Government officials on Thursday took to the Hill to fill Congress in on their progress developing the voluntary cybersecurity framework President Barack Obama called for in his February executive order.
The framework is well on its way and has continuously solicited input from industry and the public, said officials from Homeland Security and the National Institute of Standards and Technology. But members of the House Homeland Security Committee's cybersecurity subcommittee were more apprehensive: Will the framework infringe on individual civil liberties? Will "voluntary" slowly morph into mandatory?
Obama’s executive order was intended to expand information sharing about cyberattacks, identify the country’s critical infrastructure susceptible to cyberattacks and — most notable Thursday — create a voluntary framework for cybersecurity standards.
In October, NIST will release that voluntary framework based on four workshops (three of which span three days) bringing together industry, academia and government. Before the first workshop, NIST also accepted public comments, 244 in all — “Some as brief as a few sentences as well as some so comprehensive they ran over 100 pages,” said Chuck Romine, director of the Information Technology Lab at NIST.
“We’ve had vigorous discussion and vigorous debate,” he added. “We’ve achieved a lot of consensus over a short time on a framework.”
DHS has also worked alongside NIST to identify private industry infrastructure “where we think a cyber incident can cause significant economic damage or have national security implications,” said Robert Kolasky, director of the Implementation Task Force for the National Protection and Programs Directorate at DHS.
It's a small list, Kolasky said, and he was "confident" in the cybersecurity progress those industries have already made in securing their critical infrastructure.
While the subcommittee lauded the agencies' efforts to engage industry and the public, Rep. Yvette Clarke, D-N.Y., wanted to know what steps were being taken to ensure the framework would not encourage the collection of personal information, which in her opinion would be a civil-liberties infringement.
Romine pointed to specific breakout sessions on privacy and civil liberties that NIST held during its San Diego workshop last week. NIST is also working with the Information Security and Privacy Advisory Board, which meets quarterly to advise NIST and other agencies on privacy concerns. Moving forward, Romine said NIST is also "hoping to engage" the executive branch's Privacy and Civil Liberties Oversight Board, which serves much the same purpose.
Kolasky echoed Romine’s comments: “We want to bake privacy and civil liberties into all the work we do.”
Subcommittee Chairman Pat Meehan, R-Pa., repeatedly returned to his main concern: that the framework would be voluntary in name only. It's a concern shared by a number of lawmakers representing regions with critical infrastructure industries. The Senate only heightened that fear when it included the voluntary framework in a cybersecurity bill it introduced July 11.
"I'd like to explore the extent to which people see this framework as the basis for further activity," he said. "I'm aware of a number of 'shalls' in the executive order."
Kolasky countered: "I can speak with certainty DHS is viewing this as voluntary." Romine seconded his sentiment, pointing to NIST's long history of developing voluntary standards in cooperation with industry.