<?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xml:base="https://obamawhitehouse.archives.gov/blog-daily-listings-rss/110256/posts" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:og="http://ogp.me/ns#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
  <channel>
    <title>Blog Daily Listings RSS</title>
    <link>https://obamawhitehouse.archives.gov/blog-daily-listings-rss/110256/posts</link>
    <description></description>
    <language>en</language>
     <atom:link href="https://obamawhitehouse.archives.gov/feed/blog/author/110256/posts" rel="self" type="application/rss+xml" />
    <item>
  <title>The President’s National Cybersecurity Plan: What You Need to Know </title>
  <link>https://obamawhitehouse.archives.gov/blog/2016/02/09/presidents-national-cybersecurity-plan-what-you-need-know</link>
  <description><![CDATA[<blockquote class="blockquote-2">
	I’m confident we can unleash the full potential of American innovation, and ensure our prosperity and security online for the generations to come.
	<div class="citation">
		<a href="http://www.wsj.com/articles/protecting-u-s-innovation-from-cyberthreats-1455012003">President Obama</a></div>
</blockquote>

<p>
	Today, President Obama is releasing the final budget proposal of his Administration. It&#039;s a strong reflection of what investments he believes will move our country forward and keep our country and the American people safe.</p>

<p>
	A key part of that involves the strength of our nation&#039;s cybersecurity. From buying products, to running businesses, to chatting with the people we love, our online world has fundamentally reshaped the way we live our lives. But living in a digital age also makes us more vulnerable to malicious cyber activity.</p>

<p>
	We have to adapt to this national threat. That&#039;s why President Obama has worked for more than seven years to aggressively and comprehensively confront this challenge. So today, he is directing the Administration to implement <a href="/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan">a Cybersecurity National Action Plan (CNAP)</a> -- the capstone of our national cybersecurity efforts.&nbsp;</p>

<p>
	<img alt="The President&#039;s CNAP" height="450" src="/sites/whitehouse.gov/files/images/cybersecurity_02092016_1.jpg" width="900" /></p>

<p>
	So what&#039;s the CNAP all about? How will the President&#039;s plan help you protect your identity? What&#039;s he calling for in his budget? &nbsp;Here are a few answers to some questions Americans might have about the President&#039;s plan to strengthen our cybersecurity:&nbsp;</p>

<h3 class="semibold">
	<strong>What are the cybersecurity threats we currently face?&nbsp;</strong></h3>

<p>
	From the beginning of his administration, President Obama has made it clear that cybersecurity is one of the most important challenges we face as a nation -- and for good reason. Criminals, terrorists, and countries that wish to do us harm have realized that attacking us online is often easier than physically attacking us in person.&nbsp;And with more and more sensitive data being stored online, the consequences of those cyber incidents are only growing more significant. For example, identity theft is now the fastest growing crime in America. Think about it: Are you on Facebook, or Venmo? Do you use DropBox?&nbsp;While tools like these make our lives much simpler and help power the innovation of today’s world, our personal information exists online in a way it never has before.&nbsp;</p>

<p>
	And remember the Sony hack? Our innovators and entrepreneurs have reinforced our global leadership and grown our economy, but with each new story of a high-profile company hacked or a neighbor defrauded, more Americans are left to wonder whether technology’s benefits could risk being outpaced by its costs.&nbsp;</p>

<p>
	The President believes that meeting these new threats is necessary and within our grasp.&nbsp;But it requires a bold reassessment of the way we approach security in the digital age and a significant investment to ensure we can implement the best security strategies. In short, if we’re going to be connected, we need to be protected. That’s what the CNAP is all about.&nbsp;</p>

<h3 class="semibold">
	<strong>What is the President’s Cybersecurity National Action Plan (CNAP)?</strong></h3>

<p>
	It’s the capstone of more than seven years of effort from this administration that takes near-term actions and puts in place a long-term strategy to ensure the federal government, the private sector, and American citizens can take better control of our digital security.&nbsp;</p>

<p>
	The President’s plan takes new action both&nbsp;now and in the long-term to help create the conditions we need to improve our approach to cybersecurity across the federal government, the private sector, and our personal lives. Here’s a brief look at what it does:&nbsp;</p>

<ul>
	<li>
		Establishes a <a href="/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity">Commission on Enhancing National Cybersecurity</a> that will bring top strategic, business, and technical thinkers from outside the government to make critical recommendations on how we can use new technical solutions and best practices to protect our privacy and public safety</li>
	<li>
		Transforms how the government will manage cybersecurity through the proposal of a $3.1 billion Information Technology Modernization Fund and a new <a href="https://www.usajobs.gov/GetJob/ViewDetails/428904900">Federal Chief Information Security Officer</a> to help retire, replace, and modernize&nbsp;legacy IT across the government</li>
	<li>
		Empowers Americans to secure their online accounts by using additional security tools – like multi-factor authentication and other identity processing steps – and by working with Google, Facebook, DropBox, Microsoft, Visa, PayPal, and Venmo to secure online accounts and financial transactions</li>
	<li>
		Invests more than $19 billion for cybersecurity as part of the President’s budget – a more than 35 percent&nbsp;increase from last year’s request to secure our nation in the future</li>
</ul>

<p>
	<a href="/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan">You can dig into all of the specifics of the CNAP here.</a></p>

<h3 class="semibold">
	<strong>What does his plan do to help protect my privacy online?&nbsp;</strong></h3>

<p>
	While there is no silver bullet to fully guarantee our data security, the President has done a lot to enhance security measures on a lot of our daily activities to protect our private information. Last year, he <a href="/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security">took executive action</a> as part&nbsp;of his BuySecure Initiative to help drive the market toward more secure payments by pushing companies to use microchips instead of magnetic strips or PINs on credit, debit, and other payment cards.</p>

<p>
	Building on those actions, the President called on Americans to think differently about how they log on. For example, instead of just a basic password, Americans should leverage multiple factors of authentication when logging in to online accounts. Have a Gmail account? <a href="https://www.google.com/landing/2step/">Check out</a> their two-step authenticator as a way to better protect your privacy.&nbsp;Are you on Twitter? Your&nbsp;account can&nbsp;have <a href="https://support.twitter.com/articles/20170388">two-step verification</a>, too.</p>

<p>
	Along with your personal information, it’s also important that you protect your financial transactions with businesses. As of today, we have supplied over 2.5 million more secure Chip-and-PIN payment cards, more than any other country in the world, and under his new plan&nbsp;we will also offer cybersecurity training to reach over 1.4 million small businesses.</p>

<p>
	We’re doing a lot to prevent cybercrime, but if you’re a victim of identity theft, you don’t have to deal with the consequences alone. Check out <a href="https://www.identitytheft.gov/">IdentityTheft.gov</a> to report identity theft, create a personal recovery plan, and print pre-filled letters and forms to send to credit bureaus, businesses, and debt collectors.</p>

<h3 class="semibold">
	<strong>What about the personal info I give the government to receive benefits or services it provides? Is that safe?&nbsp;</strong></h3>

<p>
	Make no mistake: safeguarding data in the possession of the U.S. Government, preventing its theft, and ensuring privacy is fundamental to preserving the trust of the American public. That is why the President directed&nbsp;the Administration to put in place a plan that will accelerate simple, secure, user-friendly access to public-facing consumer services and information -- like your tax data or benefit information -- while protecting your privacy. &nbsp;&nbsp;</p>

<p>
	And the President is <a href="/the-press-office/2016/02/09/executive-order-establishment-federal-privacy-council">setting up a Federal Privacy Council</a> to make sure that the government does a better job of protecting your privacy online.&nbsp;</p>

<h3 class="semibold">
	<strong>There are a lot of devices or systems that rely on an online network – like electric grids or some medical devices. What is the President doing to protect them?&nbsp;</strong></h3>

<p>
	This is a major national security and economic security issue and the President has been working since day one to ensure our systems are secure. &nbsp;That’s why he issued executive orders to protect <a href="/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">critical infrastructure in 2013</a> and <a href="/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari">information sharing in 2015</a>.&nbsp;</p>

<p>
	The President’s CNAP takes a few vital steps to enhance our resilience by creating a National Center for Cybersecurity Resilience where companies and sector-wide organizations can test the security of systems in a contained environment, such as by subjecting a replica electric grid to cyber&nbsp;attack.</p>

<p>
	It will also double the number of cybersecurity advisors available to help private sector organizations implement best practices. It ensures the U.S. government and industry partners develop a Cybersecurity Assurance Program to test and certify networked devices within the “Internet of Things,” whether they be refrigerators or medical infusion pumps, so that when you buy a new product, you can be sure that it has been certified to meet security standards. For a full rundown of what CNAP will do for our infrastructure, <a href="/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan">go here</a>.&nbsp;</p>

<h3 class="semibold">
	<strong>What about cyber criminals and bad actors? What is the President doing to go after them?&nbsp;</strong></h3>

<p>
	President Obama recently took executive action to provide the U.S. government with a way to prevent the worst cybercriminals around the world from damaging our critical infrastructure, disrupting or hijacking our networks, stealing trade secrets from American companies, or compromising the personal information of American citizens. It’s one of the latest tools to combat the most significant cyber threats, and <a href="/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know">you can read about it here</a>.&nbsp;&nbsp;</p>

<p>
	Building on that action, the Administration is increasing funding for cybersecurity-related activities by more than 23 percent&nbsp;for the Department of Justice, including the Federal Bureau of Investigation, to improve their capabilities to identify, disrupt, and apprehend cyber criminals and bad actors. We are also building a Cyber Mission Force that’s 6,200 people strong to support U.S. government objectives across the spectrum of cyber operations. The Cyber Mission Force&nbsp;will be fully operational in 2018.</p>

<p>
	But cybercrime knows no borders. We must pursue cybercriminals&nbsp;in concert with our allies and partners around the world to effectively deter and disrupt their malicious activities. In 2015, <a href="/the-press-office/2015/11/16/fact-sheet-2015-g-20-summit-antalya-turkey">members of the G20 joined with the United States </a>in affirming important norms, including the applicability of international law to cyberspace, the idea that states should not conduct the cyber-enabled theft of intellectual property for commercial gain, and in welcoming the report of a United Nations Group of Governmental Experts, which included a number of additional norms to promote international cooperation, prevent attacks on civilian critical infrastructure, and support computer emergency response teams providing reconstitution and mitigation services.&nbsp;The Administration intends to institutionalize and implement these norms through further bilateral and multilateral commitments and confidence building measures.</p>

