Organizations — whether government agencies or private businesses, large or small — have all become “literally blind” to their risk of cyberattacks, according to the director of the Department of Homeland Security’s Cyber Joint Program Management Office.
Mike Echols, who is DHS’ point person for implementation of President Barack Obama’s February 2015 cybersecurity executive order, spoke Tuesday about how neither the public nor private sector have done enough to reduce the scope and speed at which hackers can infiltrate critical systems.
Echols spoke at the Association of Government Accountants’ Financial Systems Summit, echoing what has been said many times by cybersecurity experts: The criminals are moving faster than the cybersecurity cultural changes that need to happen inside both business and government.
“We’re not moving as fast as the cyber criminals,” Echols said. “The speed at which we are rolling out our programs and aligning our value systems between small businesses, federal agencies and big businesses is moving a lot slower than the people who are trying to attack us.”
The executive order Echols is responsible for created information sharing and analysis organizations, or ISAOs, stood up for groups of companies to better collaborate with DHS’ National Cybersecurity and Communications Integration Center, or NCCIC. It also provided more clearances for private sector executives who need access to classified information that was not previously shared in public-private partnerships.
These organizations differ from information sharing and analysis centers, or ISACs, in that they are not restricted to what DHS considers to be the 16 sectors of U.S. critical infrastructure. Echols said since the order was signed, he has seen ISAOs created by engineers focusing on automotive hacks, casino owners and CISOs who work in the same cities or towns. He also said federal agencies have even inquired about creating their own ISAOs.
“[Federal agencies] see an opportunity to connect in way with the private sector that they have not been connected to,” he said. “By doing this over a period of time, we expect that we will go from 16 ISACs to potentially 500 ISAOs.”
Yet outside of standing up ISAOs, organizations — particularly small businesses — are not willing to spend money on cybersecurity despite the fact that affordable systems geared toward small business exist in the marketplace.
“We talked to everybody — the Northrop Grummans, the Lockheeds, the Accentures, the Ernst & Youngs, the Symantecs, the McAfees, the Trend Micros — there are tons of scalable and affordable systems and solutions, the businesses just are not finding them,” he said. “The value prop is not there. They would rather hire an employee than pay for cybersecurity.”
Even with the solutions available, Echols said another key component that needs to change is culture around cybersecurity. He called on organizations to find “cybersecurity heroes” who will either call peers out on the carpet for practices like sharing passwords or think about cybersecurity as companies develop new products or services.
“These people who could probably lose their livelihoods, they don’t understand the threat to their livelihood,” he said. “That’s probably the same case across the government, probably the same case with large companies that perform critical functions.”
Echols said he hopes the ISAOs could eventually teach both the government and business to move toward a holistic security presence before they wind up becoming the next Sony Corp. hack or Office of Personnel Management breach.
“Cybersecurity has become everyone’s business,” he said. “Even if you have all the [Federal Information Security Management Act] compliance in place, you might still end up sitting in front of Congress because there are systems in play, partnerships in play that actually increase your risk.”
Contact the reporter on this story via email at email@example.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.