By Debra Cope
Cybersecurity is just one of many issues Bruce H. Andrews juggles in his role as U.S. Deputy Secretary of Commerce. The department, after all, has a large portfolio, with duties as varied as promoting international trade, overseeing the National Weather Service and keeping the U.S. Patent and Trademark Office humming.
But cybersecurity has a special pull on Andrews, the department’s standard bearer on the issue. And that is not simply because his purview as the No. 2 official at the Commerce Department includes the National Institute of Standards and Technology, the author and keeper of the NIST Cybersecurity Framework.
Andrews cut his teeth on cybersecurity in the spring of 2009 upon joining the Senate Commerce Committee as general counsel. Then-Chairman Jay Rockefeller (D-W.Va.) put him straight to work on the first draft of comprehensive cybersecurity legislation. Though the bill was debated extensively, it became a political football and was not enacted; Rockefeller did, however, have some influence on President Obama’s decision to issue the 2013 executive order that yielded the NIST framework. “I worked intensively on the issue for two and a half years,” Andrews says. “And how the debate has changed over the course of time!”
A key difference is that only six years ago, “most people in the private sector, including large technology companies, said ‘we’ve got cybersecurity under control,’” Andrews recounts. Today—a generation later in the warp-speed reality of technological innovation—there is deeper understanding of how critical the risks are and how interlinked entities are. Andrews noted that the number of devices connected to the Internet is expected to triple to 50 billion in the next five years.
“Cybersecurity is a major priority for the Department of Commerce because of the potential economic impact from the breaches we already see taking place, and also because of potential damage from increased cybersecurity threats,” Andrews says.
It is also an area where American innovation has created opportunities. He exudes enthusiasm as he recounts how he recently led a trade mission to Romania and Poland for 20 U.S. cybersecurity companies and held a cybersecurity summit with 11 adjoining countries. Closer to home, he has convened numerous small group and outreach meetings to drive adoption of the NIST framework.
Andrews gives the banking industry solid marks for how it is grappling with threats that include denial-of-service attacks, theft of intellectual property and network and system intrusions. “There is strong recognition in the banking sector of how important and also how existential cyber threats are.” In corporate America broadly, however, “it is a very mixed bag. There are some that frankly have not been taking it as seriously.”