<p>
	Those are some of the key areas that the CNAP delves into, but the President’s plan is so much more comprehensive. From improving our incident response to enhancing student loan forgiveness programs for cybersecurity experts joining the federal workforce, the CNAP – and the President’s budget – will go a long way to help ensure that America is secure, resilient, and prepared to combat the threats and protect the opportunities of the 21st century. And through the new Commission on Enhancing National Cybersecurity, the President is helping set forth a roadmap for how to tackle these challenges in the decades to come.</p>

<p>
	Learn everything you need to know about <a href="/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan">the President’s plan here </a>and <a href="/blog/2016/02/02/administration-efforts-cybersecurity-year-review-and-looking-forward-2016">the President’s record on cybersecurity here</a>.&nbsp;</p>

<p>
	<em>Michael Daniel is a&nbsp;Special Assistant to the President and Cybersecurity Coordinator. Tony Scott is the U.S. Chief Information Officer. Dr. Ed Felten is the Deputy U.S. Chief Technology Officer.&nbsp;</em></p>
]]></description>
   <pubDate>Tue, 09 Feb 2016 11:39:16 -0500</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-282376</guid>
</item>
<item>
  <title>Our Latest Tool to Combat Cyber Attacks: What You Need to Know</title>
  <link>https://obamawhitehouse.archives.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know</link>
  <description><![CDATA[<hr />
<h2>
	<span style="font-size:14px;"><em>&quot;Starting today, we&rsquo;re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit.&quot;</em> -- <a href="https://medium.com/@PresidentObama/a-new-tool-against-cyber-threats-1a30c188bc4">President Obama</a></span></h2>
<hr />
<p>For the first time, President Obama is giving our country a new tool to combat the most significant cyber threats to our national security, foreign policy, or economy. It&#39;s an important step, and many people may be wondering how it will work. Take a look at a few answers to some questions you may have on how the President&#39;s latest Executive Order will bolster our cybersecurity:&nbsp;</p>
<h2>
	<strong>1. Why is President Obama issuing an Executive Order?&nbsp;</strong></h2>
<p>We live in an information age &ndash; almost every aspect of our daily lives is entwined in some way with the Internet. Here&rsquo;s the problem: The very networks that we rely on&nbsp;to enable many aspects of our increasingly digital lives&nbsp;are vulnerable to cyberattack. Every day, malicious actors are targeting our businesses, trade secrets and critical infrastructure, and sensitive information &ndash; and many of these attacks originate from outside our borders. &nbsp;</p>
<p>When it comes to the worst actors, one of the biggest challenges we currently face is developing tools that will allow us to respond appropriately, proportionately, and effectively to malicious cyber-enabled activities, and to deter others from engaging in similar activities. With this Order, President Obama is taking action to give America a new way to confront the growing threat posed by significant malicious cyber actors that may be beyond the reach of our existing capabilities.</p>
<h2>
	<strong>2. What does the Executive Order do exactly?&nbsp;</strong></h2>
<p>This Executive Order authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those individuals and entities that he determines to be responsible for or complicit in malicious cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, economic health, or financial stability of the&nbsp;United States.</p>
<h2>
	<strong>3. What kinds of malicious cyber-enabled activities does this Executive Order cover?&nbsp;</strong></h2>
<p>The Executive Order is tailored to address and respond to the harms caused by significant malicious cyber-enabled activities. These activities include:</p>
<ul>
	<li>
		Harming or significantly compromising the provision of services by entities in a critical infrastructure sector</li>
	<li>
		Significantly disrupting the availability of a computer or network of computers, including through a distributed denial-of-service attack</li>
	<li>
		Misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain</li>
	<li>
		Knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain</li>
	<li>
		Attempting, assisting, or providing material support for any of the harms listed above</li>
</ul>
<p>Our focus will be on the most significant cyber threats we face &ndash; namely, on actors whose malicious activities could pose a significant threat to the national security, foreign policy, economic health, or financial stability of the United States.</p>
<h2>
	<strong>4. Who will we target with this new tool?&nbsp;</strong></h2>
<p>This tool will be used to go after the worst of the worst of malicious cyber actors: Those whose cyber activities &ndash; whether directed against our critical infrastructure, our companies, or our citizens &ndash; could threaten the national security, foreign policy, economic health, or financial stability of the United States.</p>
<h2>
	<strong>5. How effective will sanctions really be?&nbsp;</strong></h2>
<p>Malicious cyber actors often rely on U.S. infrastructure to commit the acts described in the Order, and they often use our financial institutions or partners to transfer their money. By sanctioning these actors, we can limit their access to the U.S. financial system and U.S. technology supply and infrastructure. Basically, sanctioning them can harm their ability to both commit these malicious acts and to profit from them.</p>
<h2>
	<strong>6.&nbsp;</strong><strong>What about the Sony Pictures hack? Could this Executive Order have been used then?&nbsp;</strong></h2>
<p>The President signed an Executive Order in January 2015 authorizing additional sanctions on the Democratic People&rsquo;s Republic of Korea (DPRK). That Executive Order was a response to the DPRK Government&rsquo;s ongoing provocative, destabilizing, and repressive actions and policies, particularly its destructive and coercive cyber attack against Sony Pictures Entertainment and threats against movie theaters and moviegoers.&nbsp;</p>
<p>President Obama took the Sony attack seriously and you can read more about that Executive Order and his response <a href="/the-press-office/2015/01/02/executive-order-imposing-additional-sanctions-respect-north-korea">here</a>.</p>
<h2>
	<strong>7. If this is just one tool, what are the other ways we can respond to cyber threats?&nbsp;</strong></h2>
<p>The President is using a broad range of tools &ndash; including diplomatic engagement, trade policy, and law enforcement mechanisms &ndash; to address cybersecurity threats like these. We are bolstering the government&rsquo;s network defenses, sharing more information with the private sector, and standing up the Cyber Threat Intelligence Integration Center (CTIIC) to provide integrated analysis of foreign cyber threats within the federal government and help ensure that our government centers that are responsible for cybersecurity and network defense have access to the intelligence they need to perform their missions.&nbsp;</p>
<p>Moreover, we have sent Congress legislation to further enhance our cybersecurity by strengthening protections for victims of identity theft, modernizing law enforcement tools for investigating and deterring cybercrimes, and promoting increased cyber threat information-sharing among the private sector and government.</p>
<h2>
	<strong>8. So when and how will the U.S. government decide to actually use these sanctions?&nbsp;</strong></h2>
<p>This authority will be used in a targeted and coordinated manner in response to the most significant cyber threats we face, whether they are directed against our critical infrastructure, our companies, or our citizens, when the activities could threaten the national security, foreign policy, the economic health, or financial stability of the United States.</p>
<p>In addition, it&rsquo;s important to know who we are not targeting. These sanctions will in no way target the victims of cyberattacks, like people whose computers are unwittingly hijacked by botnets or hackers. Nor is this Order designed to prevent or interfere with the cybersecurity research community when they are working with companies to identify vulnerabilities so they can improve their cybersecurity. The targets of these sanctions are malicious actors whose actions undermine our national security.&nbsp;</p>
<hr />
<p><span style="font-size:14px;"><strong>Dig Deeper:&nbsp;</strong></span></p>
<ul>
	<li>
		<a href="https://medium.com/@PresidentObama/a-new-tool-against-cyber-threats-1a30c188bc4">President Obama explains the latest tool in cybersecurity</a></li>
	<li>
		<a href="/blog/2015/04/01/expanding-our-ability-combat-cyber-threats">An in-depth look at the need for this new tool against cyber threats</a></li>
</ul>]]></description>
   <pubDate>Wed, 01 Apr 2015 09:44:23 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-248381</guid>
</item>
<item>
  <title>What You Need to Know About President Obama’s New Steps on Cybersecurity</title>
  <link>https://obamawhitehouse.archives.gov/blog/2015/01/14/what-you-need-know-about-president-obama-s-new-steps-cybersecurity</link>
  <description><![CDATA[<div class="embed">
	<div class="embed-image"><img src="/sites/default/files/image/image_file/nccic.jpg" alt="President Obama Tours the NCCIC" title="President Obama Tours the NCCIC" /><p class="image-caption">President Barack Obama tours the National Cybersecurity and Communications Integration Center in Arlington, Virginia. He is accompanied by Homeland Security Secretary Jeh Johnson, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, and tour guides Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity & Communications, and Brigadier General Greg Touhill, (Ret.), Deputy Assistant Secretary for Cybersecurity Operations and Programs. January 13, 2015. (Official White House Photo by Pete Souza)</p></div></div>
<p><span style="font-size:14px;"><strong>This week is a big one for cybersecurity.&nbsp;</strong></span></p>
<p>President Obama is using the week before his State of the Union to highlight the importance of cybersecurity and to outline the steps this Administration is taking to tackle this problem head-on. As many companies and government agencies know far too well, the cyber threat is only increasing in breadth, pace, sophistication, and impact. The events of the past year, including numerous breaches into major retailers, a widespread encryption vulnerability known as Heartbleed, and the recent destructive and coercive cyber attack against Sony Pictures Entertainment, clearly demonstrate the need to accelerate collective efforts to increase our nation&rsquo;s cybersecurity and to preserve and protect our core values as a nation.</p>
<p>Since taking office, this Administration has made cybersecurity a priority. We have focused on better protecting our critical infrastructure, improving the security of federal networks, enhancing our ability to respond to and manage incidents, building international coalitions, and shaping cyberspace to be more secure in the future. Many of my previous blog posts have highlighted our efforts in these areas, and we have indeed made progress. As we start 2015, though, it is clear that a lot more remains to be done. This Administration will continue to pursue all appropriate efforts to defend our citizens, our companies, and our nation from those threats.</p>
<p>So this week, the President is kicking off the new year by launching a series of key policy initiatives designed to tackle some of our most pressing cybersecurity problems in these priority areas. Yesterday, the President focused on consumer protection and privacy. Those actions will help cybersecurity as well, because the more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy. This week, the President is announcing several specific cybersecurity steps, which in turn will also improve consumer protection and privacy, as better cybersecurity results in better data protection. These efforts are mutually reinforcing.</p>
<h2>
	Legislation:</h2>
<p>In 2014, Congress passed important cybersecurity measures focused on improving how the federal government protects its own networks and how we are organized to carry out our cybersecurity missions, including: the Federal Information Security Modernization Act of 2014, the National Cybersecurity Protection Act of 2014, the Cybersecurity Enhancement Act of 2014, and the Cybersecurity Workforce Assessment Act of 2014. The passage of these bills, which the Administration strongly supported, demonstrates that when the politics are put aside, we can do a lot together on cybersecurity. The Members who worked on these bills deserve credit for working diligently to ensure that these important bills made it through at the very end of the term.</p>
