“Aggressive timelines” facing Trump administration officials to comply with the directives of an executive order on cybersecurity have made it challenging to engage stakeholders on the “deliverables” required by the order, Tom McDermott, the Department of Homeland Security’s deputy assistant secretary-cyber policy, said today. But the initial round of deliverables — mainly reports that aim to present data to policy-makers — will be followed by additional steps that will include more interaction with stakeholders, Mr. McDermott said at a USTelecom cybersecurity policy forum.
The EO, issued about 70 days ago, requires a slew of reports from agency heads within 90 days that, among other things, document the “risk mitigation and acceptance choices made by each agency head” and any “strategic, operational, and budgetary considerations that informed those choices” (TR Daily, May 11).
The EO was more generous in how much time it gave the Commerce Department to work with the private sector to develop strategies to address botnets. The department’s National Telecommunications and Information Administration and National Institute of Standards and Technology were given a year for the anti-botnet effort.
The White House viewed botnets as a significant cyber threat that could actually be addressed through a multistakeholder approach without a lot of preliminary data-gathering, according to Rob Joyce, the White House cybersecurity coordinator.
The threat was illustrated by botnet attacks that harnessed “cheap, insecure” technology — mainly Internet of things devices — “to bring down significant parts of the Internet,” Mr. Joyce told the USTelecom gathering.
But the botnet problem is viewed as something that could be reduced significantly with collaboration between the federal government and the private sector, he said. NTIA has already issued a request for comments on ways to combat botnets and botnet-launched distributed denial-of-service (DDoS) attacks (TR Daily, June 13). Comments in that proceeding are due next week.
Other problems will be harder to resolve, Mr. Joyce indicated. Getting critical infrastructure sectors to work together during a major cyber attack is one of the administration’s goals, he said, and that will require exercises that involve multiple sectors so that the power industry, telecom companies, and others know what to expect.
Kiersten Todt, who was executive director of the President’s Commission on Enhancing Cybersecurity under the Obama administration, made a similar point. “Government does incident response really well,” she said, but more “pre-event collaboration” is needed. —Tom Leithauser, email@example.com