President Obama recently signed several cyber bills directed at promoting standards, improving cybersecurity in the government, and helping the private sector develop jobs in the cybersecurity space. While these bills do not address all of the cyber challenges we face, they clearly signal that the federal government will invest, and will encourage others to invest, in improving cybersecurity. The means include increased pay for cybersecurity workers, voluntary technical standards, information sharing, federal research and development, and education and workforce development.
S. 2519, the National Cybersecurity Protection Act of 2014, addresses information sharing via changes to the National Cybersecurity and Communications Integration Center, or NCCIC. The NCCIC is a “24×7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement” that “shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions.” S. 2519 designates certain functions to the NCCIC, including:
(1) being a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities;
(2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities;
(3) coordinating the sharing of information related to cybersecurity risks and incidents across the Federal Government;
(4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors;
(5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cybersecurity risks and incidents; and
(B) sharing the analysis conducted under subparagraph (A) with Federal and non-Federal entities;
(6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cybersecurity risks and incidents, which may include attribution, mitigation, and remediation; and
(7) providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including information and recommendations to–
(A) facilitate information security; and
(B) strengthen information systems against cybersecurity risks and incidents.
This law also added certain principles for the NCCIC, including that it will ensure:
(1) to the extent practicable, that–
(A) timely, actionable, and relevant information related to cybersecurity risks, incidents, and analysis is shared;
(B) when appropriate, information related to cybersecurity risks, incidents, and analysis is integrated with other relevant information and tailored to the specific characteristics of a sector;
(C) activities are prioritized and conducted based on the level of risk;
(D) industry sector-specific, academic, and national laboratory expertise is sought and receives appropriate consideration;
(E) continuous, collaborative, and inclusive coordination occurs–
(i) across sectors; and
(ii) with–
(I) sector coordinating councils;
(II) information sharing and analysis organizations; and
(III) other appropriate non-Federal partners;
(F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cybersecurity risks and incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient; and
(G) the Center works with other agencies to reduce unnecessarily duplicative sharing of information related to cybersecurity risks and incidents;
(2) that information related to cybersecurity risks and incidents is appropriately safeguarded against unauthorized access; and
(3) that activities conducted by the Center comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons.
S. 2521 made changes to the Federal Information Security Management Act, or FISMA, and covers topics such as standards, annual independent assessments, and breaches.
S. 1353 grants authorization to NIST for the development of voluntary cybersecurity standards, and also addresses: federal research and development; the review of existing cybersecurity modeling and test beds; education and workforce development, including through cybersecurity competitions and challenges; and the advancement of cybersecurity technical standards.
H.R. 2952 is the Cybersecurity Workforce Assessment Act, which is aimed at enhancing the cybersecurity strengths of DHS, including through certain assessments and the creation of a strategy.
S. 1691, a bill that addresses the pay of Border Patrol Agents, also addresses cybersecurity recruitment and retention in DHS.
As cybersecurity becomes more and more critical, and the federal government takes steps to promote economic development around cyber, several regions of the country stand ready to help, including San Diego. The Cyber Center of Excellence, or CCOE, is one of the organizations ready to help. According to Rear Adm. (ret) Ken Slaght, Co-Chair of CCOE, San Diego is uniquely positioned to help provide support for the cyber effort contemplated in these new laws because “this public-private partnership promotes alignment and collaboration within the cyber community. By capitalizing on San Diego’s unique strengths in this growing and future-oriented field, the CCOE aims to accelerate the regional economy by: fostering cooperation through the established cyber community here; attracting and nurturing talent; and creating new opportunities for business.”
San Diego has a unique and diverse set of cyber security companies, but a particular strength is analytics. Information sharing and real-time utilization of threat data are key issues as cyber-attacks become more sophisticated, and this is a core competency of San Diego’s most successful threat detection companies such as FICO, which enables a banking data consortium for fraud threat sharing, used to develop and continually refine real-time analytic models.
As cyber security continues to dominate the news, watch for San Diego to be a strategic asset in our nation’s response.