<p>Congress should build on this momentum and pass additional legislation to increase information sharing with the government, modernize the tools needed by law enforcement to fight cybercrime, and standardize the requirements for when companies must notify customers of data breaches. Yesterday, the Administration released an <a href="/omb/legislative_letters">updated legislative proposal</a> that addresses these three areas:</p>
<ul>
	<li>
		<strong>Enabling Cybersecurity Information Sharing: </strong>While not a panacea, increased information sharing is a key element in improving our cybersecurity. The Administration&rsquo;s updated proposal promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector. Specifically, the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security&rsquo;s National Cybersecurity and Communications Integration Center (NCCIC) which will then share it (in as close to real-time as practicable) with relevant federal agencies and with private sector-developed and -operated Information Sharing and Analysis Organizations (ISAOs). This information sharing will be facilitated by providing targeted liability protection for companies that share information with these entities. The legislation also encourages the formation of these private sector-led Information Sharing and Analysis Organizations. The Administration&rsquo;s proposal would also safeguard Americans&rsquo; personal privacy by requiring private entities to comply with certain privacy restrictions -- such as removing unnecessary personal information and taking appropriate measures to protect any personal information that must be shared -- in order to qualify for liability protection. The proposal further requires the Secretary of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government. Finally, the Administration intends this proposal to complement and not limit existing effective relationships between government and the private sector. These existing relationships between law enforcement and other federal agencies are critical to the cybersecurity mission.</li>
	<li>
		<strong>Modernizing Law Enforcement Authorities to Combat Cyber Crime: </strong>Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime. The Administration&rsquo;s proposal contains provisions that would allow for the prosecution of the sale of botnets; would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers; would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft; and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity. It also reaffirms important components of 2011 proposals; specifically, it would update the Racketeer Influenced and Corrupt Organizations Act (RICO), a key piece of law used to prosecute organized crime, so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.</li>
	<li>
		<strong>National Data Breach Reporting: </strong>As announced yesterday, the Administration has also updated its proposal on security breach reporting. State laws have helped consumers protect themselves against identity theft while also encouraging business to improve cybersecurity to help prevent identity theft. These laws require businesses that have suffered an intrusion to notify consumers, if consumers&rsquo; personal information has been compromised. The Administration&rsquo;s updated proposal helps business and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain data breach reporting requirements into one federal statute, and it puts in place a single, clear requirement to ensure that companies notify their employees and customers about security breaches on a timely basis.</li>
</ul>
<h2>
	White House Cybersecurity Summit:</h2>
<p>Cybersecurity is an inherently shared mission between the government and the private sector. No single agency within the government can undertake cybersecurity alone, but even more importantly, the federal government cannot address the cybersecurity threat by itself. We must truly collaborate with the private sector on many levels in order to make our cybersecurity efforts effective.&nbsp;</p>
<p>In that vein, the President also announced that we are planning a White House Cybersecurity Summit, which will take place on February 13 at Stanford University. This event was previewed in October, when the President launched the BuySecure Initiative, and it is the next step in the Administration&rsquo;s ongoing work to build consumer confidence by enhancing public and private sector consumer financial protection efforts. The Summit will bring together major stakeholders on cybersecurity and consumer financial protection issues -- including senior leaders from the White House and across the federal government, CEOs from a wide range of industries including the financial services industry, technology and communications companies, computer security companies and the retail industry, as well as state government leaders, law enforcement officials, consumer advocates, technical experts, and students. Topics at the Summit will include increasing public-private partnerships and cybersecurity information sharing, creating and promoting improved cybersecurity practices and technologies, and improving adoption and use of more secure payment technologies.</p>
<h2>
	Cybersecurity Workforce:</h2>
<p>We know that a robust cyber workforce is needed to ensure that we have enough trained professionals to meet the nation&rsquo;s growing need for cyber defenders. Right now, there is a large and growing demand for these workers chasing a smaller supply. Acknowledging that this is a problem for everyone -- the federal government, state and local governments, and the private sector -- we have been working to develop a unity of effort to accelerate progress in this area. In this spirit, the Vice President will announce on Thursday that the Department of Energy will provide $25 million in grants over the next five years to support a cybersecurity education consortium consisting of 13 Historically Black Colleges and Universities and two national labs. This will build on our existing work under the National Initiative for Cybersecurity Education.&nbsp;</p>
<p>Collectively, this week&rsquo;s announcements kick off a new year in which we intend to make real progress in improving the nation&rsquo;s cybersecurity. These actions demonstrate that we are taking steps to mobilize every element of our nation to rise to the challenge. I look forward to continued progress across all our cybersecurity priority areas in the run-up to the Cybersecurity Summit and beyond. Over the coming year, the Administration will continue to press forward doing everything it can to improve cybersecurity, both domestically and internationally. We know that legislation, education, and a summit by themselves won&#39;t solve the cybersecurity problem. So the actions outlined above are just the start of our work in 2015 -- we&#39;ve got more to come.</p>]]></description>
   <pubDate>Wed, 14 Jan 2015 18:02:12 -0500</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-245676</guid>
</item>
<item>
  <title>Three Steps to Help Protect Your Personal Information on Cyber Monday</title>
  <link>https://obamawhitehouse.archives.gov/blog/2014/12/01/three-steps-help-protect-your-personal-information-cyber-monday</link>
  <description><![CDATA[<p>The Internet is part of everyone&rsquo;s life, every day. We use the Internet at work, at home, to connect with those close to us, and to buy goods and services. That&rsquo;s especially the case today, the Monday after Thanksgiving -- dubbed &ldquo;Cyber Monday.&rdquo;</p>
<p>Today is far and away the busiest online shopping day of the year. Last year, according to Adobe, online shopping sales were over $2.29 billion for just one day. IBM said that shopping was up 20.6 percent over 2012 and experts expect a rise again this year. Along with increased convenience, shopping online also brings with it the potential for increased risks of theft, fraud, and abuse.</p>
<p><a href="/cybersecurity">President Obama is taking action on cybersecurity</a>. His 2013 Executive Order on Cybersecurity created an industry-driven Cybersecurity Framework that has helped strengthen our businesses and networks. In October, he signed a consumer financial protection Executive Order that will move the government forward to invest in technologies that increase the financial protection and cybersecurity for everyone.</p>
<!--break-->
<p>However, we can&rsquo;t do this alone. Cybersecurity is a shared responsibility, and we each have a role to play when it comes to staying safe online.</p>
<p>With that in mind, we want to encourage you to shop online securely today by following three tips that come from <a href="http://www.stopthinkconnect.org/">Stop Think Connect</a> -- a partnership between the Department of Homeland Security and industry.</p>
<p><img alt="" src="/sites/default/files/cybermonday_v1_1200.jpeg" style="width: 520px; height: 260px;" /></p>
<p><strong>1. Avoid Suspicious Links</strong></p>
<p>Thieves online often use links to compromise your computer. It is easy to click a legitimate-looking link and end up compromising your security. You are generally safer typing in the address yourself, or looking it up on a search engine and following that link.</p>
<p><img alt="" src="/sites/default/files/cybermonday_v2_1200.jpeg" style="width: 520px; height: 260px;" /></p>
<p><strong>2. Check for https://</strong></p>
<p>When you are banking and shopping, look for web addresses that start with &ldquo;https://&rdquo; or &ldquo;shttp://&rdquo;. This means that the sites are encrypting your information from the browser to their site. It doesn&rsquo;t solve every security concern, but it is much more secure than sites that do not take these extra steps. Sites that only say http:// do not have the same level of security.</p>
<p><img alt="" src="/sites/default/files/cybermonday_v3_1200.jpeg" style="width: 540px; height: 270px;" /></p>
<p><strong>3. Know Your Wi-Fi</strong></p>
<p>When you connect your machine, you should only use legitimate Wi-Fi hot spots. You may also need to adjust the security settings on your computer or smart phone to limit who can access your machine when you are connecting through Wi-Fi other than at your home.</p>
<p>Of course, these suggestions don&rsquo;t solve every issue, but they will absolutely help make you more secure as you shop. You can find a lot more tips at <a href="http://www.stopthinkconnect.org">StopThinkConnect.org</a>.</p>
<p>Meanwhile, we continue to work to solve the longer-term issues related to cybersecurity. Early next year, the President will sponsor a White House Summit on Cybersecurity and Consumer Protection, and we will keep working with Congress, companies, and security and privacy experts to develop policy and technology solutions that can alleviate this problem.</p>
]]></description>
   <pubDate>Mon, 01 Dec 2014 06:00:00 -0500</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-244356</guid>
</item>
<item>
  <title>Strengthening Our Cyber Community</title>
  <link>https://obamawhitehouse.archives.gov/blog/2014/09/19/strengthening-our-cyber-community</link>
  <description><![CDATA[<p class="p1">Recently, a private-sector partner opined that it would be nice if the millions of dollars he was putting into defense weren&rsquo;t defeated by a $500 tool easily rented online. It doesn&rsquo;t matter whether you&rsquo;re from a government agency, a contractor, or a retailer &ndash; no one seems to be immune to this problem.</p>
<p class="p1">But there are some relatively simple steps that we can take to make those investments more effective against the $500 tool. Just as a neighborhood bands together to raise its collective safety, we can work as a community to strengthen our collective defenses to make it harder for those who wish to cause harm.&nbsp;</p>
<p class="p1">First, we can broaden how we think about cybersecurity to make our defenses more effective. The Cybersecurity Framework issued earlier this year helps us do that. The Framework&rsquo;s greatest strength is that it is deeply rooted in how businesses actually manage risk in the real world. In taking a risk management approach, the Framework recognizes that no organization can or will spend unlimited amounts on cybersecurity. Instead, it enables a business to make decisions about how to prioritize and optimize its cybersecurity investments.</p>
<!--break-->
<p class="p1">We want to hear from the community, so the National Institute of Standards and Technology (NIST) recently issued a Request for Information to gather experiences on use of the Framework, with a comment period that goes&nbsp;until October 10. I encourage you to send us your thoughts. <a href="http://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-the-framework-for-improving-critical-infrastructure-cybersecurity">Please go </a><a href="http://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-the-framework-for-improving-critical-infrastructure-cybersecurity"><span class="s2">here</span></a><a href="http://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-the-framework-for-improving-critical-infrastructure-cybersecurity"> to submit comments.</a></p>
