The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo.
The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It's a catalog of industry best practices and standards that creates a voluntary template for companies to use in developing better security programs.
The Framework for Improving Critical Infrastructure Cybersecurity "enables organizations -- regardless of size, degree of cybersecurity risk, or cybersecurity sophistication -- to apply the principles and best-practices of risk management to improving the security and resilience of critical infrastructure," the White House said in a statement.
Although the document was hailed by administration officials as a "major turning point" in cybersecurity, it contains little that is revolutionary or even new. The National Institute of Standards and Technology, working with the Homeland Security Department and industry stakeholders, has compiled a set of known, publicly vetted standards that can be applied to identify, protect from, detect, respond to, and recover from risks.
The framework is technology-neutral and does not specify tools or applications to be used. Choices of technology are left to the user in addressing each category of risk management.
The framework is built on three basic components:
- Core. A set of common activities that should be used in all programs, providing a high-level view of risk management.
- Profiles. These help each organization align cybersecurity activities with its own business requirements, and to evaluate current risk management activities and prioritize improvements.
- Tiers. Tiers allow users to evaluate cybersecurity implementations and manage risk. Four tiers describe the rigor of risk management and how closely it is aligned with business requirements.
The framework is one leg of a three-pronged program set out in a presidential executive order on protecting privately owned critical infrastructure, issued one year ago in response to Congress's failure to pass cybersecurity legislation. The second leg involves information sharing among companies and between the public and private sectors. The third leg attempts to address the protection of privacy and civil liberties.
Privacy was a difficult area for stakeholders to come to a consensus on during the five public workshops and multiple iterations of the document. Some protections are incorporated in instructions for using the framework, but privacy was identified as an area that needs to be better addressed in future versions.
Although it would be difficult today for any attack to cause widespread, long-lasting damage to the nation's critical infrastructures, cyberattacks are becoming more effective. Demonstrated weaknesses in the IT systems that control and support the energy, transportation, and financial services industries, among others, leave them vulnerable to these attacks.
[Image caption] President Obama calls the latest cyber security framework "a turning point." (Source: White House)
Although the framework is voluntary and will depend primarily on "enlightened self-interest" to drive its use, it is not entirely without teeth. Regulatory agencies are working to harmonize existing regulations with the document, and government procurement requirements are likely to include conformance to the framework for contractors and suppliers. But one White House official said during a briefing, "The goal is not to expand regulation."
Other incentives for adoption are expected to include public recognition, cyber insurance and cost recovery programs, all of which can be implemented without legislation. Administration officials said they will ask Congress for additional authority as needed, for protections such as limitations on liability for companies adopting the framework. But given the slow pace of legislation in the current Congress, the administration's goal is to convince companies operating critical infrastructure that using the framework would be a good business decision.
Drafters said the framework creates a shared vocabulary for discussing and describing cybersecurity that can be used by a broad range of companies in different industries to create and evaluate risk-management programs. Gaps in programs can be identified and plans tailored to meet the specific needs of each user.
Focus on resilience
In an effort to support adoption of the framework by the private sector, the Department of Homeland Security is also launching a voluntary Critical Infrastructure Cyber Community program. According to DHS Secretary Jeh Johnson, the program will provide a "single point of access" to the department's cybersecurity experts for anyone needing help or advice.
Although the program is just getting underway, one of its services, the Cyber Resilience Review, has already been widely used by industry. The review lets organizations assess their current programs and determine how well they are aligned with the practices and standards of the framework. More than 300 of the reviews have been carried out.
President Obama, in a prepared statement, called the framework a turning point, but added, "It's clear that much more work needs to be done," a sentiment shared by the document's supporters and detractors alike.
Bob Dix, VP of global government affairs and public policy for Juniper Networks, called it "a laudable first step," but said "there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure."
Because the framework is based on existing practices and standards, it has been criticized as enshrining the status quo rather than advancing cybersecurity. NIST officials said it is a living document that will be regularly updated.
A preliminary draft of the framework laid out areas for improvement to be addressed in future versions. These include authentication, automated information sharing, assessing compliance with standards, workforce development, big data analytics, international impacts, privacy standards, and supply chain management.