At any time a hacker could disable the electrical grid in the United States, shut down the financial industry, or interfere with other parts of the nation’s critical infrastructure. Now the United States has announced it is putting measures in place to guard against such potentially catastrophic attacks.
The Cybersecurity Framework announced by the White House on Feb. 12 describes voluntary industry standards and best practices aimed at preventing cyberattacks that would threaten the nation’s security, economic security, public health, or safety. President Obama directed the development of the Framework in an executive order issued one year ago—on Feb. 12, 2013.
In a statement on Wednesday, Obama said, “Cyber threats pose one of the gravest national security dangers that the United States faces.”
Obama said he believes “today’s Framework marks a turning point,” yet noted there is still work to be done to guard against cyber threats.
While the voluntary framework is available for all businesses to follow, it is mainly intended for critical infrastructure. Critical infrastructure refers to 16 industries and services necessary to keep the country running, and includes the energy grid and the financial sector.
The Framework was put together by the National Institute of Standards and Technology, which consulted with the private sector.
The National Institute’s report describing the Framework states that it has three parts, which aim to help companies develop cybersecurity strategies tailored to their individual needs.
“The Framework enables organizations—regardless of size, degree of cybersecurity risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure,” it states.
The framework makes clear that it’s not a grand solution to cyberthreats, and that organizations will still face risks unique to their companies. It refers to the new standards as a “next step” toward improving security of critical infrastructures.
One of the strongest criticisms typically made of government policies to fight cyberthreats is that threats adapt quickly and bureaucracy moves slowly.
The authors of the framework seem to be aware of this criticism. They call the framework a “living document” which they’ll continue to update and improve based on feedback.
“This will ensure it is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions,” the report states.
There are existing programs to guard critical infrastructure, particularly the National Infrastructure Protection Plan, which also has a program to share information on cybersecurity. Critics have argued Obama’s executive order on cybersecurity offers little that wasn’t already in place.
A Long Time Coming
The framework has been close to three years in the making. When risks of cyberthreats came to the forefront in 2010, discussion began over the need for clear systems to guard the United States and its allies from cyberattacks.
NATO announced its cybersecurity plan during the December 2010 NATO Lisbon Summit. The U.S. military released its cybersecurity strategy in July 2011.
As for the national strategy, however, there were initially two competing bills. One was Obama’s 2011 Cybersecurity Legislative Proposal. The other came through the Senate’s Homeland Security and Governmental Affairs Committee. Later in 2011, the House put forward several bills to address cybersecurity.
There was strong disagreement over the national strategy, with a flashpoint being how much power it would grant the president.
The White House proposal would have updated the Federal Information Security Management Act and placed the Department of Homeland Security (DHS) in charge of managing cybersecurity. DHS is under the White House.
The Senate committee’s proposal would have created a White House Office of Cybersecurity, and the leader of the office would have to be confirmed by the Senate. The Committee criticized the White House proposal as granting too much power to the president.
Both pieces of legislation failed to pass.
Disagreements came to a boiling point the following year when a Republican filibuster in the Senate blocked another piece of cybersecurity legislation, S. 3414, on Aug. 2, 2012.
Soon after, rumors started that Obama would address the issue with an executive order. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, resulted in the just-released framework, but that framework lacks mandatory measures and tougher oversight proposed in the various pieces of congressional legislation.