The defense industrial base is among the critical infrastructure identified by the Obama administration as needing better protection from cyber threats. (Lockheed Martin)
Almost a year after President Obama issued an executive order aimed at bolstering protections against computer hacking attacks, a key juncture comes next month when the government releases a framework for reducing the risks of cyber threats.
“I think it’s very highly anticipated,” said Scott Montgomery, vice president and chief technology officer for the public sector at McAfee, an information security firm. If the final framework is seen as a way for people to “make their organizations better, without spending a ton of money,” Montgomery said, “I think it will be widely utilized, well received.”
The job of developing the framework rests with the National Institute of Standards and Technology, a branch of the Commerce Department. A preliminary version of the plan released in October attracted more than 200 comments from businesses, federal agencies and others. The final version is scheduled for publication Feb. 13. While there will be some changes to the draft, they will not be significant, NIST spokeswoman Jennifer Huergo said.
In his order, which came after Congress failed to act on cybersecurity legislation, Obama defined critical infrastructure as any system or assets whose destruction would have “a debilitating impact” on security, national economic security and national public health or safety. The Department of Homeland Security has designated 16 sectors — including chemical plants, government facilities and the defense industrial base — as falling under that umbrella. The online hacking threat to such sectors ranks among “the most serious national security challenges” facing the nation, Obama wrote.
One factor that stymied congressional approval of a cybersecurity bill was industry fear of government heavy-handedness. As much as possible, the framework is supposed to incorporate “consensus standards and industry best practices,” the order adds. For businesses and other entities, adoption will be voluntary.
A key goal is to encourage organizations to take cybersecurity threats as seriously as they deal with safety risks and other pitfalls that are typically part of operating routines. The framework’s preliminary version spells out a core set of commonly used cybersecurity approaches, methods for determining whether those approaches are working and suggestions on how to implement them.
NIST consulted with more than 3,000 individual and organizations in crafting the document.
“We want to turn today’s best practices into common practices,” Patrick Gallagher, the agency’s director, said in a news release announcing release of the preliminary version.
The final document will come out as the fallout is still settling from the disclosure that online thieves stole credit card data and other personal information late last year for tens of millions of customers of the Target store chain.
Rep. Elijah Cummings of Maryland, the top Democrat on the House Oversight and Government Reform Committee, is seeking a hearing on the breach. While retailing is not deemed critical infrastructure, the episode underscores the economic ramifications of network hacking, said Eric Burger, director of Georgetown University’s Security and Software Engineering Research Center.
“Certainly if I were a director at Target, I would be asking, ‘Does this apply?’ ” Burger said of the framework.
But the framework needs to be voluntary and flexible, said Steve Kester, director of government affairs at Advanced Micro Devices, a technology firm involved in cybersecurity research and development, who called the preliminary draft a good step forward.
Once the final version is out, it will need to be under continual review, he added, “because it’s dealing with a constantly evolving ecosystem.” ■