White House Unveils Guidelines to Thwart Hackers

The Obama administration released its cybersecurity framework, but it’s unclear how much good it will do.

A person claiming to speak for activist hacker group Anonymous is seen issuing a warning throught a video circulated online to 'go to war' with the Singapore government over recent Internet licensing rules on November 1, 2013.
National Journal
Brendan Sasso
Add to Briefcase
See more stories about...
Brendan Sasso
Feb. 12, 2014, 9 a.m.

The White House on Wed­nes­day is­sued a highly-an­ti­cip­ated set of guidelines to help busi­nesses de­fend them­selves from hack­ers.

Pres­id­ent Obama ordered his ad­min­is­tra­tion to cre­ate the cy­ber­se­cur­ity frame­work last year after con­gres­sion­al Re­pub­lic­ans blocked his pre­ferred le­gis­la­tion. White House of­fi­cials trum­peted the frame­work Wed­nes­day, say­ing it will help up­grade the na­tion’s de­fenses against cy­ber­at­tacks.

But the guidelines are en­tirely vol­un­tary. Without le­gis­la­tion, the ad­min­is­tra­tion can’t force com­pan­ies to fol­low the rules, and it’s un­clear how much the gov­ern­ment can do to en­cour­age com­pli­ance. Of­fi­cials said they won’t even be able to track which com­pan­ies are ad­opt­ing the stand­ards.

“While I be­lieve today’s frame­work marks a turn­ing point, it’s clear that much more work needs to be done to en­hance our cy­ber­se­cur­ity,” Obama said in a state­ment.

“I again urge Con­gress to move for­ward on cy­ber­se­cur­ity le­gis­la­tion that both pro­tects our na­tion and our pri­vacy and civil liber­ties. Mean­while, my ad­min­is­tra­tion will con­tin­ue to take ac­tion, un­der ex­ist­ing au­thor­it­ies, to pro­tect our na­tion from this threat.”

For years, the Obama ad­min­is­tra­tion has been warn­ing that cy­ber­at­tacks rep­res­ent one of the gravest threats to na­tion­al se­cur­ity and that many crit­ic­al sys­tems re­main woe­fully un­der­prepared for a soph­ist­ic­ated at­tack.

Hack­ers could de­rail trains, shut­down power grids, cause planes to col­lide, or ru­in the wa­ter sup­ply, of­fi­cials warned in con­gres­sion­al testi­mony, pub­lic speeches, and op-eds.

In 2012, the White House lob­bied Con­gress to pass le­gis­la­tion re­quir­ing crit­ic­al in­fra­struc­ture op­er­at­ors, such as tele­com com­pan­ies, banks, and elec­tric util­it­ies, to meet gov­ern­ment cy­ber­se­cur­ity stand­ards. But Re­pub­lic­ans ar­gued that man­dat­ory reg­u­la­tions would bur­den com­pan­ies and do little to com­bat the con­stantly evolving threat of cy­ber­at­tacks.

Demo­crats scaled back their le­gis­la­tion so that busi­nesses would be pres­sured — but not forced — to fol­low the cy­ber­se­cur­ity stand­ards. But Re­pub­lic­ans still ob­jec­ted and suc­cess­fully fili­bustered the Cy­ber­se­cur­ity Act, which was au­thored by in­de­pend­ent Sen. Joe Lieber­man and Re­pub­lic­an Sen. Susan Collins and backed by most Demo­crats.

Fol­low­ing the de­feat of the bill, Obama signed an ex­ec­ut­ive or­der in­struct­ing the Na­tion­al In­sti­tute of Stand­ards and Tech­no­logy, a Com­merce De­part­ment agency, to work with the private sec­tor to de­vel­op vol­un­tary cy­ber­se­cur­ity guidelines for crit­ic­al in­fra­struc­ture.

The frame­work is a set of broad strategies to help com­pan­ies de­fend their sys­tems and con­tains few spe­cif­ic re­com­mend­a­tions. The doc­u­ment is di­vided in­to five cy­ber­se­cur­ity ac­tions: identi­fy, pro­tect, de­tect, re­spond, and re­cov­er.

Busi­nesses are urged to take steps such as train­ing their em­ploy­ees, cata­loging the soft­ware they use, man­aging re­mote ac­cess to their sys­tems, and back­ing up their data. In the event of an at­tack, they should identi­fy the ma­li­cious com­puter code, share in­form­a­tion with oth­er groups, as­sess the dam­age, and re­store their sys­tems.

The stand­ards are largely based on ex­ist­ing in­dustry best-prac­tices, and of­fi­cials said they plan to keep them up-to-date as threats and se­cur­ity meas­ures evolve. 

The stand­ards can ap­ply to re­tail­ers like Tar­get, which suffered a massive data breach that com­prom­ised mil­lions of cred­it card num­bers late last year.

