WASHINGTON, Feb 12 - The U.S. government is
expected on Wednesday to release the final version of voluntary
standards meant to help U.S. companies in nationally critical
industries better protect themselves against cyber attacks.
Criticized in earlier drafts for being too vague and
toothless, the so-called cybersecurity framework attempts to
turn a vast amount of industry input into guidelines designed
for 16 different sectors whose disruption could be devastating
to the country.
Exactly one year after President Barack Obama issued an
executive order directing a Commerce Department agency to
compile voluntary minimum standards, that agency, the National
Institute of Standards and Technology, or NIST, is due to issue
guidelines that companies have no obligation to adopt.
Drafters of the framework had to allay concerns among many in
the private sector that the voluntary standards could someday
harden into regulations. The threat of restrictive rules has
helped stall progress on passing a cybersecurity law in Congress.
The framework, drafted by the non-regulatory NIST in
consultation with thousands of industry experts, offers broad
benchmarks for companies to measure the effectiveness of their
cyber defenses.
"The federal government has an overriding interest to
protect critical infrastructure," said Norma Krayem, a former
official at the Transportation, State and Commerce departments
who now works with infrastructure companies as a senior policy
adviser at law firm Patton Boggs.
"But they don't own or control it, and at the moment, the
cyber framework is the means to work collaboratively with
critical infrastructure to address (cybersecurity) concerns."
'GETS MURKY REALLY FAST'
Cybersecurity experts warn that relentless efforts to hack
into U.S. banks and financial institutions, the power grid and
other critical infrastructure, paired with instances of
disruptive attacks abroad, pose a national security threat.
The issue recently became a household topic after hackers
stole about 40 million credit and debit card records and 70
million other records with personal customer data from the
third-largest U.S. retailer, Target Corp.
Many experts have expressed alarm at the lack of awareness
among some companies' leadership, or their reluctance, when it
comes to spending more money on cyber defenses. The framework
could force the issue into more executive suites, analysts say.
"At a minimum, it's going to force this conversation up the
food chain, out of the CEO office into the boardroom," said Tom
Kellermann, a former member of Obama's Commission on Cyber
Security and software company executive now with professional
services firm Alvarez & Marsal.
But it is unclear whether the private sector, always
concerned about liabilities attached to any standards, would
widely adopt the voluntary framework. The Departments of
Homeland Security, Commerce and Treasury are reviewing potential
incentives for adoption.
It is also unclear how effective the framework will prove in
practice.
"At that high level, they got it right. ... Further down, it
gets murky really fast," said Andrew Ginter, vice president of
industrial security at Waterfall Security Solutions, whose
clients include power plants and water-treatment facilities.
"The NIST framework never uses the word 'firewall.' It's
that abstract," he said, referring to a common standard
component of network security.
According to earlier drafts, the framework organizes its
guidance around five core functions, namely how effectively a
company identifies and protects network assets and detects,
responds to and recovers from breaches, and under those
functions offers sweeping categories such as "access control" or
"data security." A separate one-to-four-tier scale rates how
rigorously a company implements the framework as a whole.
The categories then break into slightly narrower areas, such
as keeping inventories of the software platforms and applications
in use, ensuring that top executives know their roles and
responsibilities, and setting information security policies.
The document also addresses how companies could do all of
that while protecting privacy and civil liberties.
The voluntary standards are meant to complement and fill the
gaps left by existing regulations that apply to some of the
sectors, such as energy and financial services.