<p class="p1">Next, we can talk with each other more. Clearly, we&rsquo;ve been discussing information sharing for some time, but what I am talking about goes beyond the broad concepts to build on the day-to-day sharing that already occurs. Collectively, we need to understand what the government can do and we need to understand what the private sector can do. Then, based on that understanding, we can decide what actions we might want to take in certain situations; for example, what concrete actions both the government and private sector might take to defeat a distributed denial of service attack. From that understanding would flow the information requirements to take those actions, and it would define who needs to provide what kind of information to whom on what timeline.</p>
<p class="p1">In going through this process, we will certainly identify barriers to sharing the information we need. But such a process will give us a better idea about how to knock down those barriers. To get to this level of detail, we need more trusted groups around functions, topics, regions, and industries. While we can do a lot under current law, there will be some barriers we cannot overcome under existing authorities. We again urge Congress to move forward on cybersecurity legislation that protects our nation as well as our privacy and civil liberties.&nbsp;</p>
<p class="p1">Finally, we can build our capacity to jointly respond to and recover from significant incidents. Many have argued that cyberspace has no borders. I would argue that this is not entirely correct. There are borders and boundaries throughout cyberspace &ndash; everywhere a network or a router touches in fact. And we are creating more borders every day. Everyone &ldquo;lives&rdquo; and operates at the border. Therefore, unlike the physical world, we cannot just assign the role of border security to the federal government. Cybersecurity is an inherently shared function. Therefore, we must build on our understanding of each of our capabilities and authorities to develop a collaborative approach to effectively responding to and recovering from significant incidents before they escalate.</p>
<p class="p1">We <i>can</i> make it harder for the bad actors, and we can make the millions invested in defense more effective at defeating cheap hacking tools. But to do so, we must work together to create new and better versions of trusted networks that can adapt rapidly based on the threat we jointly face. Working through the Department of Homeland Security and the other lead federal agencies, we are working to create exactly these kinds of partnerships with our private-sector partners. Some companies and sectors are already moving in this direction and I appreciate their forward-leaning efforts. Over the coming months, we will look to deepen these nascent partnerships and expand our efforts more broadly.&nbsp;</p>
]]></description>
   <pubDate>Fri, 19 Sep 2014 15:17:00 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-242306</guid>
</item>
<item>
  <title>Talking Cybersecurity</title>
  <link>https://obamawhitehouse.archives.gov/blog/2014/07/02/talking-cybersecurity</link>
  <description><![CDATA[<p class="p1"><span class="s1">Last </span><span class="s2">week</span>, I delivered a keynote speech on cybersecurity at the Gartner Security &amp; Risk Management Summit in Maryland.</p>
<p class="p1">Cybersecurity touches so much of our lives now that we need a rich and continuing dialogue that includes the broadest possible set of stakeholders. So one of the great things about coming to forums such as this one is that I get the opportunity to engage and interact with a diverse range of cybersecurity practitioners from across the private sector, all levels of government, and academia. All organizations face many of the same challenges in keeping networks and information secure, and it is encouraging to talk to so many people who are working on these problems and sharing their ideas to develop community-wide solutions.</p>
<p class="p1">In my remarks, I outlined some of the ongoing &ldquo;wicked&rdquo; problems we face in cybersecurity and some of the approaches the U.S. government is taking in trying to make progress on these challenges.</p>
<p class="p1">In an overall strategic context, I think that we need to continue to work on how we can flip the economics of cyberspace; specifically, how we can change our overall approach to cybersecurity to more directly address economic and human behavioral factors. For example, we need to figure out how to use economic incentives to create a market for systems that are secure by default and that increase the cost of conducting malicious activities in cyberspace. In the end, what makes cybersecurity hard is the non-technical aspects of it. As a result, cybersecurity requires a holistic approach that takes into account human behaviors and economics, as well as the technical factors.</p>
<p class="p1"><a href="/sites/default/files/docs/michael_daniel_remarks_june_23_2014.pdf">You can read the text of my remarks <span class="s2">here</span></a>, and I look forward to continuing to engage with the cybersecurity community at events in the future.</p>
]]></description>
   <pubDate>Wed, 02 Jul 2014 11:44:30 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-240186</guid>
</item>
<item>
  <title>Assessing Cybersecurity Regulations</title>
  <link>https://obamawhitehouse.archives.gov/blog/2014/05/22/assessing-cybersecurity-regulations</link>
  <description><![CDATA[<p>Effective regulations are an important tool to protect the security and economic vitality of our nation. The President is committed to simplifying and streamlining regulations while ensuring that the benefits justify the costs. In fact, this Administration has undertaken one of the most significant and transparent reform efforts aimed at eliminating unjustified regulatory costs to date.</p>
<p>In light of this commitment, the President&rsquo;s Executive Order (EO) 13636, &ldquo;Improving Critical Infrastructure Cybersecurity,&rdquo; called on Executive Branch agencies to assess whether and how existing cybersecurity regulation could be streamlined and better aligned with the Cybersecurity Framework launched in February 2014. It is important to understand that an Executive Order can only direct Executive Branch agencies, not independent regulators. Much of critical infrastructure is regulated by independent regulators; therefore, the analysis conducted pursuant to EO 13636 represents a limited subset of critical infrastructure sectors: water, health, transportation, and chemical. Independent regulatory agencies may engage in similar analysis but are not required to under this EO.</p>
<p>The EO directs Executive Branch departments and agencies with responsibility for regulating the security of private-sector critical infrastructure to: (1) assess the sufficiency of existing regulatory authority to establish requirements based on the Cybersecurity Framework to address current and projected cyber risks; and (2) identify proposed changes in order to address insufficiencies identified. The Cybersecurity Framework articulates a risk management approach based on best practices and globally recognized standards. It is a voluntary tool that organizations can use to strengthen cyber risk management.</p>
<!--break-->
<p>After extensive research, we determined that the following departments and agencies were required to submit reports: Environmental Protection Agency (drinking water and waste-water), Department of Health and Human Services (medical devices, electronic health records, health exchanges), and the Department of Homeland Security (chemical facilities and transportation). I encourage you to read their individual reports located here: <a href="http://www.dhs.gov/publication/eo-13636-improving-ci-cybersecurity">DHS</a>, <a href="http://www.phe.gov/Preparedness/planning/cip/Pages/eo13636.aspx">HHS</a>, <a href="http://water.epa.gov/infrastructure/watersecurity/upload/EO_13696_10-b-_EPA_response.pdf">EPA</a>.</p>
<p>The major outcome is that the Administration&rsquo;s analysis supports our current voluntary approach to address cyber risk. Most of these departments have responsibility to regulate in general; some have existing cybersecurity-specific regulations, some do not, and some do not have clear authority to regulate for cybersecurity. Additionally, the degree to which the current authorities are used to regulate for cybersecurity ranges from high-level requirements to voluntary guidance. At this time, though, the Administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information.</p>
<p>Now, this doesn&rsquo;t mean that we don&rsquo;t have more work to do to secure our critical systems and information throughout the country. Nor does it mean that we can stop working to ensure that regulations as written are clear, streamlined, and harmonized. It does mean that agencies with regulatory authority have determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to those systems. Over the next two years, these departments and agencies will jointly investigate and leverage opportunities to improve the efficiency, clarity, and coordination of existing regulations.</p>
<p>I am greatly encouraged by the progress we have made to date. The threat to our systems and information is dynamic and rapidly evolving; we must build equally agile and responsive capabilities not bound by outdated and inflexible rules and procedures. Industry has demonstrated its commitment to using the voluntary Cybersecurity Framework. We in the federal government are equally committed to removing obstacles and stimulating positive incentives for strengthening cyber risk management across all critical infrastructure sectors.</p>
]]></description>
   <pubDate>Thu, 22 May 2014 14:30:00 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-238966</guid>
</item>
<item>
  <title>Heartbleed: Understanding When We Disclose Cyber Vulnerabilities</title>
  <link>https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities</link>
  <description><![CDATA[<p class="p1">When President Truman created the National Security Agency in 1952, its very existence was not publicly disclosed. Earlier this month, the NSA sent out a Tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed. For an agency whose acronym was once said to stand for &ldquo;No Such Agency,&rdquo; this step was unusual but consistent with NSA&rsquo;s efforts to appropriately inform the ongoing discussion related to how it conducts its missions.</p>
<p class="p1">While we had no prior knowledge of the existence of Heartbleed, this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public. As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated. One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.&nbsp;</p>
<p class="p1">This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities &ndash; so that everyone can have confidence in the integrity of the process we use to make these decisions. We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more than, everyone else.&nbsp;</p>
<!--break-->
<p class="p1">But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation&rsquo;s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.</p>
<p class="p1">Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.&nbsp;</p>
<p class="p1">We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:</p>
<ul>
	<li class="p2">
		How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?</li>
	<li class="p2">
		Does the vulnerability, if left unpatched, impose significant risk?</li>
	<li class="p2">
		How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?</li>
	<li class="p2">
		How likely is it that we would know if someone else was exploiting it?</li>
	<li class="p2">
		How badly do we need the intelligence we think we can get from exploiting the vulnerability?</li>
	<li class="p2">
		Are there other ways we can get it?</li>
	<li class="p2">
		Could we utilize the vulnerability for a short period of time before we disclose it?</li>
	<li class="p2">
		How likely is it that someone else will discover the vulnerability?</li>
	<li class="p2">
		Can the vulnerability be patched or otherwise mitigated?</li>
</ul>
<p class="p1">Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated.&nbsp; Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation.&nbsp; We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake.&nbsp; I hope this post will instill some confidence that your government is acting responsibly in the handling of this important issue.</p>
]]></description>
   <pubDate>Mon, 28 Apr 2014 15:00:00 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-238221</guid>
</item>
<item>
  <title>State and Local Government Cybersecurity</title>
