White House Unveils Guidelines to Thwart Hackers

The Obama administration released its cybersecurity framework, but it’s unclear how much good it will do.

A person claiming to speak for activist hacker group Anonymous is seen issuing a warning through a video circulated online to "go to war" with the Singapore government over recent Internet licensing rules on November 1, 2013.
National Journal
Brendan Sasso
Feb. 12, 2014, 9 a.m.

The White House on Wednesday issued a highly anticipated set of guidelines to help businesses defend themselves from hackers.

President Obama ordered his administration to create the cybersecurity framework last year after congressional Republicans blocked his preferred legislation. White House officials trumpeted the framework Wednesday, saying it will help upgrade the nation’s defenses against cyberattacks.

But the guidelines are entirely voluntary. Without legislation, the administration can’t force companies to follow the rules, and it’s unclear how much the government can do to encourage compliance. Officials said they won’t even be able to track which companies are adopting the standards.

“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement.

“I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my administration will continue to take action, under existing authorities, to protect our nation from this threat.”

For years, the Obama administration has been warning that cyberattacks represent one of the gravest threats to national security and that many critical systems remain woefully underprepared for a sophisticated attack.

Hackers could derail trains, shut down power grids, cause planes to collide, or ruin the water supply, officials warned in congressional testimony, public speeches, and op-eds.

In 2012, the White House lobbied Congress to pass legislation requiring critical infrastructure operators, such as telecom companies, banks, and electric utilities, to meet government cybersecurity standards. But Republicans argued that mandatory regulations would burden companies and do little to combat the constantly evolving threat of cyberattacks.

Democrats scaled back their legislation so that businesses would be pressured — but not forced — to follow the cybersecurity standards. But Republicans still objected and successfully filibustered the Cybersecurity Act, which was authored by independent Sen. Joe Lieberman and Republican Sen. Susan Collins and backed by most Democrats.

Following the defeat of the bill, Obama signed an executive order instructing the National Institute of Standards and Technology, a Commerce Department agency, to work with the private sector to develop voluntary cybersecurity guidelines for critical infrastructure.

The framework is a set of broad strategies to help companies defend their systems and contains few specific recommendations. The document is divided into five cybersecurity actions: identify, protect, detect, respond, and recover.

Businesses are urged to take steps such as training their employees, cataloging the software they use, managing remote access to their systems, and backing up their data. In the event of an attack, they should identify the malicious computer code, share information with other groups, assess the damage, and restore their systems.

The standards are largely based on existing industry best practices, and officials said they plan to keep them up to date as threats and security measures evolve.

The standards can apply to retailers like Target, which suffered a massive data breach that compromised millions of credit card numbers late last year.

Although the guidelines are voluntary, the White House is urging regulatory agencies to update their existing regulations to match the framework. So the Federal Communications Commission, which already has broad power over telecom companies, may revise certain regulations to more closely align with the guidelines.

The Homeland Security Department will also develop a program to try to incentivize companies to follow the rules. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, said Monday morning during an event at the Center for National Policy that cybersecurity insurance may be available to companies that follow the guidelines but are breached anyway.

Adam Segal, a cybersecurity fellow at the Council on Foreign Relations, said the framework isn’t a replacement for legislation.

“This is the best we’re going to get right now,” he said. “Given the political constraints and the reality, this is a good first step.”

Business groups praised the administration for pursuing voluntary guidelines instead of creating a new regulatory regime.

“They’ve done some really good things here in trying to be helpful and not focus on regulation,” Tom Patterson, the head of cybersecurity consulting for Computer Sciences Corp., said. “Had it resulted in a simple checklist, it wouldn’t be nearly as effective as giving real guidance.”

Although business groups have fought against any attempts at mandatory cybersecurity regulation, they do want Congress to pass legislation allowing greater information-sharing between companies and the government.

The companies want legal protection from liability for information they share with other companies or the government about attacks on their systems. Although Obama’s executive order encouraged the government to share more cybersecurity information with the private sector, there is little the administration can do on liability protection without legislation.

Key lawmakers praised the framework and reiterated their support for legislation Wednesday. But Republican opposition continues to mean that mandatory regulations and even government pressure are unlikely to pass Congress any time soon.

And the revelations about National Security Agency surveillance have also heightened fears about the government’s access to private data, meaning that any cyber-information-sharing bills are a longer shot than ever before.
