Obama's Cyber Security How-to Guide Gets Lukewarm Reception
At a White House ceremony, Secretary of Homeland Security Jeh Johnson touted the release of the administration's cyber security blueprint as a much needed guide for protecting the nation's critical infrastructure.
The highly anticipated "framework" for cyber security comes a year after the president issued an executive order directing the National Institute of Standards and Technology to produce voluntary guidelines for protecting critical information networks. The president issued the executive order after cyber security legislation stalled in the Senate, with no prospect of new legislation in the near term.
The blueprint unveiled Feb. 12 draws from industry "best practices" and generally has been described by experts as a useful first step that, over time, could help develop stronger protections against cyber attacks and boost cooperation between the government and the private sector.
"The cyber security framework is a good start at providing all organizations with information on practices that should improve overall cyber hygiene," Sedar LaBarre, of Booz Allen Hamilton, wrote in a blog post.
Industry experts said it is remarkable that NIST was able to produce this blueprint in just one year, with input from thousands of companies and universities.
The framework has spurred a heated debate in Washington about the need for cyber security regulations and policies at a time of growing threats such as malware, hackers and spies. Critics have questioned the value of voluntary guidelines and the absence of incentives for companies to adopt the framework. Policy makers at the White House and on Capitol Hill still disagree on whether cyber security should be mandated by the federal government or be treated as a private sector initiative.
"Some of this is going to be a work in progress," said Samuel S. Visner, vice president and general manager for global cyber security at CSC, in Falls Church, Va. This document should be seen as the beginning of what could be a long road toward the creation of cyber security standards for different industry sectors, he said in an interview.
The administration should be credited for providing valuable data to help infrastructure owners and mainstream industries build cyber protections, Visner said. Of note, NIST is not calling for the creation of a new regulatory structure, although DHS is responsible for coordination, he said. It pays "due respect" to sector specific agencies’ roles in overseeing cyber security.
The automotive supply chain, for instance, would work directly with the Transportation Department. "The standards are to be implemented by the infrastructure owners and operators with the support of the sector-specific agencies."
It is clear that there is additional work to be done, Visner said. The framework is a valuable vehicle to raise awareness that cyber security is in the public interest, he added. The framework does include an annex on protecting privacy and civil liberties.
“One of the key goals of advancing this nation’s cyber security is building trust and relationships between the government and the private sector,” Johnson said Feb. 12. “Part of that effort includes heightening awareness about the cyber security threat, in plain and simple terms the public can appreciate.”
Industry groups such as the Internet Security Alliance have disputed the practical value of the NIST framework. “Sophisticated attackers, including nation-states and nation-state affiliated sources, and increasingly criminal organizations, will not be substantially deterred by the basic standards and practices in the NIST framework,” said an ISA policy paper.
Anyone who expected NIST to provide immediate solutions missed the point, Visner said. "That was not the goal," he added. "It sets up the process for standards to be generated. This is not a regulatory document."
Setting standards takes time, and they have to come from industry, he said. "I don't think the framework was supposed to create standards." This should not be about penalizing or incentivizing anyone, said Visner. If a company can improve its cyber security, the cost would be part of the business model.
The challenge of developing standards only will become more difficult as cyber threats multiply — from hackers to insider leakers like Edward Snowden to industrial spies. "It is too soon to tell if the framework can address all this," said Visner. Despite many unanswered questions, he added, "I think the glass is well more than half full."
Sanford Reback, senior technology analyst at Bloomberg Government, said he expects DHS officials to begin a major outreach effort to encourage companies to adopt the framework. “The administration is limited in the incentives it can provide to companies to use the framework,” he said Feb. 6 during a Bloomberg webinar. One of the most divisive issues that stalled cyber security legislation last year was disagreement on whether the government could offer companies liability protection in exchange for sharing information. “That's not something that the Obama administration could provide, although it would be an important incentive,” he said. One question now is how the NIST framework might influence future cyber legislation, if Congress decides to bring it back.
Danielle Kriz, director of global cyber security policy at the Information Technology Industry Council, said Washington tends to get worked up about these initiatives. She credited the administration for trying to create a “culture of cyber security,” regardless of whether one finds the framework useful. Although the blueprint is aimed at critical infrastructure, it could be applicable to any sector, she said.
LaBarre said some industries will move quickly to use the framework while others will consider the return on investment. “Booz Allen expects more dialogue on how the cyber security community can bridge the gap between fast-changing technology and risk management so organizations of any type or size in industry and government are prepared for the ongoing waves of cyber attacks.”
Speaking at the White House Feb. 12, Johnson announced that DHS now offers free cyber security help to companies that provide critical services. “They will have direct access to cyber experts at DHS at no cost,” he said. The program, called Critical Infrastructure Cyber Community, or “C Cubed” (C3), was launched this month to coincide with the release of the NIST framework. “The C3 program gives companies that provide critical services like cell phones, email, banking, energy, and state and local governments, direct access to cyber security experts within the Department of Homeland Security,” Johnson said. C3 is also available for immediate advice and assistance in the event of an actual cyber attack.