Al­though the guidelines are vol­un­tary, the White House is ur­ging reg­u­lat­ory agen­cies to up­date their ex­ist­ing reg­u­la­tions to match the frame­work. So the Fed­er­al Com­mu­nic­a­tions Com­mis­sion, which already has broad power over tele­com com­pan­ies, may re­vise cer­tain reg­u­la­tions to more closely align with the guidelines.

The Home­land Se­cur­ity De­part­ment will also de­vel­op a pro­gram to try to in­centiv­ize com­pan­ies to fol­low the rules. Phyl­lis Sch­neck, DHS deputy un­der­sec­ret­ary for cy­ber­se­cur­ity, said Monday morn­ing dur­ing an event at the Cen­ter for Na­tion­al Policy that cy­ber­se­cur­ity in­sur­ance may be avail­able to com­pan­ies that fol­low the guidelines but are breached any­way.

Adam Segal, a cy­ber­se­cur­ity fel­low at the Coun­cil on For­eign Re­la­tions, said the frame­work isn’t a re­place­ment for le­gis­la­tion.

“This is the best we’re go­ing to get right now,” he said. “Giv­en the polit­ic­al con­straints and the real­ity, this is a good first step.”

Busi­ness groups praised the ad­min­is­tra­tion for pur­su­ing vol­un­tary guidelines in­stead of cre­at­ing a new reg­u­lat­ory re­gime.

“They’ve done some really good things here in try­ing to be help­ful and not fo­cus on reg­u­la­tion,” Tom Pat­ter­son, the head of cy­ber­se­cur­ity con­sult­ing for Com­puter Sci­ences Corp., said. “Had it res­ul­ted in a simple check­list, it wouldn’t be nearly as ef­fect­ive as giv­ing real guid­ance.”

Al­though busi­ness groups have fought against any at­tempts for man­dat­ory cy­ber­se­cur­ity reg­u­la­tion, they do want Con­gress to pass le­gis­la­tion al­low­ing great­er in­form­a­tion-shar­ing between com­pan­ies and the gov­ern­ment.

The com­pan­ies want leg­al pro­tec­tion from li­ab­il­ity for in­form­a­tion they share with oth­er com­pan­ies or the gov­ern­ment about at­tacks on their sys­tems. Al­though Obama’s ex­ec­ut­ive or­der en­cour­aged the gov­ern­ment to share more cy­ber­se­cur­ity in­form­a­tion with the private sec­tor, there is little the ad­min­is­tra­tion can do on li­ab­il­ity pro­tec­tion without le­gis­la­tion.

Key law­makers praised the frame­work and re­it­er­ated their sup­port for le­gis­la­tion Wed­nes­day. But Re­pub­lic­an op­pos­i­tion con­tin­ues to mean that man­dat­ory reg­u­la­tions and even gov­ern­ment pres­sure are un­likely to pass Con­gress any time soon.

And the rev­el­a­tions about Na­tion­al Se­cur­ity Agency sur­veil­lance have also heightened fears about the gov­ern­ment’s ac­cess to private data, mean­ing that any cy­ber-in­form­a­tion-shar­ing bills are a longer shot than ever be­fore.

What We're Following See More »
Morning Consult Poll: Clinton Decisively Won Debate
2 days ago

"According to a new POLITICO/Morning Consult poll, the first national post-debate survey, 43 percent of registered voters said the Democratic candidate won, compared with 26 percent who opted for the Republican Party’s standard bearer. Her 6-point lead over Trump among likely voters is unchanged from our previous survey: Clinton still leads Trump 42 percent to 36 percent in the race for the White House, with Libertarian nominee Gary Johnson taking 9 percent of the vote."

Trump Draws Laughs, Boos at Al Smith Dinner
2 days ago

After a lighthearted beginning, Donald Trump's appearance at the Al Smith charity dinner in New York "took a tough turn as the crowd repeatedly booed the GOP nominee for his sharp-edged jokes about his rival Hillary Clinton."

McMullin Leads in New Utah Poll
3 days ago

Evan McMul­lin came out on top in a Emer­son Col­lege poll of Utah with 31% of the vote. Donald Trump came in second with 27%, while Hillary Clin­ton took third with 24%. Gary John­son re­ceived 5% of the vote in the sur­vey.

Quinnipiac Has Clinton Up by 7
3 days ago

A new Quin­nipi­ac Uni­versity poll finds Hillary Clin­ton lead­ing Donald Trump by seven percentage points, 47%-40%. Trump’s “lead among men and white voters all but” van­ished from the uni­versity’s early Oc­to­ber poll. A new PPRI/Brook­ings sur­vey shows a much bigger lead, with Clinton up 51%-36%. And an IBD/TIPP poll leans the other way, showing a vir­tu­al dead heat, with Trump tak­ing 41% of the vote to Clin­ton’s 40% in a four-way match­up.

Trump: I’ll Accept the Results “If I Win”
3 days ago

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.