Outreach and Policy Discussions at the RSA Conference

Last week, I had the privilege of speaking with thousands of cybersecurity practitioners and stakeholders at the 2013 RSA Conference USA in San Francisco, CA.  

The conference was an ideal venue for discussing the President’s new Executive Order on Improving Critical Infrastructure Cybersecurity (E.O. 13636) that was announced in this year’s State of the Union address. The E.O. will be the catalyst for a variety of new initiatives to develop cybersecurity standards, improve public-private information sharing, and ensure privacy and civil liberties protections.  With so many cybersecurity professionals in one place, I and several senior leaders from the Department of Homeland Security and the Department of Commerce were able to provide in-depth explanations of the E.O., answer questions on its implementation, and engage with industry partners on how they can help. 

I was truly gratified by the overwhelming response that we received and believe that our extensive outreach to industry while crafting the E.O. was critical. We cannot succeed in implementing the E.O. without active participation in developing the Cybersecurity Framework by our partners in industry, academia, and state and local government, who provide the expertise needed to develop the core practices for securing the nation’s critical infrastructure. My many discussions over the course of the week with these key stakeholders confirmed that we are fortunate to have a wealth of cybersecurity knowledge and experience poised to help in this regard. I look forward to continuing this rich dialogue with our partners over the coming year as the National Institute for Standards and Technology (NIST) coordinates the national effort to build the Cybersecurity Framework. (Anyone interested in being a part of this effort can engage with NIST through their website.)

In addition to discussing the new E.O., I also gave a speech on the current policy dialogue regarding the appropriate role of government in preparation and response to cyber incidents. While the government is here to be a backstop for catastrophic incidents and will act to protect U.S. national interests – whether in cyberspace or otherwise – it cannot and should not respond to the every one of the daily network intrusions and disruptions that are now sadly a part of the “new normal” of operating in cyberspace.  Network owners must invest in and maintain up-to-date cyber protections for their information and systems. But what is the optimal balance between federal assistance and private responsibility?  We will continue this policy discussion while implementing the new E.O. and encouraging Congress to pass cybersecurity legislation to fully address the threats we face.

At the conference, we were also able to announce the latest results in measuring federal progress against the Cybersecurity Cross Agency Priority (CAP) Goal. This incremental step is an important one in providing transparency and driving results for improving the security of federal systems and information.

Finally, I had many opportunities to discuss the Administration’s strategic priorities for securing cyberspace. I listened to a number of good ideas on best practices and lessons learned, and will look into putting good ideas into practice. I hope to continue discussions with all interested parties on ideas for improving the nation’s overall cybersecurity posture.

Overall, it was a great week at the RSA Conference. With the many cybersecurity initiatives the Administration has underway, I anticipate having a lot to discuss with the cybersecurity community next year, too.