Michael Daniel

Announcing the First Federal Chief Information Security Officer

In February, President Barack Obama announced a Cybersecurity National Action Plan (CNAP) that takes a series of short-term and long-term actions to improve our cybersecurity posture within the Federal Government and across the country. The CNAP builds upon a comprehensive series of actions over nearly the last eight years that have fundamentally shifted the way we approach security in the digital age and raised the level of cybersecurity across the country. While we’ve seen progress, and as the President has made clear on many occasions, there’s much more to do. That’s why we are proud to announce Brigadier General (retired) Gregory J. Touhill as the first Federal Chief Information Security Officer (CISO).

A key feature of the CNAP is creation of the first CISO to drive cybersecurity policy, planning, and implementation across the Federal Government. General Touhill is currently the Deputy Assistant Secretary for Cybersecurity and Communications in the Office of Cybersecurity and Communications (CS&C) at the Department of Homeland Security (DHS), where he focuses on the development and implementation of operational programs designed to protect our government networks and critical infrastructure. In his new role as Federal CISO, Greg will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale, together with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies. Greg will lead a strong team within OMB that has been at the forefront of driving policy and implementation of leading cyber practices across federal agencies; it is the same team that conducts periodic CyberStat reviews with federal agencies to ensure that implementation plans are effective and achieve the desired outcomes.

Talking Cybersecurity

Cybersecurity touches so much of our lives now that we need a rich and continuing dialogue that includes the broadest possible set of stakeholders. In an overall strategic context, I think that we need to continue to work on how we can flip the economics of cyberspace; specifically, how we can change our overall approach to cybersecurity to more directly address economic and human behavioral factors.

For example, we need to figure out how to use economic incentives to create a market for systems that are secure by default and that increase the cost of conducting malicious activities in cyberspace. In the end, what makes cybersecurity hard are its non-technical aspects. As a result, cybersecurity requires a holistic approach that takes into account human behaviors and economics, as well as the technical factors.

[Daniel is the White House Cybersecurity Coordinator]

Assessing Cybersecurity Regulations

Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” called on Executive Branch agencies to assess whether and how existing cybersecurity regulation could be streamlined and better aligned with the Cybersecurity Framework launched in February 2014.

The EO directs Executive Branch departments and agencies with responsibility for regulating the security of private-sector critical infrastructure to: (1) assess the sufficiency of existing regulatory authority to establish requirements based on the Cybersecurity Framework to address current and projected cyber risks; and (2) identify proposed changes in order to address insufficiencies identified.

The Cybersecurity Framework articulates a risk management approach based on best practices and globally recognized standards. It is a voluntary tool that organizations can use to strengthen cyber risk management.

After extensive research, we determined that the following departments and agencies were required to submit reports: Environmental Protection Agency (drinking water and waste-water), Department of Health and Human Services (medical devices, electronic health records, health exchanges), and the Department of Homeland Security (chemical facilities and transportation).

A Major Win for the Open Internet

As Virgilio Almeida, one of Brazil’s leading Internet scholars and chair of NETmundial, brought NETmundial to a close, the US government delegation rose in applause. And almost everyone else in the room rose with us.

We rose to affirm the Multistakeholder Statement of São Paulo, the ideas it presents, the ideals it embraces, and the multistakeholder process that made it possible. We rose out of appreciation for the Brazilians and the Internet community leaders who brought us together and impressively managed a challenging conversation. And we rose in joint commitment to preserving, promoting, and expanding the benefits of a single, interoperable, open, and global Internet for all of the world’s people.

NETmundial clearly demonstrates the suitability of the multistakeholder approach over intergovernmental discussion to address Internet governance issues. We will carry this experience forward as we approach upcoming multilateral events like the International Telecommunication Union (ITU) Plenipotentiary Conference in Korea in October, where we will work to ensure that the ITU remains relevant and responsive to the evolution of technology in its traditional areas of competence, and leaves issues such as Internet governance to the fully capable global multistakeholder community.

[Michael Daniel serves as Special Assistant to the President and White House Cybersecurity Coordinator. Lawrence Strickling serves as Assistant Secretary of Commerce for Communications and Information and Administrator, National Telecommunications and Information Administration. Ambassador Daniel A. Sepulveda serves as US Coordinator for International Communications and Information Policy at the US Department of State. Christopher Painter serves as Coordinator for Cyber Issues at the US Department of State. Scott Busby serves as Deputy Assistant Secretary of State for Democracy, Human Rights and Labor]

Heartbleed: Understanding When We Disclose Cyber Vulnerabilities

[Commentary] In early April, the National Security Agency sent out a tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed. While we had no prior knowledge of the existence of Heartbleed, this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public.

But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:

  • How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the US economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we use the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

[Daniel is Special Assistant to the President and the Cybersecurity Coordinator]

Supporting an Open and Inclusive Internet in Brazil

[Commentary] We head to Sao Paulo, Brazil, to attend NETmundial, a global meeting of governments, entrepreneurs, academics, Internet institutions, activists and users to discuss the future of Internet governance.

Over two days delegates will discuss and work toward developing a set of principles to guide international Internet governance activities in the future.

The United States will work with other delegations to expand the community of individuals, organizations, firms, and governments who are willing to put their faith in the proven multi-stakeholder system of cooperation and coordination; this system has enabled the unprecedented growth of the global Internet, which in turn has fueled economic development and innovation.

Along with most of the world’s Internet advocates and users, we believe that no one stakeholder or group of stakeholders, including governments, should have control over the operation or protocols of the Internet or the creativity, innovation, and freedom of expression that it enables. We are optimistic that NETmundial will make an important contribution to the positive evolution of the Internet and its governance, and we support efforts at NETmundial and beyond to preserve an open, inclusive, resilient, interoperable, and innovative global Internet.

[Daniel serves as Special Assistant to the President and White House Cybersecurity Coordinator; Strickling serves as Assistant Secretary of Commerce for Communications and Information and Administrator, National Telecommunications and Information Administration; Ambassador Sepulveda serves as US Coordinator for International Communications and Information Policy at the US Department of State; Painter serves as Coordinator for Cyber Issues at the US Department of State; Busby serves as Deputy Assistant Secretary of State for Democracy, Human Rights and Labor]