  <link>https://obamawhitehouse.archives.gov/blog/2014/04/02/state-and-local-government-cybersecurity</link>
  <description><![CDATA[<p>Last week, I provided opening remarks for the State and Local Government Cybersecurity Framework Kickoff Event, hosted at the <a href="http://csrc.nist.gov/nccoe/">National Cybersecurity Center of Excellence (NCCoE)</a>, a partnership among the <a href="http://www.nist.gov/index.html">National Institute of Standards and Technology</a> (NIST), the State of Maryland, and Montgomery County. This event is part of the White House&rsquo;s ongoing coordination and outreach in support of implementing the <a href="http://www.nist.gov/itl/cyberframework.cfm">Cybersecurity Framework</a>, which was released on February 12, 2014, pursuant to President Obama&rsquo;s Executive Order on Improving Critical Infrastructure Cybersecurity (<a href="http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf">E.O. 13636</a>).</p>
<p>Although much of the attention around the development and implementation of the Framework, and the implementation of E.O. 13636, has focused on the private sector, our state, local, tribal, and territorial government stakeholders are critical partners in our overall drive to improve cybersecurity protections for the nation&rsquo;s critical infrastructure. These government entities operate critical infrastructure where cybersecurity protections can be increased, and they house considerable amounts of information about residents &ndash; everything from driver&rsquo;s licenses to school records &ndash; that must be protected.</p>
<p>These entities are also the first line of response when something goes wrong for our people &ndash; individuals and local businesses that are the victims of cyber crime or malicious incidents in cyberspace are likely to reach out to their local law enforcement and related government agencies first for help. At the same time, these local governments present a complex landscape for cybersecurity: they vary widely in governance structure, technical connectivity, and resources available for securing systems and information.&nbsp;</p>
<p>Navigating this complex yet important landscape requires a team effort. Recognizing that, the White House convened a broad array of stakeholders including government representatives, local-government-focused associations, private sector technology companies, and partners from multiple federal agencies to discuss ways to help this community implement the Framework as a tool for improving cybersecurity. Over 100 cybersecurity and technology leaders attended the event in person, and nearly as many participated virtually via a webinar, representing entities from Hawaii to Michigan (click <a href="http://doit.maryland.gov/cybersecurity/Pages/CyberSecurityHome.aspx">here</a> to read the Michigan Chief Security Officer&rsquo;s detailed blog on the event).</p>
<!--break-->
<p>Participating organizations included: NCCoE, NIST, the <a href="http://www.nga.org/cms/center/hsps">National Governors Association</a>, the <a href="http://www.nascio.org/">National Association of State CIOs</a>, <a href="http://www.dhs.gov/office-cybersecurity-and-communications">DHS Office of Cybersecurity and Communications</a>, <a href="http://www.dhs.gov/about-office-intergovernmental-affairs-iga">DHS Office of Intergovernmental Affairs</a>, and the <a href="http://msisac.cisecurity.org/">Multi-State Information Sharing and Analysis Center</a>. (Click <a href="http://nist.gov/itl/state-local-govt-cyber-framework-kickoff.cfm">here</a> to access materials provided by participating organizations.) Additionally, the chief information security officer for the <a href="http://doit.maryland.gov/cybersecurity/Pages/CyberSecurityHome.aspx">State of Maryland</a> moderated a panel of technology industry leaders (including representatives from AT&amp;T, Intel, Microsoft, Symantec, and the Information Technology Industry Council) who shared their organizations&rsquo; experiences in implementing the Framework.&nbsp;&nbsp;</p>
<p>Collectively, this group shared information about their approaches to working with the Framework, their current initiatives involving cybersecurity, and many of the resources and programs that are available for this community. (For example, DHS has specific <a href="http://www.us-cert.gov/ccubedvp/getting-started-sltt">resources available to assist</a>&nbsp;these government entities.) The good news is there are a lot of groups working on local-government cybersecurity issues. This means there are many opportunities for governments to engage on cyber issues, to leverage and share the work of various groups, and to divide up future efforts.</p>
<p>The event concluded with a discussion of future needs to support Framework implementation and cybersecurity improvements for local governments. Some items cited as areas for future collective work included:</p>
<ul>
	<li>
		Craft a use case involving local government cybersecurity for NCCoE to pilot.</li>
	<li>
		Develop a local government overlay for the Framework.</li>
	<li>
		Leverage existing surveys to baseline Framework implementation and develop useful metrics.</li>
	<li>
		Develop tools, such as sample cybersecurity legislation, that can be reused by the community to speed knowledge transfer and share best practices among local governments.</li>
	<li>
		Develop local government-specific goals for the <a href="http://csrc.nist.gov/nice/">National Initiative for Cybersecurity Education</a> (NICE) to help close the cyber workforce gap.</li>
	<li>
		Share a calendar of outreach events planned by federal partners and associations, to enable personnel to connect with local events.</li>
</ul>
<p>Clearly, there&rsquo;s a lot of work to do for the community that comprises state, local, tribal, and territorial government entities. By working together, these groups and their federal partners can make real progress.</p>
]]></description>
   <pubDate>Wed, 02 Apr 2014 17:43:52 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-237491</guid>
</item>
<item>
  <title>Trusted Identities to Secure Critical Infrastructure</title>
  <link>https://obamawhitehouse.archives.gov/blog/2013/12/09/trusted-identities-secure-critical-infrastructure</link>
  <description><![CDATA[<p>Every week seems to bring news of yet another website hacked, user accounts compromised, or personal data stolen or misused. Just recently, many Facebook users were required to change their passwords because of hacks at Adobe, a completely different company. Why? Because hackers know that users frequently re-use the same password at multiple websites. This is just one of many reasons that the system of passwords as it exists today is hopelessly broken. And while today it might be a social media website, tomorrow it could be your bank, health services providers, or even public utilities. Two complementary national initiatives aim to do better before the impacts of this problem grow even worse.</p>
<p>Developed in 2011, <a href="http://www.nist.gov/nstic/">the National Strategy for Trusted Identities in Cyberspace (NSTIC)</a> is a key Administration initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions. NSTIC calls for the creation of an Identity Ecosystem &ndash; an online environment in which individuals can trust each other because they follow agreed-upon standards to authenticate their digital identities. What this means for individual users is that they will be able to choose from a variety of more secure, privacy-enhancing identity solutions that they can use in lieu of passwords for safer, more convenient experiences everywhere they go online.</p>
<!--break-->
<p>The NSTIC also helps multiple sectors in the online marketplace, because trusted identities provide a variety of benefits: enhanced security, improved privacy, new types of transactions, reduced costs, and better customer service.&nbsp;<a href="http://www.nist.gov/index.html">The National Institute of Standards and Technology (NIST)</a> is leading implementation of the NSTIC.</p>
<p>NIST is also leading the development of a <a href="http://www.nist.gov/itl/cyberframework.cfm">voluntary framework</a> for reducing cyber risks to critical infrastructure. This latter work is being done in response to Executive Order 13636 <em>&ldquo;</em><a href="/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity"><em>Improving Critical Infrastructure Cybersecurity</em></a>,&rdquo; which President Obama issued in recognition of the fact that the national and economic security of the United States depends on the reliable functioning of critical infrastructure. On October 29, NIST released a <a href="http://www.nist.gov/itl/cyberframework.cfm">preliminary version</a> of the Cybersecurity Framework, developed using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013, a series of public workshops, and other discussions.</p>
<p>How are these two national cybersecurity efforts related? While the Executive Order focuses on critical infrastructure, managing identities is a foundational enabler for cybersecurity efforts across all sectors. The NSTIC complements the goals and objectives of President Obama&rsquo;s Executive Order by promoting the use of trusted identity solutions in lieu of passwords, which will help strengthen the cybersecurity of critical infrastructure. Trusted identities offer owners and operators of critical infrastructure more secure, privacy-enhancing, and easy-to-use solutions to help secure IT systems from potential attack.</p>
<p>A key NSTIC initiative is facilitating the work of a private sector-led <a href="http://www.idecosystem.org/">Identity Ecosystem steering group</a>, which is working to develop an Identity Ecosystem Framework in which different market sectors can implement convenient, interoperable, secure, and privacy-enhancing trusted solutions for digital identity, including within critical infrastructure. This group currently has more than 200 members, including many from critical infrastructure sectors; membership is currently free and we encourage all stakeholders to get involved. Like the NSTIC, the Cybersecurity Framework will result in flexible, voluntary guidelines for industry to implement better cybersecurity practices, with the private sector offering a marketplace of tools and technologies. A key element of success for both the NSTIC and the Cybersecurity Executive Order will be market adoption of their primary deliverables; accordingly, implementation activities around both initiatives include the development of mutually beneficial legal, economic, and other incentives to promote deployment.</p>
<p>To ensure that the Cybersecurity Framework takes full advantage of the trusted identity solutions marketplace, we strongly encourage input on the preliminary Cybersecurity Framework. On October 29, 2013, NIST announced a 45-day public comment period on the preliminary Framework in the <u>Federal Register</u>. Comments are due no later than 5pm EST on December 13, 2013. (Click <a href="https://www.federalregister.gov/articles/2013/10/29/2013-25566/request-for-comments-on-the-preliminary-cybersecurity-framework">here</a> for more information on how to submit comments.)</p>
<p>We look forward to your valuable input on how trusted identities can help secure the nation&rsquo;s critical infrastructure.</p>
]]></description>
   <pubDate>Mon, 09 Dec 2013 11:28:29 -0500</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-233601</guid>
</item>
<item>
  <title>National Cyber Security Awareness Month</title>
  <link>https://obamawhitehouse.archives.gov/blog/2013/10/17/national-cyber-security-awareness-month</link>
  <description><![CDATA[<p>On September 30, the President issued a proclamation designating October as &ldquo;National Cyber Security Awareness Month.&rdquo; As I tell everyone I meet, this shouldn&rsquo;t matter just to geeks like me, the President&rsquo;s Cyber Coordinator. With our world ever more connected to the Internet &ndash; our phones, our tablets, even our cars &ndash; cybersecurity matters to everyone.</p>
<p>This October marks the 10<sup>th</sup> anniversary of our efforts to raise awareness, and we&rsquo;ve come a long way in the past decade. Yet despite the fact that more people than ever before are aware of cyber threats &ndash; such as to personal email accounts, banks, and critical infrastructure &ndash; and are working to counter them &ndash; through secure passwords and good online awareness &ndash; we still have a lot to do. Cyber is one of those challenging areas in which there really is no &ldquo;done.&rdquo; Even though the internet feels like it&rsquo;s been around for a long time, we are still learning as a society about how to operate safely and securely online.</p>
