Inside Cybersecurity


ISA's Clinton applauds administration embrace of cyber 'risk management'

By Charlie Mitchell / June 14, 2018

Internet Security Alliance president Larry Clinton strongly praised new DHS under secretary Chris Krebs' embrace of a cyber risk management approach while arguing that the administration's strategic efforts are adding up to an important evolution in cyber policy.

“The Trump administration is going in the right direction on many aspects of cybersecurity,” Clinton told Inside Cybersecurity. He cited the 2017 Trump executive order, the recently released Department of Homeland Security cyber strategy document and the new botnet report, among other steps, that incorporate a risk management approach to cyber.

Krebs, in his first public appearance after being confirmed Tuesday as head of DHS' National Protection and Programs Directorate, said Wednesday at the Forcepoint-Cyberscoop “Cybersecurity Leadership Forum” in Washington, DC: “There is a nasty rumor in town that there is no cybersecurity leadership.”

“There is a plan … there is a strategy,” Krebs said, while pointing to new “clarity” around NPPD’s mission as “the lead for national risk management.”

Clinton, commenting on the administration's overall cyber approach as reflected in a series of recent reports, said: “The development of a more sophisticated model to understand cybersecurity -- actual risk management -- is very good. I see an emerging coherence … there is a very positive consistency within all of these reports,” reflecting “adoption of a true risk-management approach to cybersecurity.”

Concerns -- and skepticism -- about the federal government's articulation and implementation of a cyber strategy have been voiced publicly and privately within industry, among cyber professionals and on Capitol Hill.

The criticism has been fueled by steps such as elimination of the White House cyber coordinator position.

Melissa Hathaway, a senior White House cybersecurity official in the George W. Bush and Obama administrations, cited a disconnect between the recent batch of Trump executive order-inspired strategic documents and the scale of the cyber threat. She also flagged the White House Office of Management and Budget-DHS report finding that 71 of 96 agencies “are either at risk or high risk.”

“I do not believe that there is a strategy and I am really disturbed with the OMB risk report -- 96 [agency] reports that show that 74 percent of the USG institutions are either at risk or high risk,” Hathaway said in an email response to Inside Cybersecurity. “When coupled with the announcement that Russia is deliberately targeting our critical infrastructures -- I have to conclude that we are not serious -- and the complacency regarding what I believe to be an existential threat, is remarkable. We need, what my old boss would say, [is a] '2x4 shampoo' and get some honest leaders dedicated to the situation.”

Clinton said he agreed with the assessment of the Russia threat, adding that “I wouldn't put any distance between myself and Melissa.” But he added that the scorecard cited by OMB-DHS is based on a “checklist model” that poorly reflects cyber efforts or needs.

The real progress, Clinton said, has been in framing the way the government sees its engagement with industry and its growing embrace of a forward-looking risk management model both for its own networks and in collaborating with the private sector.

“I see prioritization” in the DHS strategy, the botnet report, the recent update to the National Institute of Standards and Technology's framework of cybersecurity standards, and in the underlying Trump executive order, Clinton said.

“DHS is reaching out to the private sector,” Clinton said, adding that “substantive policy discussions are underway.”

Clinton concluded that “a lot of this is carried over from the Obama administration -- and that's very powerful, it's an enhancement of the consensus approach to cybersecurity.” -- Charlie Mitchell (cmitchell@iwpnews.com)