The White House released a plan today for actions power plants, financial networks and other critical services can take to protect their computer networks from hacker attacks with potentially devastating consequences.
After a year of work involving President Barack Obama’s administration and businesses, the “cybersecurity framework” identifies actions and technical standards companies can voluntarily follow. It doesn’t require banks, utilities and other essential services to do anything and lacks a way to measure whether the nation’s defenses improve.
The document also doesn’t include financial incentives like tax breaks and legal protections that trade groups representing Bank of America Corp., Alliant Energy Corp., General Electric Co. and other companies say are necessary to help offset the cost of computer and network security upgrades.
“No one should imagine that this is a cure all,” Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, said in a phone interview today. “I don’t see a commitment across the board from industry to do the things that are necessary to keep hackers out of their systems.”
Obama issued an executive order last year to create the framework after failing to get Congress to require companies to better defend their networks. While the order called for incentives, the administration couldn’t work them out in time and some will require legislation or regulatory approval.
“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet,” Obama said in a statement. While calling the framework a “turning point,” he added that “it’s clear that much more work needs to be done to enhance our cybersecurity.”
The framework is “just a first step and there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure,” Robert Dix, vice president of government affairs for Sunnyvale, California-based Juniper Networks, said in a statement today.
Companies and government agencies spent more than $88 billion in 2013 on cybersecurity, more than double the $40 billion spent in 2006, according to research conducted by the Ponemon Institute based in Traverse City, Michigan.
The framework identifies five broad categories -- identify, protect, detect, respond and recover -- that companies should consider in cybersecurity planning, a senior administration official told reporters today. Each category includes subcategories outlining actions to take and the corresponding technical standards to be used to improve security, said the official, who was not authorized to speak on the record before the framework was formally announced.
The Department of Homeland Security will manage a program to encourage companies to use the framework. It may never be possible to know how many companies use the framework, said another senior administration official who was not authorized to speak on the record.
The two officials said they believe companies will use the framework based on the participation and interest they saw as it was developed during the last year.
The administration also will work on incentives that could include legal protections for companies that adopt the guidelines and still get attacked, tax breaks, insurance discounts and preferences for being awarded federal contracts and grants. No timeline has been established for coming up with incentives.
The framework establishes a baseline for cybersecurity, said Baker, a partner at the Washington law firm Steptoe & Johnson LLP.
“If you suffer an intrusion and your customers are harmed, you’re going to be sued,” Baker said. “If you haven’t followed a standard that the government recommends you follow, there’s likely to be a presumption of negligence.”
To make the framework more effective, DHS should be given authority to monitor how companies are complying with the guidelines and challenge businesses that fall short, he said.
Agencies responsible for regulating the security of critical infrastructure are due to report to the White House today whether they have sufficient authorities to address cyber risks, according to Obama’s executive order. Agencies that determine their authorities are insufficient then will have 90 days to propose remedies.
The U.S. Chamber of Commerce wants legal protections to ensure that threat and vulnerability information companies share with the government or each other will not lead to frivolous lawsuits, be publicly disclosed or used in regulatory actions, Ann Beauchesne, the group’s vice president of national security and emergency preparedness, said in a statement.
Congress would need to pass legislation giving companies liability protection for information sharing, and that’s unlikely anytime soon. Many lawmakers are outraged at the reach of National Security Agency spy programs exposed in documents leaked by former government contractor Edward Snowden and may be reluctant to approve bills that would give the government more visibility into what’s happening on private networks.
The Chamber is the nation’s largest business lobby and led opposition to legislation that would have created cybersecurity mandates.