<p>As we think about how best to do that, one factor about the nature of cyberspace becomes particularly relevant &ndash; its borders. Traditionally, many have argued that cyberspace has no borders and that that fact is both a strength &ndash; in terms of a free flow of information that drives the economy and supports free speech &ndash; and a weakness &ndash; in that it also allows malicious actors great freedom of movement.</p>
<p>But I would argue that such an emphasis on borders is misplaced. There are borders and boundaries everywhere in cyberspace; everywhere that networks, routers, servers, devices, and people touch the internet there are borders.&nbsp; Instead, what cyberspace lacks is an interior &ndash; there is really no &ldquo;protected inside&rdquo; to a network, a space that is far away and insulated from what happens at the edge.</p>
<!--break-->
<p>So the very nature of cyberspace and its interconnectedness mean that everything and everyone touches an edge or a border in some fashion.</p>
<p>This reality has profound implications for how we organize ourselves as a society to protect ourselves in cyberspace &ndash; and how I carry out my role as cybersecurity coordinator. For example, in the physical world, we assign the mission of &ldquo;border security&rdquo; to the Federal Government. But if everyone lives at the border in cyberspace, then it&rsquo;s not physically possible to assign the &ldquo;border security&rdquo; mission to just one group or element of our society, even the Federal Government. That means that everyone needs to play a part in protecting our cyber borders.&nbsp;</p>
<p>That is why National Cyber Security Awareness Month is so important. We need everyone to understand how to participate in their individual, and our collective, defense. Cybersecurity is a shared responsibility, and we all have a role to play &ndash; from the government and law enforcement, to the private sector, to the general public. This united effort is necessary to maintain a cyberspace that is safer and more resilient and that remains a source of tremendous opportunity and growth for years to come. And in the end, we cannot afford to only think about cybersecurity awareness just one month out of the year. We need to be aware of our practices and habits each day, and we must remain focused on meeting the evolving challenges in securing cyberspace.&nbsp;</p>
]]></description>
   <pubDate>Thu, 17 Oct 2013 16:20:39 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-231626</guid>
</item>
<item>
  <title>Incentives to Support Adoption of the Cybersecurity Framework</title>
  <link>https://obamawhitehouse.archives.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework</link>
  <description><![CDATA[<p><span style="font-size: 12px;">The systems that run our nation&rsquo;s critical infrastructure such as the electric grid, our drinking water, our trains, and other transportation are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats, and protecting this critical infrastructure from cyber threats is among our highest security priorities. That is why, earlier this year, the President signed an Executive Order designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. The Order does this by focusing on three key areas: information sharing, privacy, and adoption of cybersecurity practices.</span></p>
<p><span style="font-size: 12px;">To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework &ndash; a set of core practices to develop capabilities to manage cybersecurity risk. These are the known practices that many firms already do, in part or across the enterprise and across a wide range of sectors. The draft Framework will be complete in October. After a final Framework is released in February 2014, we will create a Voluntary Program to help encourage critical infrastructure companies to adopt the Framework.&nbsp;</span></p>
<p><span style="font-size: 12px;">While this effort is underway, work on how to incentivize companies to join a Program is also under consideration. While the set of core practices has been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments. As directed in the EO, the Departments of </span><a href="http://www.dhs.gov/publication/summary-report-executive-order-13636-cybersecurity-incentives-study" style="font-size: 12px;">Homeland Security</a><span style="font-size: 12px;">, </span><a href="http://www.ntia.doc.gov/files/ntia/Commerce_Incentives_Recommendations_Final.pdf" style="font-size: 12px;">Commerce</a><span style="font-size: 12px;">, and </span><a href="http://www.treasury.gov/press-center/Documents/Treasury%20Report%20(Summary)%20to%20the%20President%20on%20Cybersecurity%20Incentives_FINAL.pdf" style="font-size: 12px;">Treasury</a><span style="font-size: 12px;"> have identified potential incentives and provided their recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.</span></p>
<p><span style="font-size: 12px;">Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders. We believe that sharing the findings and our plans for continued work will promote transparency and sustain a public conversation about the recommendations. Publishing these agency reports is therefore an interim step and does not indicate the Administration&rsquo;s final policy position on the recommended actions.&nbsp;</span></p>
<p><span style="font-size: 12px;">The recommendations were developed in a relatively short time frame and with the understanding that the Cybersecurity Framework and Voluntary Program are still under development. Yet, they incorporate significant feedback from many of our stakeholders, including the critical infrastructure community, through the DHS-led existing public-private partnerships with critical infrastructure, and a Notice of Inquiry issued by the Commerce Department. Although each agency prepared separate reports, these reports are complementary. Taken as a whole, the reports point to eight areas where the agencies recommend action to establish incentives to support voluntary adoption of the Cybersecurity Framework.&nbsp;</span></p>
<!--break-->
<p><span style="font-size: 12px;">Some of the recommended incentives can be put in place quickly under existing authorities after the Voluntary Program is established. Others would require legislative action and additional maturation of the Cybersecurity Framework and Voluntary Program, along with further analysis and dialogue between the Administration, Congress, and private sector stakeholders. We are currently working with the appropriate agencies to prioritize each incentive area and move forward.&nbsp;</span></p>
<p><span style="font-size: 12px;">These areas include:</span></p>
<ul>
	<li>
		<strong style="font-size: 12px;">Cybersecurity Insurance </strong><span style="font-size: 12px;">&mdash; Agencies suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program. The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market. The Commerce Department&rsquo;s National Institute of Standards and Technology is taking steps to engage the insurance industry in further discussion on the Framework. This process should continue as the Framework is developed and the Voluntary Program is created.</span></li>
	<li>
		<span style="font-size: 12px;"><strong>Grants</strong> &mdash; Agencies suggested leveraging federal grant programs. Agencies suggest incentivizing the adoption of the Framework and participation in the Voluntary Program as a condition or as one of the weighted criteria for federal critical infrastructure grants. Over the next six months, agencies will develop such criteria for consideration.</span></li>
	<li>
		<span style="font-size: 12px;"><strong>Process Preference</strong> &mdash; Agencies offered suggestions on a range of government programs in which participating in the Voluntary Program could be a consideration in expediting existing government service delivery. For example, the government sometimes provides technical assistance to critical infrastructure. Outside of incident response situations, the government could use Framework adoption and participation in the Voluntary Program as secondary criteria for prioritizing who receives that technical assistance. The primary criteria for technical assistance would always remain the criticality of the infrastructure, but for non-emergency situations, technical assistance could be seen as an additional benefit that could help to drive adoption. Agencies currently have the authority to act in these areas without further legislation. As we work with the private sector over the next six months to develop the Voluntary Program, we will simultaneously identify and examine specific programs where this approach could be helpful.</span></li>
	<li>
		<span style="font-size: 12px;"><strong>Liability Limitation</strong> &mdash; Agencies pointed to a range of areas where more information is necessary to determine if legislation to reduce liability on Program participants may appropriately encourage a broader range of critical infrastructure companies to implement the Framework. These areas include reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements. As the Framework is developed, agencies will continue to gather information about the specific areas identified in the reports related to liability limitation.</span></li>
	<li>
		<span style="font-size: 12px;"><strong>Streamline Regulations</strong> &mdash; Agencies will continue to ensure that the Framework and the Voluntary Program interact in an effective manner with existing regulatory structures. As the Framework and Voluntary Program are developed, agencies will recommend other areas that could help make compliance easier, for example: eliminating overlaps among existing laws and regulation, enabling equivalent adoption across regulatory structures, and reducing audit burdens.</span></li>
	<li>
		<span style="font-size: 12px;"><strong>Public Recognition</strong> &mdash; Agencies suggested further exploration on whether optional public recognition for participants in the Program and their vendors would be an effective means to incentivize participation. DHS will work with the critical infrastructure community to consider areas for optional public recognition as they work together to develop the Voluntary Program.</span></li>
	<li>
		<span style="font-size: 12px;"><strong>Rate Recovery for Price Regulated Industries</strong> &mdash; Agencies recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.&nbsp;</span></li>
	<li>
		<span style="font-size: 12px;"><strong>Cybersecurity Research</strong> &mdash; Once the Framework is complete, agencies recommended identifying areas where commercial solutions are available to implement the Framework and gaps where those solutions do not yet exist. The government can then emphasize research and development to meet the most pressing cybersecurity challenges where commercial solutions are not currently available.</span></li>
</ul>
<p><span style="font-size: 12px;">While these reports do not yet represent a final Administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order. We will be making more information on these efforts available as the Framework and Program are completed.&nbsp;</span></p>
]]></description>
   <pubDate>Tue, 06 Aug 2013 11:04:49 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-229731</guid>
</item>
<item>
  <title>Improving the Security of the Nation’s Critical Infrastructure</title>
  <link>https://obamawhitehouse.archives.gov/blog/2013/02/13/improving-security-nation-s-critical-infrastructure</link>
  <description><![CDATA[<p>The Nation increasingly relies on the Internet to run the systems that light our houses, provide gas for our cars, and ensure our water is safe to drink. Collectively, these diverse systems represent our cyber critical infrastructure. Linking our critical infrastructure to the Internet brings considerable benefits, but our daily reliance on this critical infrastructure means that we are vulnerable to disruptions in our ability to use it. Unfortunately, the threats against our cyber critical infrastructure are numerous, ranging from sophisticated nation states to common criminals.</p>
<p>The government&rsquo;s senior-most civilian, military, and intelligence professionals all agree that inadequate cybersecurity within this critical infrastructure&nbsp;poses a grave threat to the security of the United States.&nbsp; Most recently, we have seen an increased interest in targeting public and private critical infrastructure systems by actors who seek to threaten our national and economic security. Along with dissuading their actions, <a href="https://www.dhs.gov/cybersecurity">we must better protect the critical systems that support our way of life</a>.</p>
<p>Because of the importance of our cyber critical infrastructure, and the seriousness of the threats, the <a href="/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">President issued an Executive Order yesterday directing federal departments and agencies to use their existing authorities to provide better cybersecurity for the Nation</a>. These efforts will by necessity involve increased collaboration with the private sector and a whole-of-government approach.</p>
