
White House Uploads U.S. Cybersecurity Framework

By Andrew Ramonas and Steven Salkin
February 28, 2014

President Barack Obama's administration on Feb. 12 released its much-anticipated voluntary cybersecurity framework, giving U.S. companies a common handbook on how they can try to fend off hackers.

Framework Announced

The Framework for Improving Critical Infrastructure Cybersecurity, put out by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST), is intended to help banks, utilities, technology companies and other businesses that work with critical infrastructure better appraise their risks from hackers and fortify themselves from cyberattacks. The guidelines, which NIST said it will update as warranted, came one year after Obama signed an Executive Order to provide companies with best practices to mitigate cyberrisk.

“Today I was pleased to receive the Cybersecurity Framework, which reflects the good work of hundreds of companies, multiple federal agencies and contributors from around the world,” Obama said in a written statement. “This voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge.” See the full statement at http://1.usa.gov/1f9FsyN.

The 41-page framework (available at http://1.usa.gov/1jNYIEa) focuses on what businesses can do to improve their cybersecurity practices, based on the policies they already have in place and what they hope to accomplish. As Patrick X. Fowler, a partner with Snell & Wilmer L.L.P. in Phoenix, AZ, told e-Commerce Law & Strategy: “Boiled down, the Framework literally provides a risk-based reference structure that can be used to assist organizations without a cybersecurity program to establish one, or to assist those organizations with an existing cybersecurity program to strengthen it while aligning with industry practices.”

NIST says the Framework isn't a “one-size-fits-all approach” to improving critical infrastructure cybersecurity, noting that companies can use it in different ways. But the agency listed several steps businesses can take to help them utilize the framework.

NIST recommends that companies begin by prioritizing their business objectives and identifying the digital threats to those priorities. Businesses then should determine how they would identify, protect against, detect, respond to and recover from a cyberattack.

Next, companies should perform a risk assessment and define their cybersecurity objectives. Finally, businesses should determine the gaps that exist between their current cybersecurity profiles and the profiles they want, allowing them to develop their own action plan.

Next Steps

“The focus over the last year was on developing the Framework and making it a collaborative process, which is very important and NIST was very successful in doing,” Venable's James Barnett, retired U.S. Navy Rear Admiral and former Chief of the Public Safety and Homeland Security Bureau for the Federal Communications Commission, told e-Commerce Law & Strategy in advance of a webinar hosted by Venable (“New Cybersecurity Framework Released: What You Need to Know” is available at http://bit.ly/NeoMu0). In fact, the plan is to eventually turn control of the Framework over to industry. The “NIST Roadmap for Improving Critical Infrastructure Cybersecurity,” Fowler says, signaled its expectation that the governance and stewardship of the Framework would eventually be turned over to one or more “transition partners” in the private sector.

Now that the Framework has been announced, Barnett says the focus shifts to encouraging adoption. “If it goes on the shelf, it's not useful to anybody. The Framework has the potential to act as a rising floor on cybersecurity,” he says, “but it remains to be seen if the incentives are enough to encourage widespread adoption.”

Fowler says that NIST also committed to continuing to serve as the “convener and coordinator” of the Framework until at least version 2.0 is released. For future versions, NIST included a laundry list of additional topics that merit further development, alignment and collaboration. These include dealing with: a) the ongoing problem of authentication mechanisms (i.e., passwords, biometric credentials, etc.); b) automated information sharing between organizations to expedite the detection, mitigation and possible prevention of cyberattacks; c) methods for showing that a product, service or system meets specified requirements for managing cybersecurity risks (e.g., some sort of seal of approval or star rating); d) developing a well-skilled cybersecurity workforce; and e) leveraging data analytics to assist in cybersecurity.

Ann Beauchesne, the U.S. Chamber of Commerce's vice president of national security and emergency preparedness, said the U.S. government must do more to improve cybersecurity. The Framework needs the enactment of information-sharing legislation to be effective, she said.

“Businesses need policies that foster public-private partnerships, unencumbered by legal and regulatory penalties, so that individuals can experiment freely and quickly to counter evolving threats to U.S. companies,” Beauchesne said in a written statement. “We will continue to work with Congress toward this goal.” See, http://uscham.com/1eMQMLe.

With the release of the Framework, the U.S. Department of Homeland Security launched the Critical Infrastructure Cyber Community program, which is intended to help companies with the NIST guidelines. The Obama administration also continues to work on incentives to encourage companies to implement the framework, such as cybersecurity insurance, reduced tort liability, easier access to federal grants and technical assistance, public recognition and utility rate adjustments. See, “White House Offers Incentives for Cybersecurity Program,” Corporate Counsel.

Does the Framework Go Far Enough?

Barnett agrees that ultimately legislation will be needed to take the issue where it needs to go. “The Framework is good as far as it goes and goes as far as it can without legislation,” he says. “But even though the Administration says we don't need legislation, the Framework doesn't address some problems that won't be solved voluntarily, like the communication supply chain, i.e., Internet route hijacking, which may be as big an issue as cybersecurity.” Barnett says the government is grappling with that issue but “solutions are so big it's not really being discussed and it needs to be.” Legislation, he says, “would provide real incentives, like tax breaks or limited liability.”

Fowler says that “noticeably missing from the Framework was a set of guidelines dealing with protecting privacy and civil liberties within a cybersecurity system. The accompanying 'Roadmap' indicated that NIST intends to host a privacy workshop in the second quarter of 2014 to focus on the advancement of privacy engineering.”

The Center for Democracy and Technology (CDT) had concerns about the Framework, too. Greg Nojeim, director of the privacy advocacy group's Project on Freedom, Security & Technology, says the Framework lacks strong privacy provisions. NIST says it created “a general set” of processes in that area due to differing privacy situations across various industries. “We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended,” he said in a written statement. “As the Framework is implemented, we are hopeful that such privacy protections are further developed and become standardized.” See, “Cybersecurity Framework Useful, But Falls Short on Privacy,” CDT.org.

Barnett sees a different possible use for the Framework. “It may develop as a new standard of care for cybersecurity that could play out in courts,” he says. “It won't be long before a plaintiff brings it up.” And if different courts give different weight to the Framework, adoption could be hampered.

Conclusion

“It's hard to discern how well it will be adopted,” says Barnett. “The incentives may work just fine; the Framework may act as underwriting criteria for cyber-insurance and as an entry point to doing business with the government.” But a senior administration official who wasn't authorized to comment publicly said the incentives won't be the best drivers for adoption of the framework. “Don't get me wrong; I think the government-based incentives are really important for us to pursue,” the official said. “But at the end of the day, it's the market that's got to drive the business case for the cybersecurity framework.”

The Framework “is a great achievement,” concludes Barnett, “but it's like stopping at the base camp at Mount Everest; you have to keep going.”

Andrew Ramonas is a Reporter for Corporate Counsel, an ALM sibling of e-Commerce Law & Strategy. Steven Salkin, Esq., is Managing Editor of this newsletter.
