NSTAC Report Seeks 'Urgent Action' on Cyberthreats, Better Coordination

The administration looked closely at “decades' worth” of work by NSTAC as it nears release of the strategy, said Rob Knake, acting principal deputy to the national cyber director. The strategy is “in its final stage of review and is expected to be released soon,” he said. “When it is, you will see much of your work reflected in it,” he told NSTAC.

Brandon Wales, executive director of the Center for Internet Security, said industry and government made “tremendous progress” on cybersecurity over the past year. “There has been certainly more focused, robust collaboration between the public and private sector in deterring and responding to recent and emerging cybersecurity threats,” he said.

“Sustained effort, especially within the federal government, is required to research, deploy and operationalize security technologies,” said Scott Charney, Microsoft vice president-security policy, who presented the report approved Tuesday.

Communications systems are subject to “continuous and expanding cyber threats,” the report says: “With some systems becoming obsolete, software components being increasingly reused, systems becoming more complex with more permeable boundaries, and IT and [operational technology] environments increasingly connected, defenders need to take urgent and sustained action to mitigate risks.”

The report stresses the importance of government involvement at the highest levels. “White House visibility into and prioritization of security issues facilitates increased interagency collaboration and improved public-private partnerships that can significantly advance cybersecurity outcomes,” it says. The report also stresses the importance of developing consensus-based standards and calls for cooperation between industry and the government.

“Focus on simplicity, consistency, and harmony in setting purchasing standards, thus making it easier for vendor communities to prove their products and services satisfy requirements,” the report advises the government: “Evaluate and adjust … compliance programs to recognize and accept consensus standards and machine-readable records; and move towards compliance schemes that increase the use of automation and the reuse of compliance artifacts, and that use process- or framework-based evaluations versus point in time certifications.”

NSTAC also got an update by leaders of its new Addressing the Misuse of Domestic Infrastructure by Foreign Malicious Actors Subcommittee. A report is due in August. Subcommittee co-Chair Hock Tan, Broadcom CEO, said the initial focus is determining the project's scope. “This tasking from the president is timely,” Han said.

The subcommittee will take a close look at “various factors that unintentionally aid and abet the ability of foreign actors to unleash cyberattacks,” Tan said. It will examine how U.S. laws and regulations help, or slow, government efforts to respond to attacks, he said. “The U.S. government depends on the private sector to initiate preventive actions and to share information,” he said. The first line of defense is usually voluntary action or reaction by companies, he said.

The subcommittee needs to develop a better understanding “of the scope of the issue from the government’s perspective,” said co-Chair Stephen Schmidt, Amazon chief security officer. If the group doesn’t do a good job of defining the scope, “I worry we’ll risk including topics which fall too far outside the original core issues,” he said: “We need to have a better handle on what the government is most concerned about, so we can consider what else the private sector can do to address these concerns.”

The topics being addressed by NSTAC “closely align [with] and support the priorities of this administration, and we appreciate the hard work that goes into digging into these tough issues,” said Steve Kelly, special assistant to the president-cybersecurity and emerging technology.