Industry leaders and President Obama call the framework just a first step in creating a cybersecurity playbook for 16 US critical infrastructure sectors. But this is more than just a reference manual.
The Obama administration's new voluntary Cybersecurity Framework for critical infrastructure providers, announced Feb. 12, won't please everyone. But it does bring together for the first time a useful set of federally endorsed practices for private sector security. It also represents a welcome reprieve from the frosty government-industry relationship on matters of cybersecurity preparedness.
Industry leaders as well as President Obama were quick to acknowledge that the framework is just a first step in creating a cybersecurity playbook for the nation's 16 critical infrastructure sectors, including financial services, communications, and energy providers. It establishes an important precedent not only by defining common security standards, but also by offering carrots to the private sector rather than wielding a regulatory stick. The framework also serves notice to a gridlocked Congress that the White House can give traction to issues of national importance.
First, the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who've combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.
Learn more about the Cybersecurity Framework.
The cybersecurity framework doesn't tell companies what to do or what tools to buy. But it does standardize the questions all CEOs should ask about their companies' security practices as well as those of their suppliers, partners, and customers. And it shows them what the answers ought to look like. The economic pain hackers caused to Target and its CEO, Gregg W. Steinhafel, may be incentive enough for other CEOs to adopt NIST's recommendations.
A third and even more powerful factor is the likelihood that even without legislation, the framework will become the de facto standard for private sector cybersecurity in the eyes of US lawyers and regulators. That's the view of Gerald Ferguson, who specializes in intellectual property and technology issues for law firm BakerHostetler, as expressed in a recent opinion column he wrote for InformationWeek.
Illustration of core functions and activities to support cybersecurity from NIST Framework for Improving Critical Infrastructure Cybersecurity 1.0
Fourth, the cybersecurity framework isn't just another set of NIST guidelines, but the outcome of President Obama's Executive Order on "Improving Critical Infrastructure Cybersecurity," which he announced in his 2013 State of the Union address.
"Cyber threats pose one of the gravest national security dangers that the United States faces," the president said earlier this week, a point reinforced in a new Defense News poll that found that nearly half of national security leaders think cyber warfare is bigger threat to the US than terrorism.
But not everyone thinks the president's cybersecurity framework provides the right set of standards or adequately addresses how to make networks resilient against inevitable attacks.
Gerald Cauley, CEO of the North American Electric Reliability Corp., which develops reliability standards for power companies, argues that NIST's framework could undermine existing -- and in some cases more advanced -- cybersecurity practices already in effect.