The National Institute of Standards and Technology yesterday released the first version of the long-awaited cybersecurity framework, a voluntary set of guidelines designed to help improve cyber-defenses across a wide range of privately owned and operated critical infrastructures.
President Barack Obama called the Framework for Improving Critical Infrastructure Cybersecurity an important step toward securing the nation’s economic prosperity and national security, as well as protecting the civil liberties of ordinary Americans.
“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” Obama said in a statement released by the White House. “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”
During a background briefing with journalists, a senior administration official described the framework as the best means for organizations to establish a “credible” cybersecurity posture because it is based on “well-conceived” and “proven” methods of managing cybersecurity risks.
The framework “represents the beginning of what I hope will be a continuing, common-sense conversation” about critical infrastructure cybersecurity, the senior administration official said. “One of the biggest cybersecurity issues facing critical infrastructure companies in all of these sectors — transportation, financial, health care, communications, energy — is simply this: When are you doing enough? When do you know you’ve done the best you can to protect your company, your suppliers, your customers from the adverse effects of cybersecurity threats?”
Coming on the heels of several recent cyber-attacks that compromised more than 100 million customer records at major retail outlets, administration officials said they are hoping the framework will help spur change across the nation.
Obama referred to the framework as a “turning point” in the nationwide discussion about cybersecurity, and said the 39-page document is “a great example of how the private sector and government can, and should, work together to meet this shared challenge.”
The White House released statements it received from prominent private industry groups and executives showing support for the framework.
“The framework helps advance security and privacy by providing flexible guidance for cybersecurity risk management, focusing on what organizations should do without being overly prescriptive as to how they do it,” said Scott Charney, corporate vice president of the Trustworthy Computing Group at Microsoft Corp.
While Obama stressed his intentions “to take action, under existing authorities, to protect our nation from this threat,” he acknowledged the need for Congressional action on cybersecurity.
But there remain significant questions about the ability of a voluntary framework to lift the bar dramatically across the cybersecurity landscape of critical infrastructure owners and operators without Congress stepping in and providing some sort of financial or liability protection incentives in return for adherence.
“There will be a role for Congress,” said NIST Director Patrick Gallagher during a press briefing in October. “But I don’t think it’s an issue of whether the framework can succeed without Congress.” Rather, the framework can provide “a real lens” for looking at the incentive discussion, he said.
“From the beginning, the president envisioned this as a voluntary effort that would be based on consensus standards and industry best practices to the extent possible,” Gallagher said. “And from the beginning, we wanted to make sure this was something that was flexible and able to be tailored to the needs of individual businesses. This had to be a product of industry.”