February 12, 2014
By Alina Selyukh
WASHINGTON, Feb 12 - The U.S. government on Wednesday released the final version of standards meant to help companies in nationally critical industries better defend against cyber attacks, and officials now face the challenge of getting the private sector to adopt the voluntary measures.
Criticized for being too vague and toothless, the so-called cybersecurity framework turned a vast amount of industry input into guidelines designed for 16 different sectors whose disruption could be devastating to the country, such as food and agriculture, energy or transportation systems.
The release from the National Institute of Standards and Technology comes exactly one year after President Barack Obama issued an executive order directing the agency to compile voluntary minimum cybersecurity standards as one step to counter the lack of progress on cybersecurity law in Congress.
"While I believe today's Framework marks a turning point, it's clear that much more work needs to be done to enhance our cybersecurity," Obama said in a statement.
"I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties," he said. "Meanwhile, my Administration will continue to take action, under existing authorities, to protect our nation from this threat."
The framework, drafted by the nonregulatory agency in consultation with thousands of industry experts, offers broad benchmarks for companies to measure the effectiveness of their cyber defenses.
The Obama administration had faced intense resistance from the private sector on its earlier push to mandate cyber defense standards, which contributed to stalled legislation. Now, the White House hopes companies voluntarily adopt the framework they have helped draft.
"This voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge," Obama said, and a senior administration official called the framework the beginning of a "continuing common-sense conversation" about protecting the nation's critical assets from cyber attacks.
The framework was widely welcomed by various industries, including telecommunications and financial services, and at the White House event to mark the rollout, AT&T Inc Chief Executive Officer Randall Stephenson suggested it may be used as a criterion when selecting companies for the supply chain.
"I think that the NIST standards will become over the next year or two, while we are waiting for legislation, the de facto best practices, just because they are accessible and current," said Jonathan Fairtlough, managing director at Kroll Advisory Solutions' cyber investigations practice.
WILL THEY ADOPT?
Cybersecurity experts warn that relentless efforts to hack into U.S. banks and financial institutions, the power grid and other critical infrastructure, paired with instances of disruptive attacks abroad, pose a national security threat.
The issue recently became a household topic after hackers stole about 40 million credit and debit card records and 70 million other records with personal customer data from the third-largest U.S. retailer, Target Corp.
Many experts have expressed alarm about the lack of awareness or reluctance among some companies' leaders to spend more money on cyber defenses. The framework could force the issue into more executive suites, analysts say.
"At a minimum, it's going to force this conversation up the food chain, out of the CEO office into the boardroom," said Tom Kellermann, a former member of Obama's Commission on Cyber Security and software company executive now with professional services firm Alvarez & Marsal.
But it is unclear whether the private sector, always concerned about liabilities attached to any standards, would widely adopt the voluntary framework.
The departments of Homeland Security, Commerce and Treasury are reviewing potential incentives for adoption, though some companies worry that incentives will come with strings attached and prompt more regulatory oversight or threat of lawsuits.
The White House has emphasized the voluntary nature of the framework and the need for companies to view cybersecurity as a business decision, part of their risk-management strategy.
"We may not ever know how widely the framework has been adopted, because obviously there's not a requirement," a second senior Obama administration official said on Wednesday. "There's an enlightened sense here that we're counting on."
The Department of Homeland Security on Wednesday also announced a program, called the Critical Infrastructure Cyber Community, that would help companies reach out to the government for assistance in adopting the framework; participation in it may help gauge the popularity of the standards, the official said.
'GETS MURKY REALLY FAST'
It is also unclear how effective the framework will prove in practice.
"At that high level, they got it right. ... Further down, it gets murky really fast," said Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, whose clients include power plants and water-treatment facilities.
"The NIST framework never uses the word 'firewall.' It's that abstract," he said, referring to a standard component of network security.
The framework's core groups a company's activities under five functions (identify, protect, detect, respond and recover) and breaks each into sweeping categories such as "access control" or "data security," against which a company can evaluate how effectively it identifies and protects network assets and detects, responds to and recovers from breaches. A separate one-to-four-tier scale, from "partial" to "adaptive," characterizes how rigorously the company's risk-management practices as a whole implement those outcomes, rather than scoring each category on its own.
The categories then break into subcategories, each describing a specific outcome, such as keeping an inventory of the software platforms and applications in use, ensuring that senior executives know their cybersecurity roles and responsibilities, and establishing an information security policy.
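To make that structure concrete, here is an added example (the editor's code, not the article's and not NIST's) that models a slice of the framework core as function, category and subcategory, and computes the gap between a "current" profile (outcomes a company meets today) and a "target" profile (outcomes it intends to meet), which is the comparison that actually lands in the boardroom. The subcategory IDs follow the framework's v1.0 naming scheme, but the outcome text is paraphrased, the slice is the editor's own selection, and both profiles are constructed sample data. The tier is modeled as a single organization-wide value, not a per-category score.

```python
"""Profile gap analysis over a slice of the NIST Cybersecurity Framework core.

Added example (not from the article, and not NIST code). The framework core
is a hierarchy: Function -> Category -> Subcategory, where each subcategory is
an outcome statement. A company records which outcomes it meets today (its
"current profile") and which it intends to meet (its "target profile"); the
gap between the two is the work plan.

Subcategory IDs follow the v1.0 naming scheme; the outcome text is paraphrased
and the slice is the editor's own selection. Both profiles are constructed
sample data.
"""
from collections import defaultdict

# Subset of the core: (function, category, subcategory id, outcome)
CORE = [
    ("Identify", "Asset Management", "ID.AM-2",
     "Software platforms and applications in the organization are inventoried"),
    ("Identify", "Governance", "ID.GV-1",
     "Organizational information security policy is established"),
    ("Identify", "Governance", "ID.GV-2",
     "Information security roles and responsibilities are coordinated with internal roles and external partners"),
    ("Protect", "Access Control", "PR.AC-1",
     "Identities and credentials are managed for authorized devices and users"),
    ("Protect", "Access Control", "PR.AC-4",
     "Access permissions are managed with least privilege and separation of duties"),
    ("Protect", "Data Security", "PR.DS-1",
     "Data at rest is protected"),
    ("Detect", "Security Continuous Monitoring", "DE.CM-1",
     "The network is monitored to detect potential cybersecurity events"),
    ("Respond", "Communications", "RS.CO-1",
     "Personnel know their roles and order of operations when a response is needed"),
    ("Recover", "Recovery Planning", "RC.RP-1",
     "Recovery plan is executed during or after an event"),
]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
BY_ID = {sub: (fn, cat, text) for fn, cat, sub, text in CORE}

# Implementation tiers describe the organization's overall risk-management
# practice; they are not a score attached to each subcategory.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed sample profiles: a company that has an application inventory,
# credential management, encryption at rest and network monitoring in place,
# and wants to meet the whole slice above.
CURRENT_PROFILE = {"ID.AM-2", "PR.AC-1", "PR.DS-1", "DE.CM-1"}
TARGET_PROFILE = {sub for _, _, sub, _ in CORE}


def validate(profile):
    """Reject unknown subcategory IDs so a typo cannot silently hide a gap."""
    unknown = sorted(set(profile) - set(BY_ID))
    if unknown:
        raise ValueError(f"unknown subcategories: {unknown}")


def gap_analysis(current, target):
    """Target outcomes not met today, grouped by function in core order."""
    validate(current)
    validate(target)
    missing = defaultdict(list)
    for sub in sorted(target - set(current)):
        fn, cat, text = BY_ID[sub]
        missing[fn].append((sub, cat, text))
    return {fn: missing[fn] for fn in FUNCTIONS if fn in missing}


def coverage(current, target):
    """Share of target outcomes achieved, per function (1.0 = fully met)."""
    validate(current)
    validate(target)
    met, total = defaultdict(int), defaultdict(int)
    for sub in target:
        fn = BY_ID[sub][0]
        total[fn] += 1
        met[fn] += sub in current
    return {fn: met[fn] / total[fn] for fn in FUNCTIONS if total[fn]}


def tier_name(tier):
    """Map a tier number to its name; only tiers 1-4 exist."""
    if tier not in TIERS:
        raise ValueError(f"tier must be 1-4, got {tier!r}")
    return TIERS[tier]


if __name__ == "__main__":
    print("Implementation tier: 2 (" + tier_name(2) + ")")
    for fn, frac in coverage(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{fn:8s} {frac:4.0%}")
    for fn, items in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE).items():
        for sub, cat, text in items:
            print(f"GAP {fn} / {cat}: {sub} - {text}")
```

Run as a script it prints the per-function coverage (the one-slide summary) and then the five unmet outcomes grouped by function (the work plan). Because the framework never names a control, each gap line still leaves the choice of mechanism, firewall or otherwise, to the company, which is exactly the abstraction Ginter is complaining about.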
The document also addresses how companies could do all of that while protecting privacy and civil liberties, a section that has come under fire for focusing on privacy both too much and too little.