The Obama administration's new voluntary Cybersecurity Framework for critical infrastructure providers, announced Feb. 12, won't please everyone. But it does bring together for the first time a useful set of federally endorsed practices for private sector security. It also represents a welcome reprieve from the frosty government-industry relationship on matters of cybersecurity preparedness.
Industry leaders as well as President Obama were quick to acknowledge that the framework is just a first step in creating a cybersecurity playbook for the nation's 16 critical infrastructure sectors, including financial services, communications, and energy providers. It establishes an important precedent not only by defining common security standards, but also by offering carrots to the private sector rather than wielding a regulatory stick. The framework also serves notice to a gridlocked Congress that the White House can give traction to issues of national importance.
Critics will fault the framework as little more than a compilation of established industry security practices -- created to help companies identify security risks and protect themselves against, respond to, and recover from common attacks and breaches. It also includes standards and approaches for industrial control systems.
Four factors, however, make the framework more than just a reference manual.
First, the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who've combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.
Second, while the framework avoids laying out incentives for companies to adopt the recommendations, it appeals to the best interests of companies and their shareholders.
The cybersecurity framework doesn't tell companies what to do or what tools to buy. But it does standardize the questions all CEOs should ask about their companies' security practices as well as those of their suppliers, partners, and customers. And it shows them what the answers ought to look like. The economic pain hackers caused to Target and its CEO, Gregg W. Steinhafel, may be incentive enough for other CEOs to adopt NIST's recommendations.
A third and even more powerful factor is the likelihood that even without legislation, the framework will become the de facto standard for private sector cybersecurity in the eyes of US lawyers and regulators. That's the view of Gerald Ferguson, who specializes in intellectual property and technology issues for law firm BakerHostetler, as expressed in a recent opinion column he wrote for InformationWeek.
Fourth, the cybersecurity framework isn't just another set of NIST guidelines, but the outcome of President Obama's Executive Order on "Improving Critical Infrastructure Cybersecurity," which he announced in his 2013 State of the Union address.
"Cyber threats pose one of the gravest national security dangers that the United States faces," the president said earlier this week, a point reinforced in a new Defense News poll that found that nearly half of national security leaders think cyber warfare is a bigger threat to the US than terrorism.
But not everyone thinks the president's cybersecurity framework provides the right set of standards or adequately addresses how to make networks resilient against inevitable attacks.
Gerald Cauley, CEO of the North American Electric Reliability Corp., which develops reliability standards for power companies, argues that NIST's framework could undermine existing -- and in some cases more advanced -- cybersecurity practices already in effect.
Cauley also maintains that NIST and the Department of Homeland Security, which plays a lead role in coordinating national cybersecurity efforts, must do more to clarify incentives for following the framework, and how organizations can benefit from them, before companies will invest in them.
Russell Schrader, senior associate general counsel for Visa, voiced support for NIST's efforts to centralize best practices, but cautioned NIST "to avoid centralizing implementation of security measures across a diverse economy." Schrader warned of "unintended consequences that inhibit innovation," particularly for global companies. "The ability to globally scale an effort like cybersecurity [makes it] important to avoid confusing, duplicative, or contradictory standards," he said.
Even Defense Department experts, in pre-release comments about the framework, observed that it "does not address the cybersecurity challenges of industries or sectors as a whole." The DoD recommends that NIST encourage "threat sharing" across sectors and greater attention to privacy concerns.
Though not highlighted in the final version of the framework, the preliminary draft acknowledged a number of other issues, including the need for better authentication practices, guidance on sharing threat alerts automatically, and establishing assessment activities that affirm practices conform with industry standards. Meeting the demand for workers skilled in cybersecurity and big data analytics remains another concern.
Questions also remain on how to align US and global cybersecurity practices and divergent privacy standards and manage the risks inherent in today's global, just-in-time supply chains. NIST left these issues out of its final release, characterizing them as "important but evolving areas."
White House officials said the framework would continue to evolve. They also envision it will eventually be turned over to industry, or an industry-led not-for-profit group, to administer.
"The administration was very clear that they are not looking to expand regulations," one senior official said, "but instead want to align the regulatory structure to support the adoption of the framework."
Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ...