The White House on Wednesday released the final version of the voluntary cybersecurity standards that President Barack Obama called for exactly one year ago in an effort to reduce risks to the United States’ critical infrastructure.
But after 12 whole months of development, tech experts aren’t sure if the latest effort to strengthen cybersecurity among the players involved in the nation’s power sector, telecommunications sphere and other at-risk realms meets what they think is warranted.
During his 2013 State of the Union address, President Obama acknowledged that earlier that day he signed an executive order intended to strengthen the country’s cyber defenses “by increasing information sharing and developing standards to protect our national security, our jobs and our privacy.” That executive order compelled the director of the National Institute of Standards and Technology, or NIST, to develop a framework intended to help entities reduce cyber risks faced by the nation’s most crucial assets. One year to the day, government officials announced during a White House press conference on Wednesday that they were ready to begin rolling out those standards to interested industry partners.
“Threats are becoming more sophisticated,” White House Chief of Staff Denis McDonough said during the event that afternoon, and “…the only way to address these threats effectively is through a true partnership between the government and the private sector.” Soon, however, participation in the program is expected to be mandated among government contractors.
When the president signed the order last February, he warned that the threat from cyberattacks has worsened in recent years and cited money-hungry hackers and malicious foreign nation-states as being among the biggest culprits behind attacks on America’s computer systems. One year later that threat has arguably only intensified — especially in light of the recent security breaches suffered by Target, Neiman Marcus and others — and the Obama administration hopes that companies that adopt the new framework will find themselves less likely to be brought down by highly skilled hackers.
The framework, its authors write, “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.” According to its executive summary it “enables organizations – regardless of size, degree of cybersecurity risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure” by providing “organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines and practices that are working effectively in industry today.”
Over the course of 47 pages, the document outlines a framework composed of five core functions — identify, protect, deter, respond and recover — intended to provide participating entities with a strategic view of how they match up against varying levels of attack. Elsewhere it shows participants how to align with best practices crucial to protecting the systems of critical infrastructure components, and how those organizations can structure themselves to assess a wide range of potential risks.
Critical infrastructure, as defined in that report, is composed of “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters,” and includes private sector businesses ranging from telecommunication providers to utility companies.