Power plants and other facilities that provide the basic needs of a nation are among the critical infrastructure that needs protection from cyber attacks. Shown here: The Exelon Byron Nuclear Generating Station, Byron, Ill. (Jeff Haynes / AFP)
The Obama administration has released a framework of best practices and voluntary standards for securing the nation’s critical infrastructure systems.
The 39-page document, released Feb. 12, represents a yearlong effort between industry and government, led on the government side by the National Institute of Standards and Technology. According to the administration, its aims are to develop a common language for discussing cybersecurity and to consolidate existing security standards so they can be used by small and large companies across all industry sectors, their suppliers and other entities they do business with.
The cybersecurity framework is designed to help companies measure their ability to identify the systems they need to protect based on priority and impact to the company’s mission, and how well they can detect, prevent, respond to and recover from a cyber attack. The administration has said the framework will evolve over time as the cyber threat changes and innovative tools are developed to combat those threats.
Last February, President Obama signed an executive order calling for the development of a cyber framework and a means to encourage its adoption across critical infrastructure. But the president said this won’t replace needed cybersecurity legislation from Congress.
“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” President Obama said in a statement. “I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties.”
The framework is available for all companies to use, but the administration is particularly focused on companies that own or operate assets or systems that, if attacked, could cause major economic damage and loss of life.
“It is a minimum level,” Randall Stephenson, chairman and CEO of AT&T, said of the framework’s security standards. “This is what minimum cybersecurity looks like,” Stephenson said, adding that he envisions using the framework with any company bonding with AT&T’s network.
While the framework standards are voluntary, the administration is taking steps to build security into its acquisition processes.
In general, industry’s response to the framework and the collaborative way in which it was developed has been positive.
Broad adoption of the framework will be critical to its success and the administration’s vision of improving cybersecurity, Lisa Monaco, assistant to the president for homeland security and counterterrorism, said at a White House event Wednesday. About 85 percent of the nation’s critical infrastructure is owned and operated by the private sector.
But the administration may never know how widely the framework is adopted because companies don’t have to report if they’re using it, according to one senior official.
The hope is that companies will also opt to join a voluntary program run by the Department of Homeland Security. The administration has not yet finalized which incentives it will offer to entice companies to join; the possibilities include tax breaks, cyber insurance, grants, public recognition and preference in government contracting. Some incentives may require congressional action.
The Critical Infrastructure Cyber Community program will provide telecommunications companies, banks and other entities with knowledge about cyber threats, ways to counter them and DHS assistance with designing and building secure systems, said DHS Secretary Jeh Johnson, who also spoke at the White House event.
The free DHS program provides a single point of access for communicating with agency experts, including immediate advice during an attack, Johnson said. DHS has facilitated more than 300 security assessments to help critical infrastructure companies identify their weaknesses.
It still isn’t clear what threshold the government will use to determine whether program participants qualify for future incentives. Companies will have the option of performing self-assessments or in-person facilitated assessments.
Agencies are encouraged to use the framework, including federal regulatory bodies. The goal, however, is not to expand regulation but to streamline existing regulations where possible and align them with the framework, according to another senior White House official.
“At the end of the day it’s the market that has to drive the business case,” the official said.