Q: Do you see anything that is unrealistic or ungainly in the directive?
A: Absolutely. The expectation that a unified coordination group (UCG) can be stood up following an attack is totally unrealistic. When we have a plane crash, we know the National Transportation Safety Board will investigate.
When we have a natural disaster, we know FEMA will respond. But in the case of a major cyberattack, we’re expected to respond with a sandlot pick-up team. And only then, if two or more federal agencies agree.