Sen. Sheldon Whitehouse, D-R.I., said that he is concerned about the Trump administration’s widespread adoption of the NIST Cybersecurity Framework.
“The NIST Framework has never been adequately validated,” Whitehouse said at FCW’s Big Issues Conference on Nov. 1.
Whitehouse said that he wonders whether agencies have accepted the NIST Framework because it’s effective or because “compliance demands so little effort.” Whitehouse said that the framework needs to be tested.
One way to test the framework would be to assign a white hat hacking team to attempt to breach a system that is compliant with the framework. Whitehouse said that the Federal government needs a “roving” Inspector General team with the authority to conduct white hat hacking tests on agency networks, so that agency heads are held accountable for the cybersecurity posture of their networks.
The Department of Homeland Security (DHS) already conducts red team penetration operations on a smaller scale to test the security of Federal networks; however, Whitehouse said that he wouldn’t increase DHS’s responsibilities.
“The view that is held around Congress is that giving DHS more authorities is not a great thing,” Whitehouse said. “I care less about its location than I do about its authorities.”
Whitehouse said that he understands why the Department of Defense would be nervous about an IG team of hackers, but he thinks it would work for the civilian agencies.
Whitehouse also said that the overclassification of information about cyberattacks limits public awareness of cybersecurity issues. Whitehouse said that the Federal government needs a “discloser in chief” who constantly updates the public about cyberattacks that have occurred in the public and private sectors.
“Over the years, I see more and more people paying attention, which is a good thing,” Whitehouse said.
Whitehouse said that Congress should work to pass his bipartisan Botnet Prevention Act, which would give law enforcement increased authorities to detect and shut down botnets before they’re used to carry out large denial-of-service attacks.
Whitehouse said that the Trump administration took an “important first step” in signing the Cybersecurity Executive Order in May. He also applauded the work being done by Tom Bossert, White House Homeland Security adviser, and Rob Joyce, White House cybersecurity coordinator.
“I see them as knowledgeable, professional, and sincere,” Whitehouse said.
The Cybersecurity Executive Order called for 15 reports from various agencies with due dates spanning from June 2017 to May 2018. Whitehouse said that the administration should begin discussing solutions before the last report gets released.
“We ought not wait until the middle of next year…before we get around to considering legislative steps to improve our cybersecurity,” Whitehouse said. “We need the president and his Cabinet to actually make cybersecurity a priority and to talk to Congress about solutions.”