The Obama administration unveiled Wednesday a long-awaited plan for bolstering the cybersecurity of critical-infrastructure providers — including big information technology and communications companies — and is gearing up to try to enlist smaller Silicon Valley shops in its battle against hackers.
Top officials at the White House presented the so-called Cybersecurity Framework, a 39-page plan for the federal government and critical-infrastructure providers (both private and public) to share more data with each other about cyber threats. It was spurred by an executive order that President Obama signed in February 2013 calling for the National Institute of Standards and Technology and private firms to craft a voluntary framework for thwarting cyber attacks from nefarious hackers and nation states.
The new framework “provides, for lack of a better phrase, a common language to discuss cybersecurity,” Lisa Monaco, Obama’s counterterrorism adviser, said in an afternoon presentation.
The plan has three main parts, starting with a “core” set of cybersecurity activities it says critical-infrastructure companies should carry out — which fall under five functions: identify, protect, detect, respond and recover. The other two parts of the framework include “profiles,” which are intended to help firms craft their specific security plans, and “tiers” that label the state of different companies’ cyber-risk-management processes. The program is voluntary, so the Department of Homeland Security is crafting incentives — which are not yet finalized — to make it sweet for critical-infrastructure entities to opt in.
So, that’s what this new framework does for 16 sectors of critical-infrastructure providers — the sizable IT and communications companies, utilities, banks and the like. The administration, though, is not ignoring the smaller technology companies, according to Phyllis Schneck, the deputy undersecretary for cybersecurity at the Department of Homeland Security.
Schneck said Wednesday at a think-tank event in Washington, D.C., that the cyber-resilience of Silicon Valley companies that don’t fall under the definition of “critical infrastructure” is a “huge, huge part of what concerns me personally.” She cited the links such firms have to Americans’ lives and the innovation happening at them.
“I would like to use this framework as a catalyst to — and we’re looking at this already — address that with the executives and the technologists out on that (West) Coast, to look at how we enable cybersecurity to be part of their decision process,” Schneck said at the event, which was sponsored by the Center for National Policy and The Christian Science Monitor. “This is a key part of our country, I want to learn more about what drives those decisions.”
Schneck, a former chief technology officer at McAfee, said she understands that Washington’s actions are not “a big part of what drives the thought process of Silicon Valley.”
“But, we need to make sure that we take good things in cybersecurity, get their input … (from the innovators in Silicon Valley) … get their opinions, and make sure that we are addressing all that,” she said. Administration cyber officials will travel to northern California “within the next few months,” she said, adding she “will be personally involved.”
The new cybersecurity framework is not as strong as actual law, which is why the administration is crafting the incentives. Those perks could include cybersecurity insurance, technical assistance and grant funding. Department of Homeland Security Secretary Jeh Johnson on Wednesday said the framework’s success also will depend on salesmanship.
“Our challenge is for the cyber geeks among us to be able to properly, in plain terms, convey the extent of concerns to the broader American public,” Johnson said at the White House.
Obama issued the cybersecurity executive order last year because he was frustrated that members of Congress could not agree on legislation to either encourage or outright mandate the private sector and government to share more details about cyber intrusions.
The new framework received mixed reaction on Wednesday. While trade groups including the Information Technology Industry Council lauded it, the U.S. Chamber of Commerce said much “still remains to be seen in terms of how the cyber framework is implemented and revised, especially the roles that regulatory agencies and departments will play.” The chamber also said the framework will remain incomplete unless Congress passes accompanying information-sharing legislation.