
New US cybersecurity standards: Will they do enough?

The Obama administration has unveiled the nation's first cybersecurity standards to protect critical infrastructure. The voluntary standards – which met with some criticism – are an attempt to address US vulnerabilities to cyberattack.

AP Photo/Kathy Kmonicek, File
In this file photo, utility workers repair power lines damaged by Superstorm Sandy. Criticism greeted the White House's release of new cybersecurity standards Wednesday. The voluntary guidelines are intended to protect critical infrastructure.

The Obama administration on Wednesday unveiled America’s first-ever cybersecurity standards aimed at helping businesses protect the critical infrastructure they own – to a huge chorus of complaints.

Not enough privacy protections built into the standards, privacy groups complained. Not enough incentives to actually induce companies to use these voluntary standards, security wonks moaned. Not enough backbone to ensure that critical infrastructure – like the power grid – is really safe, others said.

“Inevitably you’re going to have people unhappy with the process because it was a voluntary system with so many factors being considered from a high level,” says Jessica Herrera-Flanigan, a cyberpolicy expert at the Monument Policy Group consultancy. “Is it helpful, yes.... Will it solve all of our cybersecurity problems, probably not. We now need companies to go through and figure out how to implement the concepts in it. This is just the beginning.”

The unveiling of the cyber framework, developed by the National Institute of Standards, comes after the White House tried, and failed, to get tough cybersecurity legislation through Congress last year. Though the executive order issued Feb. 12 cannot compel private companies that own the power grid, for instance, to comply – only legislation can do that – the voluntary standards are an attempt at least to do what is possible to address US vulnerabilities to cyberattack.

At its core, the framework is a set of best practices, standards, and guidelines intended to help organize the way firms think about cyberrisks, benchmark their progress, and improve their overall preparedness, administration officials said.

The framework also aims to increase timely sharing of threat information, digital signatures, and reports between the Department of Homeland Security (DHS) and willing companies, including the issuance of security clearances to critical infrastructure operators.

It also will expand a Department of Defense Enhanced Cybersecurity Initiative that shares threat and protection information with defense contractors to include key infrastructure companies.

Moreover, it adds a new Critical Infrastructure Partnership Advisory Council in which DHS would help orchestrate cybersecurity upgrades for critical infrastructure. DHS would work with specific federal agencies to persuade companies to become involved and upgrade their systems.

Despite acknowledging it as a first step, the administration touted the standards, saying that it had acted where Congress had not for two years – and that the standards at least get the ball rolling on securing the cybersystems that undergird US systems for food, water, transportation, finance, and energy production, to name a few.

“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” President Obama said in a statement Wednesday. “Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.... I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties.”

But the order largely fell short of many experts’ expectations for what could be done, even voluntarily.

Greg Nojeim, a privacy advocate at the Center for Democracy and Technology, in a statement called the voluntary cybersecurity framework “useful guideposts for companies who want to better secure their data.” But privacy measures in the standards were “watered down,” and it’s unlikely that violations could be measured under the new yardstick, he noted.

Still, some companies were positive about the voluntary measures.

“We believe the NIST cyber security framework provides a workable approach to protecting our bulk transmission system and are pleased to have been part of the development effort,” said Bennett Gaines, senior vice president of corporate services and chief information officer at FirstEnergy, an Ohio-based electric utility with about 6 million customers across Ohio, Pennsylvania, and New Jersey.

Administration officials were upbeat, saying the measures could go a long way even using mild incentives such as publicly recognizing companies that had met the standards. Lower insurance costs could result, they said.

“We face an adversary that is faster than we are,” Phyllis Schneck, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at DHS, told an audience of policy experts at a cybersecurity conference hosted by the Center for National Policy and the Monitor on Wednesday.

“The way we counter an adversary like that is to make their profit model harder. And the way we do that is to make our infrastructure more secure,” she said. “This framework is a huge vehicle to enable companies, to give them a formula almost that they can adopt to their own use.”

True, but spreading the gospel of cybersecurity to all corners of private industry – which owns about 85 percent of the nation’s critical infrastructure – will require that companies see useful results that start in the federal government itself, some at the cybersecurity conference said.

“On the positive side, they did adopt a model that includes detection, response, and resolution,” says Richard Bejtlich, chief security strategist for FireEye, a Silicon Valley computer security firm. “On the bad side, I would prefer to see more action by the federal government in securing their own networks to set an example for how it should be done. That hasn’t happened yet.”

https://www.csmonitor.com/World/Passcode/2014/0212/New-US-cybersecurity-standards-Will-they-do-enough