<!--break-->
<p>In developing the order, the Administration sought input from stakeholders of all viewpoints in industry, the public sector, the legislative branch, and the advocacy community. Their input has been vital in crafting an order that incorporates the best ideas and lessons learned from industry experience, legislative efforts, and successful federal efforts. Over the course of the past six months, we hosted over 30 organizations, representing all 18 critical infrastructure sectors, and heard from over 200 companies directly. We also met with trade associations representing an additional 6,000 companies, over $7 trillion in annual economic activity, and over 15 million employees to discuss their concerns and ideas for solutions.&nbsp; As a result of our outreach, numerous stakeholders <a href="/sites/default/files/uploads/07_eo_quotes_02132013.pdf">responded positively to the Executive Order</a>.</p>
<p><strong>The Executive Order: </strong>Improving security for our cyber critical infrastructure presents a set of complex issues. The Executive Order addresses the three areas that are necessary to address the problem holistically: information sharing, a flexible risk-based Framework of core practices based on existing standards, and privacy protections. (For more details, see our <a href="/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity-0">Fact Sheet on the Executive Order</a>.)</p>
<p><strong>Information Sharing</strong>. It is a national priority to efficiently, effectively, and appropriately increase the volume, timeliness, and quality of cyber threat information shared with authorized individuals and companies. One of the primary efforts of the Executive Order is to better enable information sharing on cyber threats between the private sector and all levels of government.&nbsp; The Executive Order fosters improved public-private sharing in three important ways.</p>
<p>First, it expands the Department of Homeland Security&rsquo;s Enhanced Cybersecurity Services program to provide near real-time sharing of information on cyber threats with critical infrastructure companies and state and local governments.</p>
<p>Second, it directs federal agencies to provide timely notification to companies if we have information indicating that a company is the target or victim of a cyber intrusion. Finally, the Executive Order directs DHS to expedite the processing of clearances for appropriate state and local government and private sector personnel to enable the federal government to efficiently share cyber threat information at the sensitive and classified level.</p>
<p><strong>Cybersecurity Framework</strong>: The Executive Order directs the <a href="http://www.nist.gov/index.html">National Institute of Standards and Technology (NIST)</a> to lead the development of a framework to reduce cyber risks to critical infrastructure. NIST will work with industry to identify existing voluntary consensus standards and industry best practices to incorporate into the framework.</p>
<p>The Administration recognizes that there are private-sector cyber leaders in our critical infrastructure sectors who are already implementing strong cybersecurity controls, policies, and procedures. Rather than burdening such organizations with more to do, the Executive Order puts these innovators at the core of informing and driving the development of voluntary best practices for the framework. &nbsp;In this way, we can distil common cybersecurity practices from the experts that know them best and leverage them to improve the security of the Nation&rsquo;s critical infrastructure.</p>
<p>The framework does not dictate &ldquo;one-size fits all&rdquo; technological solutions. Instead, it promotes a collaborative approach to encourage innovation and recognize the differing needs among critical infrastructure sectors. Organizations who want to upgrade their cybersecurity will have the flexibility to decide how best to do so using a wide range of innovative products and services available in the marketplace.</p>
<p><strong>Privacy and Civil Liberties Protections</strong>: The Executive Order reflects the Administration&rsquo;s deep commitment to ensuring that processes for sharing cyber threat and incident information between the federal government, state, and local government, and private companies incorporate rigorous protections for individual privacy and civil liberties. Accordingly, the Executive Order directs departments and agencies to incorporate privacy and civil liberties protections into cybersecurity activities based upon widely-accepted <a href="http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf">Fair Information Practice Principles</a>, and other applicable privacy and civil liberties frameworks and policies. The Executive Order also requires regular privacy assessments and public reporting of any privacy and civil liberties impacts.</p>
<p><strong>More Action is Needed: </strong><a href="/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity-0">This Executive Order represents an important step in improving cybersecurity protections for our critical infrastructure</a>, and reflects recommendations from many different groups, including the bi-partisan <a href="http://csis.org/program/commission-cybersecurity-44th-presidency">Commission on Cybersecurity for the 44<sup>th</sup> Presidency</a> and the <a href="http://thornberry.house.gov/uploadedfiles/cstf_final_recommendations.pdf">Recommendations of the House Republican Cybersecurity Task Force</a>.&nbsp; However, more is needed.&nbsp; Executive action alone cannot create the new tools and authorities needed to meet the Nation&rsquo;s collective cybersecurity challenges. The Administration continues to urge Congress to pass legislation to more fully address our Nation&rsquo;s cybersecurity needs.</p>
<p>For decades, industry and all levels of government have worked together to protect the physical security of critical assets that reside in private hands - from airports and seaports to national broadcast systems and nuclear power plants. Similarly, we must now work in partnership to <a href="https://www.dhs.gov/topic/what-you-can-do">protect the cyber critical infrastructure systems</a> upon which so much of our economic well-being, national security, and daily lives depend.</p>
<p>As we have made clear, industry has a significant role to play as well. As a first step, I would urge Chief Executive Officers (CEOs) to <a href="http://www.us-cert.gov/reading_room/DHS-Cybersecurity-Questions-for-CEOs.pdf">ask their team these five questions</a> and ensure that they are satisfied with the answers. Additionally, I ask that industry, academia, the advocacy community, and all who are interested, participate in the NIST process to develop the Cybersecurity Framework. <a href="http://www.nist.gov/itl/cyberframework.cfm">Visit NIST&rsquo;s website</a> to view NIST&rsquo;s request for information (RFI) and find out how to participate.</p>
<p>As the President&rsquo;s Cybersecurity Coordinator, I look forward to engaging all stakeholders in this important national mission.</p>
<p><em>Michael Daniel is Special Assistant to the President and Cybersecurity Coordinator.</em></p>
]]></description>
   <pubDate>Wed, 13 Feb 2013 18:39:23 -0500</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-226191</guid>
</item>
<item>
  <title>A Principled Stance on the Internet’s Future </title>
  <link>https://obamawhitehouse.archives.gov/blog/2012/12/21/principled-stance-internet-s-future</link>
  <description><![CDATA[<p>Last Friday, the World Conference on International Telecommunications (WCIT) ended without broad agreement regarding proposed revisions to a major international telecommunications treaty. Why? Because what should have been a limited effort to modernize quarter-century old telecommunications regulations turned into an attempt to legitimize greater state control over the Internet. The United States has consistently opposed such efforts based on <a href="/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf"><span class="s1">core principles</span></a>:&nbsp; that the Internet&rsquo;s social and economic benefits come from the free flow of information and ideas and that the technical innovation enabling this information flow comes from the full engagement of civil society, industry, and governments in the process.&nbsp;</p>
<p>The United States went to the WCIT <a href="http://translations.state.gov/st/english/texttrans/2012/11/20121129139303.html#axzz2FXVELHcp"><span class="s1">prepared to negotiate revisions to a telecommunications treaty</span></a>, last revised in 1988. These changes would have reflected the realities of the modern world while staying true to the charter of the Conference. Unfortunately, a small number of vocal states at the WCIT which do not endorse the principles of economic opportunity and free expression sought, in proposal after proposal, to instead focus on the Internet. Because of those efforts, the Conference&nbsp; missed a significant opportunity to encourage economic growth through greater broadband deployment.</p>
<!--break-->
<p>In the end, the United States determined that it could not sign the proposed treaty and we were far from alone in our stance. Fifty-four nations in the developed and developing world&mdash;including India, Kenya, the Philippines, Colombia, and almost all of Europe&mdash;have also chosen not to sign the treaty. Moreover, U.S. industry, <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112sconres50enr/pdf/BILLS-112sconres50enr.pdf"><span class="s1">Congress</span></a>, and <a href="http://www.internetsociety.org/news/internet-society-expresses-concern-over-direction-wcit-0"><span class="s1">civil society</span></a> were united in recognizing the value of a principled decision to protect&nbsp; the existing multistakeholder governance model of the Internet and not sign a treaty that could have set a dangerous precedent for greater state control of information on the Internet.</p>
<p>We recognize, however, that many states wanted something from this Conference that it did not provide, but could have: increased investment in broadband to connect more people around the world to the digital future. And to those nations, we reaffirm that our Administration is committed to connecting more across the globe to modern technology &mdash; and will do so both directly, and in forums positioned to address real needs in a constructive way.</p>
<p>The United States believes that <a href="http://www.fcc.gov/document/chairman-genachowski-statement-us-actions-wcit"><span class="s1">expanded global access to telecommunications services and broadband Internet</span></a>&mdash;combined with an inclusive Internet governance model&mdash;remains the best path towards economic growth that benefits everyone. We know that the WCIT was not the last place that those opposed to an inclusive Internet will try to gain legitimacy for their approach. As a result, the U.S. remains committed to upholding our principles in all our international engagements. The Obama Administration looks forward to continued discussions with all parties, from other nations to industry to civil society, on how best to promote the growth of this infrastructure so the world can continue to enjoy the benefits of digital innovation.</p>
]]></description>
   <pubDate>Fri, 21 Dec 2012 09:58:27 -0500</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-218356</guid>
</item>
<item>
  <title>United Behind the Free Flow of Information</title>
  <link>https://obamawhitehouse.archives.gov/blog/2012/12/11/united-behind-free-flow-information</link>
  <description><![CDATA[<p>Across his Administration, President Obama has taken bold steps advancing a digital environment that rewards innovation and empowers individuals the world over. These ideas, and the policies that support them, are cornerstones of America&rsquo;s economy. But the benefits from this approach extend well beyond the United States; they are equally important to the social and economic wellbeing of Internet users across the globe. This is why the United States is strongly represented at the World Conference on International Telecommunications (WCIT) treaty conference in Dubai this month, where over 100 delegates from the public sector, private sector, and civil society are joining with our international partners to ensure the future of global, interoperable telecommunications networks.</p>
<p>Several White House officials were on hand for the Conference&rsquo;s opening days, where the hosts in the United Arab Emirates welcomed delegates and took some positive steps to address <a href="/blog/2012/11/30/preserving-internet-freedom">concerns</a> that the Conference be accessible to those outside its halls. As a crossroads in the interconnected global economy, Dubai is a natural venue to bring together the diversity of voices and views at the WCIT.</p>
