Banks to Utilities Given U.S. Standards to Fight Hackers
By Chris Strohm
President Barack Obama’s administration proposed standards for banks, utilities and other companies to voluntarily follow to prevent hackers from infiltrating their computer networks.
The measures are intended to help companies that provide critical services inside the U.S. -- such as electricity, financial transactions and health care -- improve their digital defenses, according to the National Institute of Standards and Technology.
“The national and economic security of the United States depends on the reliable functioning of critical infrastructure,” according to the document. “Due to the increasing pressures from external threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk.”
Obama issued an executive order in February to create the voluntary guidelines. While it called for offering incentives to companies responsible for protecting critical infrastructure to encourage them to adopt the standards, the proposal doesn’t discuss any.
Incentives under consideration by the White House include protecting companies that adopt the standards from lawsuits if their networks are attacked, Michael Daniel, Obama’s cybersecurity coordinator, wrote in an Aug. 6 blog post.
Obama issued his order after the U.S. Chamber of Commerce, the largest U.S. business lobby, led opposition last year to legislation backed by the president that would have created mandates for companies to protect their networks.
The draft proposal was due Oct. 10 and was delayed because of the partial government shutdown, which ended Oct. 17. A final version of the framework is due in February.
The proposal outlines five areas companies should focus on to manage their cybersecurity risks: identify, protect, detect, respond and recover.
Within each area are recommended standards that should be considered. For example, in order to protect networks, companies should ensure that access to data and facilities is limited to authorized personnel, according to the document.
When responding to hacking attacks, companies should arrange for mitigation activities to be performed to prevent an intrusion from expanding, the document states.
The document also includes recommendations to safeguard personal information of employees and customers so cybersecurity operations don’t violate privacy laws.
“The framework is designed to complement existing business and cybersecurity operations,” the document said. “It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program.”
A bill from Representative Mike Rogers, a Michigan Republican and chairman of the House intelligence committee, would give companies legal protections for sharing cyberthreat data between each other and with the government.
Rogers’ effort to move the bill through Congress has stalled since June, when former National Security Agency contractor Edward Snowden began leaking details about the extent of the government’s spying programs.
The House passed the bill, H.R. 624, in April by a vote of 288-127. Obama vowed to veto the bill because it didn’t have adequate privacy protections. The Senate has yet to take up the measure.