Government // Cybersecurity
News
2/12/2014
05:00 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Feds Launch Cyber Security Guidelines For US Infrastructure Providers

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo.

6 Cool Apps From Uncle Sam
6 Cool Apps From Uncle Sam
(click image for larger view and slideshow)

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It's a catalog of industry best-practices and standards that creates a voluntary template for companies to use in developing better security programs.

The Framework for Improving Critical Infrastructure Cybersecurity "enables organizations -- regardless of size, degree of cybersecurity risk, or cybersecurity sophistication -- to apply the principles and best-practices of risk management to improving the security and resilience of critical infrastructure," the White House said in a statement.

Although the document was hailed by administration officials as a "major turning point" in cybersecurity, it contains little that is revolutionary or even new. The National Institute of Standards and Technology, working with the Homeland Security Department and industry stakeholders, has compiled a set of known, publicly vetted standards that can be applied to identify, protect from, detect, respond to, and recover from risks.

The framework is technology-neutral and does not specify tools or applications to be used. Choices of technology are left to the user in addressing each category of risk management.

[Experts believe NIST's voluntary Cybersecurity Framework will become the de facto standard for litigators and regulators. Read NIST Cybersecurity Framework: Don't Underestimate It.]

The framework is built on three basic components:

  • Core. A set of common activities that should be used in all programs, providing a high-level view of risk management.
  • Profiles. These help each organization align cybersecurity activities with its own business requirements, and to evaluate current risk management activities and prioritize improvements.
  • Tiers. Tiers allow users to evaluate cybersecurity implementations and manage risk. Four tiers describe the rigor of risk management and how closely it is aligned with business requirements.

The framework is one leg of a three-pronged program set out in a presidential executive order on protecting privately-owned critical infrastructure, issued one year ago in response to Congress's failure to pass cybersecurity legislation. The second leg involves information sharing among companies and between the public and private sectors. The third leg attempts to address the protection of privacy and civil liberties.  

Privacy was a difficult area for stakeholders to come to a consensus on during the five public workshops and multiple iterations of the document. Some protections are incorporated in instructions for using the framework, but privacy was identified as an area that needs to be better addressed in future versions.

Although it would be difficult today for any attack to cause widespread, long-lasting damage to the nation's critical infrastructures, cyberattacks are becoming more effective. Demonstrated weaknesses in the IT systems that control and support the energy, transportation, financial services industries, and others leave them vulnerable to these attacks.

President Obama calls the latest cyber security framework 'a turning point.' (Source: White House)
President Obama calls the latest cyber security framework "a turning point."
(Source: White House)

Although the framework is voluntary and will depend primarily on "enlightened self-interest" to drive its use, it is not entirely without teeth. Regulatory agencies are working to harmonize existing regulations with the document, and government procurement requirements are likely to include conformance to the framework for contractors and suppliers.

But one White House official said during a briefing, "The goal is not to expand regulation."

Other incentives for adoption are expected to include public recognition, cyber insurance and cost recovery programs, all of which can be implemented without legislation. Administration officials said they will ask Congress for additional authority as needed, for protections such as limitations on liability for companies adopting the framework. But given the slow pace of legislation in the current Congress the administration's goal is to convince companies operating critical infrastructure that using the framework would be a good business decision.

Drafters said the framework creates a shared vocabulary for discussing and describing cybersecurity that can be used by a broad range of companies in different industries to create and evaluate risk-management programs. Gaps in programs can be identified and plans tailored to meet the specific needs for each user.

Focus on resilience
In an effort to support adoption of the framework by the private sector, the Department of Homeland Security is also launching a voluntary Critical Infrastructure Cyber Community program. According to DHS Secretary Jeh Johnson, the program will provide a "single point of access" to the department's cybersecurity experts for anyone needing help or advice.

Although the program is just getting underway, one of its services, the Cyber Resilience Review, has already been widely used by industry. The review lets organizations assess their current programs and determine how well they are aligned with the practices and standards of the framework. More than 300 of the reviews have been carried out.

President Obama, in a prepared statement, called the framework a turning point, but added, "It's clear that much more work needs to be done," a sentiment shared by the document's supporters and detractors alike.

Bob Dix, VP of global government affairs and public policy for Juniper Networks, called it "a laudable first step," but said "there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure."

Because the framework is based on existing practices and standards, it has been criticized as enshrining the status quo rather than advancing cybersecurity. NIST officials said it is a living document that will be regularly updated.

A preliminary draft of the framework laid out areas for improvement to be addressed in future versions. These include authentication, automated information sharing, assessing compliance with standards, workforce development, big data analytics, international impacts, privacy standards, and supply chain management.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/7/2014 | 8:25:24 AM
Re: President Obama
Wait until somebody hacks .MIL and sends a nuke to the White House. However Stuxnet was aimed at Iran which recieved much its nuclear know how from Pakistan; Paki nukes are armed and aimed at India. Apparently wasn't hard for NSA to hack their military and someone could send a nuke to Israel or India. Start WWIII.
nathanlm
50%
50%
nathanlm,
User Rank: Apprentice
2/12/2014 | 8:05:55 PM
President Obama
Don't tread on me.
GPStew
50%
50%
GPStew,
User Rank: Apprentice
2/12/2014 | 6:20:46 PM
Re: Industry led
Fadi Chehade, CEO, ICANN - made his point clear that the US control of cyber governance is unsustainable - his interview can be found here - http://siliconangle.tv/explorations-in-cyberspace-international-relations/#_Fadi-Chehade-MIT-ECIR-2014-theCUBE/Fadi-Chehade-President-CEO-ICANN-Visits-theCUBE_
WKash
50%
50%
WKash,
User Rank: Author
2/12/2014 | 5:35:04 PM
Industry led
Worth noting in today's announcements; Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator said that the Cybersecurity Framework will continue to evolve but will ultimately be handed over to industry (or an industry led not-for-profit) to administer.  That's a good sign that the administration understands that for this to succeed, industry needs to own it, not government.

 
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.