<p>From the start, the U.S. position has been clear: the WCIT should be about updating a public telecommunications treaty to reflect today&rsquo;s market-based realities &mdash; not a new venue to create regulations on the Internet, private networks, or the data flowing across them.&nbsp;</p>
<!--break-->
<div>
	<p>Today, over 85 percent of the world has access to mobile phones because of modern, competitive marketplaces.&nbsp; And while much is left to be done connecting more to this digital future, the solution is not counterproductive regulation at the national or international level.&nbsp; By supporting principles that expand telecommunications infrastructure to underserved and developing populations, the WCIT can play a valuable role in ensuring technological innovation continues for the benefit of all.</p>
	<p>But we should not confuse telecommunications infrastructure with the information that traverses it.&nbsp; The global consensus for a free and open Internet is overwhelming.&nbsp; Millions in the United States and around the world have already added their voices to this conversation, and their position is clear: they do not want the WCIT to govern the Internet or legitimize more state control over online content. &nbsp;Our Administration could not agree more &ndash; and will not support a treaty that sets that kind of precedent.</p>
	<p>That position unites our Administration, industry, civil society, both parties and houses of Congress, and stakeholders around the world.&nbsp; Communications technologies and the Internet are essential to economic growth and global prosperity.&nbsp; The world deserves a WCIT outcome that delivers more connectivity without undue regulations.&nbsp; The United States will remain a fierce advocate for those principles at the Conference, and beyond.</p>
	<div>
		<p><em>Michael Daniel is Special Assistant to the President and Cybersecurity Coordinator;&nbsp;</em><em>R. David Edelman is Senior Advisor for Internet Policy; and </em><em>Tom Power is U.S. Deputy Chief Technology Officer for Telecommunications.</em></p>
	</div>
</div>
]]></description>
   <pubDate>Tue, 11 Dec 2012 00:00:22 -0500</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;, &lt;a href=&quot;/blog/author/r-david-edelman&quot;&gt;R. David Edelman&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-217981</guid>
</item>
<item>
  <title>Staying Safe Online</title>
  <link>https://obamawhitehouse.archives.gov/blog/2012/10/15/staying-safe-online</link>
  <description><![CDATA[<p>We depend on the Internet and digital tools for many aspects of our daily lives. This fundamental reliance is why our digital infrastructure is a strategic national asset, and why today I joined leaders from the <a href="http://www.dhs.gov/">Department of Homeland Security</a>, members of Congress, and leaders from across New York and the financial world to support <a href="http://www.dhs.gov/national-cyber-security-awareness-month">National Cyber Security Awareness Month</a> (NCSAM) and the <em><a href="http://www.dhs.gov/stopthinkconnect.">Stop.Think.Connect.</a> </em>Campaign.</p>
<p><a href="/the-press-office/2012/10/01/presidential-proclamation-national-cybersecurity-awareness-month-2012">This month</a>, we recognize the role we all play in ensuring our information and communications infrastructure is interoperable, secure, reliable, and open to all. NCSAM reminds us that being safer and more secure online is a shared responsibility. That&rsquo;s why, during the month of October we pay special attention to &ldquo;Achieving Cybersecurity Together.&rdquo;</p>
<p>While increased connectivity has enormous benefits, it has also increased the importance and complexity of our shared risk. Many of our lives depend on technology, which makes cybersecurity one of our country&rsquo;s most important national security priorities. Our economy and critical infrastructure depend upon the Internet, as nearly all public and private sector entities conduct business and store critical data on Internet-connected networks.</p>
<p>Emerging cyber threats require engagement from the entire American community. This morning, I met with public and private leaders from the financial sector &ndash; individuals in the vanguard for securing our online banking systems, financial transactions and e-commerce. This afternoon, I&rsquo;ll engage with the <a href="http://www.secretservice.gov/ectf.shtml">U.S. Secret Service&rsquo;s Electronic Crimes Task Force</a> to examine law enforcement&rsquo;s coordinated efforts to combat cybercrime. Cybersecurity is a shared responsibility, from government and law enforcement to the private sector and members of the public, working together to create a safe, secure, and resilient cyber environment.</p>
<p>We know it only takes a single infected computer to potentially infect thousands and perhaps millions of others. It&rsquo;s our goal to make basic cybersecurity practices as reflexive as putting on a seatbelt &ndash; using antivirus software, being careful which websites you visit, not opening emails or attachments that look suspicious. These basic measures can improve both our individual and our collective safety online.</p>
<!--break-->
<p>At the White House, we are committed to achieving these shared goals, and we encourage you to take a few basic steps to be more secure:&nbsp;</p>
<ul>
	<li>
		Set strong passwords, and don&rsquo;t share them with anyone.</li>
	<li>
		Keep a clean machine &ndash; install regular updates to your operating system, browser, and other critical software applications.</li>
	<li>
		Maintain an open dialogue with your family, friends, and community about Internet safety.</li>
	<li>
		Carefully choose the amount of personal information you post online and use privacy settings to avoid sharing information widely.</li>
	<li>
		Be cautious about what you receive or read online &ndash; if it sounds too good to be true, it probably is.</li>
	<li>
		Please help us continue to spread the word about how to stay safe online.</li>
</ul>
<p>For more information on NCSAM 2012 or the <em>Stop.Think.Connect.</em> Campaign, visit <a href="http://www.dhs.gov/national-cyber-security-awareness-month">www.dhs.gov/national-cyber-security-awareness-month</a> or <a href="http://www.dhs.gov/stopthinkconnect">www.dhs.gov/stopthinkconnect</a>.</p>
]]></description>
   <pubDate>Mon, 15 Oct 2012 16:04:12 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-215731</guid>
</item>
<item>
  <title>Collaborative and Cross-Cutting Approaches to Cybersecurity</title>
  <link>https://obamawhitehouse.archives.gov/blog/2012/08/01/collaborative-and-cross-cutting-approaches-cybersecurity</link>
  <description><![CDATA[<p>As I reach the end of my first two months as Cybersecurity Coordinator, I wanted to highlight a few of the Administration&rsquo;s recent accomplishments working in partnership with the private sector, and also preview some of our future activities.&nbsp;Some of the Government&rsquo;s cybersecurity activities are already high-profile, like the recent National Level Exercise or our push for comprehensive cybersecurity legislation, but there is also substantial activity occurring outside of the spotlight. Both are needed if we are going to address the serious threats we face in cyberspace and capitalize on the exceptional opportunities cyberspace presents for governments, individuals, and U.S. businesses.&nbsp;</p>
<p>Like many tough issues, cybersecurity is a cross-cutting problem, affecting not only all Federal agencies, but also state and local governments, the private sector, non-governmental organizations, academia, and other countries.&nbsp;It is a national security, homeland security, economic security, network defense, and law enforcement issue all rolled into one.&nbsp;As a result, it takes a truly cross-cutting response to address the problem, with the public and private sector working collaboratively. Within the government and the private sector, many organizations will need to work together in new and sometimes initially uncomfortable ways.&nbsp;&nbsp; We will also need a combination of technical, policy, and legislative tools to respond.&nbsp;</p>
<p>Let me highlight a few recent initiatives where voluntary, cooperative actions are helping to improve the nation&rsquo;s overall cybersecurity:</p>
<!--break-->
<ul>
	<li align="">
		The <a href="http://www.gpo.gov/fdsys/pkg/FR-2012-05-11/pdf/2012-10651.pdf"><strong>Defense Industrial Base (DIB) Cybersecurity/Information Assurance (CS/IA)</strong></a>&nbsp;program helps companies protect critical information related to Department of Defense programs and missions.&nbsp;The government shares cybersecurity threat and mitigation information with DIB companies, and in turn, DIB companies can report known intrusions.&nbsp;</li>
	<li align="">
		The <strong>National Strategy for Trusted Identities in Cyberspace (NSTIC)</strong> seeks an &quot;Identity Ecosystem&quot; where individuals will soon be able to choose from a variety of more secure, convenient and privacy-enhancing technologies in lieu of passwords when they log in to different websites.&nbsp;The initial meeting of the <a href="http://www.idecosystem.org/">Identity Ecosystem Steering Group</a>, the private sector-led body that will help develop Ecosystem standards and policies, is happening next week.</li>
	<li align="left">
		The <a href="http://energy.gov/oe/services/cybersecurity/electricity-subsector-cybersecurity-capability-maturity-model"><strong>Electric Sector Cybersecurity Capability Maturity Model</strong></a>&nbsp;helps firms in the electric sector evaluate and strengthen their cybersecurity capabilities; it also enables the prioritization of network protection investments. This White House-initiated effort, led by the Department of Energy and in coordination with Department of Homeland Security, provides valuable insights to inform investment planning, research and development, and public-private partnership efforts in the electric sector.</li>
	<li align="left">
		In <strong>End-User Cybersecurity Protection</strong>, the government is participating in four linked initiatives across the IT industry, law enforcement, the financial sector, and government to counter the threat of malicious software &ndash; known as &lsquo;bots.&rsquo; This voluntary, <a href="http://industrybotnetgroup.org/">public-private effort</a>&nbsp;ties together the capabilities of different sectors to identify compromised computers and help their owners fix them.</li>
</ul>
<p>You likely already know that we are also working with Congress to update cybersecurity legislative authorities.&nbsp;There are many things that the Executive Branch can do with existing authorities, including some of the programs I just discussed. But, there are some things that require Congressional action.&nbsp;In particular, we urgently need legislation that enables both enhanced information sharing and the collaborative development of cybersecurity standards for the nation&rsquo;s core critical infrastructure.&nbsp;The information sharing component is critical &ndash; government and the private sector both need access to more information than they currently have, under a framework with robust privacy protections.&nbsp;But information sharing alone is not enough. Our critical infrastructure is fundamental to our economy and our national security.&nbsp;This infrastructure needs hardened and resilient networks to cope with the threats emanating from cyberspace; one necessary component of this hardening is the adoption of minimum security standards.&nbsp;These standards must be developed in concert with industry and not be overly burdensome, but it will take incentives only available through legislation to make such a process viable.&nbsp;&nbsp;&nbsp;</p>
<p>This ongoing work lays an excellent foundation, but there&rsquo;s more to be done.&nbsp;We will need to continue our efforts to make federal networks more secure and improve our ability to assist the private sector in protecting critical infrastructure.&nbsp;We must upgrade our ability to identify, categorize, and respond to threats in a timely and effective manner.&nbsp;We have to engage internationally with our partners, ensuring that the Internet retains its multi-stakeholder, open nature and remains an engine for economic growth. And we need to help shape the future of cyberspace, working towards a time when our computers and networks are secure right out of the box.&nbsp;</p>
<p>I look forward to this challenging work and the ongoing conversations needed to achieve our goals.&nbsp;</p>
<p><em>Michael Daniel is the White House Cybersecurity Coordinator.</em></p>
]]></description>
   <pubDate>Wed, 01 Aug 2012 17:18:24 -0400</pubDate>
 <dc:creator>&lt;a href=&quot;/blog/author/michael-daniel&quot;&gt;Michael Daniel&lt;/a&gt;</dc:creator>
 <guid isPermaLink="false">whr-226071</guid>
</item>
  </channel>
</rss>
