Obama's Cybersecurity Framework revealed (but is it enough?)
President Obama has launched the new Cybersecurity Framework, the Whitehouse's guide for infrastructure providers like gas, electric, and water, as well as banks and power plants to fend off digital attacks. The handiwork of a year's collaboration between the National Institute of Standards and Technology (NIST) and the private sector, the Framework consists of three components – the core, profiles, and tiers – designed to assess existing security levels, bring them (and employee understanding of them) up to a safer level, and then maintain those levels in future. However, there are already criticisms that the plan does not go far enough.
The heart of the Cybersecurity Framework is the "Core", which consists of multiple activities and references designed to help organizations of any type to "Identify, Protect, Detect, Respond, [and] Recover" from digital risks like hackers and malware. Then there are "Profiles" which balance cybersecurity measures with the individual requirements of different types of business, their tolerance to risk, and the resources they have.
Finally, there are the "Tiers" – spanning four levels – which " describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization's overall risk management practices."
"While I believe today's Framework marks a turning point, it's clear that much more work needs to be done to enhance our cybersecurity" President Obama said of the new guidelines today. However, he also called upon Congress to be more forthright in signing into law security legislation.
Without that legal framework, the Framework as it launches today is entirely voluntary for companies to adopt. Security advisors involved have described it as a "shared vocabulary about cybersecurity" that will allow businesses and government to better communicate about the issues involved, but there are no firm ways to tracking which organizations are complying, at least externally.
"The other key message today is that we wanted this framework to be voluntary. And that was important because it encourages the widest possible set of stakeholders to come to the table and work with us. It also ensures that the muscle in this approach comes from the companies themselves. Voluntary standards are a tradition in the United States because they work. When industries get together and determine for themselves what standards describe a quality of a product, these standards are much more likely to be adopted quickly and implemented fully" Senior Administration Official, Whitehouse
One possibility that has been mentioned previously is offering some sort of incentive – whether that be around tax or other support – for businesses wanting to adopt the Framework but concerned about the cost of doing so. However there is no mention of whether such a scheme will be included in this initial release; one administration official said that their potential effectiveness, and how they might be staged, is still under assessment, with more news "over the next few months."
President Obama originally revealed the creation of the Cybersecurity Framework back in February 2013, describing it as essential in the face of escalating online espionage. "We know foreign countries and companies swipe our corporate secrets" he said during his State of the Union speech. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems."