Industry leaders and President Obama call the framework just
a first step in creating a cybersecurity
playbook for 16 US critical infrastructure sectors. But this is more than just
a reference manual.
The Obama administration's new voluntary Cybersecurity
Framework for critical infrastructure providers, announced Feb. 12, won't please
everyone. But it does bring together for the first time a useful set of
federally endorsed practices for private sector security. It also
represents a welcome reprieve from the frosty government-industry relationship
on matters of cybersecurity preparedness.
Industry leaders as well as President Obama were quick to
acknowledge that the framework is just a first step in creating a cybersecurity
playbook for the nation's 16 critical infrastructure sectors, including
financial services, communications, and energy providers. It establishes an
important precedent not only by defining common security standards, but also by
offering carrots to the private sector rather than wielding a regulatory stick.
The framework also serves notice to a gridlocked Congress that the White House
can give traction to issues of national importance.
First, the framework has credibility, as its recommendations come
not from Washington regulators, but from industry experts who have combated cyberattacks. In pulling
together the framework, the National Institute of Standards and Technology
went to great lengths to collect, distill, and incorporate feedback from
security professionals. More than 3,000 individuals and organizations
contributed to the framework.
The cybersecurity
framework doesn't tell companies what to do or what tools to buy. But it does
standardize the questions all CEOs should ask about their companies' security
practices as well as those of their suppliers, partners, and customers. And it
shows them what the answers ought to look like. The economic pain hackers caused
to Target and its CEO, Gregg W. Steinhafel, may be incentive enough for other
CEOs to adopt NIST's recommendations.
A third and even more powerful factor is the likelihood that
even without legislation, the framework will become the de facto standard for
private sector cybersecurity in the eyes of US lawyers and regulators. That's
the view of Gerald Ferguson, who specializes in intellectual property and technology
issues for law firm BakerHostetler, as expressed in a recent opinion column he
wrote for InformationWeek.
[Illustration: core functions and activities to support cybersecurity, from NIST Framework for Improving Critical Infrastructure Cybersecurity 1.0]
Fourth, the cybersecurity
framework isn't just another set of NIST guidelines, but the outcome of
President Obama's Executive Order on "Improving Critical Infrastructure Cybersecurity,"
which he announced in his 2013 State of the Union address.
"Cyber threats pose one of the gravest national
security dangers that the United States faces," the president said earlier
this week, a point reinforced in a new Defense News poll that found that nearly
half of national security leaders think cyber warfare is a bigger threat to the
US than terrorism.
But not everyone thinks the president's cybersecurity
framework provides the right set of standards or adequately addresses how to
make networks resilient against inevitable attacks.
Gerald Cauley, CEO of the North American Electric
Reliability Corp., which develops reliability standards for power companies,
argues that NIST's framework could undermine existing -- and in some cases more
advanced -- cybersecurity practices already in effect.