White House Unveils Guidelines to Thwart Hackers

The Obama administration released its cybersecurity framework, but it’s unclear how much good it will do.

A person claiming to speak for activist hacker group Anonymous is seen issuing a warning throught a video circulated online to 'go to war' with the Singapore government over recent Internet licensing rules on November 1, 2013.
National Journal
Brendan Sasso
Add to Briefcase
Brendan Sasso
Feb. 12, 2014, 9 a.m.

The White House on Wed­nes­day is­sued a highly-an­ti­cip­ated set of guidelines to help busi­nesses de­fend them­selves from hack­ers.

Pres­id­ent Obama ordered his ad­min­is­tra­tion to cre­ate the cy­ber­se­cur­ity frame­work last year after con­gres­sion­al Re­pub­lic­ans blocked his pre­ferred le­gis­la­tion. White House of­fi­cials trum­peted the frame­work Wed­nes­day, say­ing it will help up­grade the na­tion’s de­fenses against cy­ber­at­tacks.

But the guidelines are en­tirely vol­un­tary. Without le­gis­la­tion, the ad­min­is­tra­tion can’t force com­pan­ies to fol­low the rules, and it’s un­clear how much the gov­ern­ment can do to en­cour­age com­pli­ance. Of­fi­cials said they won’t even be able to track which com­pan­ies are ad­opt­ing the stand­ards.

“While I be­lieve today’s frame­work marks a turn­ing point, it’s clear that much more work needs to be done to en­hance our cy­ber­se­cur­ity,” Obama said in a state­ment.

“I again urge Con­gress to move for­ward on cy­ber­se­cur­ity le­gis­la­tion that both pro­tects our na­tion and our pri­vacy and civil liber­ties. Mean­while, my ad­min­is­tra­tion will con­tin­ue to take ac­tion, un­der ex­ist­ing au­thor­it­ies, to pro­tect our na­tion from this threat.”

For years, the Obama ad­min­is­tra­tion has been warn­ing that cy­ber­at­tacks rep­res­ent one of the gravest threats to na­tion­al se­cur­ity and that many crit­ic­al sys­tems re­main woe­fully un­der­prepared for a soph­ist­ic­ated at­tack.

Hack­ers could de­rail trains, shut­down power grids, cause planes to col­lide, or ru­in the wa­ter sup­ply, of­fi­cials warned in con­gres­sion­al testi­mony, pub­lic speeches, and op-eds.

In 2012, the White House lob­bied Con­gress to pass le­gis­la­tion re­quir­ing crit­ic­al in­fra­struc­ture op­er­at­ors, such as tele­com com­pan­ies, banks, and elec­tric util­it­ies, to meet gov­ern­ment cy­ber­se­cur­ity stand­ards. But Re­pub­lic­ans ar­gued that man­dat­ory reg­u­la­tions would bur­den com­pan­ies and do little to com­bat the con­stantly evolving threat of cy­ber­at­tacks.

Demo­crats scaled back their le­gis­la­tion so that busi­nesses would be pres­sured — but not forced — to fol­low the cy­ber­se­cur­ity stand­ards. But Re­pub­lic­ans still ob­jec­ted and suc­cess­fully fili­bustered the Cy­ber­se­cur­ity Act, which was au­thored by in­de­pend­ent Sen. Joe Lieber­man and Re­pub­lic­an Sen. Susan Collins and backed by most Demo­crats.

Fol­low­ing the de­feat of the bill, Obama signed an ex­ec­ut­ive or­der in­struct­ing the Na­tion­al In­sti­tute of Stand­ards and Tech­no­logy, a Com­merce De­part­ment agency, to work with the private sec­tor to de­vel­op vol­un­tary cy­ber­se­cur­ity guidelines for crit­ic­al in­fra­struc­ture.

The frame­work is a set of broad strategies to help com­pan­ies de­fend their sys­tems and con­tains few spe­cif­ic re­com­mend­a­tions. The doc­u­ment is di­vided in­to five cy­ber­se­cur­ity ac­tions: identi­fy, pro­tect, de­tect, re­spond, and re­cov­er.

Busi­nesses are urged to take steps such as train­ing their em­ploy­ees, cata­loging the soft­ware they use, man­aging re­mote ac­cess to their sys­tems, and back­ing up their data. In the event of an at­tack, they should identi­fy the ma­li­cious com­puter code, share in­form­a­tion with oth­er groups, as­sess the dam­age, and re­store their sys­tems.

The stand­ards are largely based on ex­ist­ing in­dustry best-prac­tices, and of­fi­cials said they plan to keep them up-to-date as threats and se­cur­ity meas­ures evolve. 

The stand­ards can ap­ply to re­tail­ers like Tar­get, which suffered a massive data breach that com­prom­ised mil­lions of cred­it card num­bers late last year.

Al­though the guidelines are vol­un­tary, the White House is ur­ging reg­u­lat­ory agen­cies to up­date their ex­ist­ing reg­u­la­tions to match the frame­work. So the Fed­er­al Com­mu­nic­a­tions Com­mis­sion, which already has broad power over tele­com com­pan­ies, may re­vise cer­tain reg­u­la­tions to more closely align with the guidelines.

The Home­land Se­cur­ity De­part­ment will also de­vel­op a pro­gram to try to in­centiv­ize com­pan­ies to fol­low the rules. Phyl­lis Sch­neck, DHS deputy un­der­sec­ret­ary for cy­ber­se­cur­ity, said Monday morn­ing dur­ing an event at the Cen­ter for Na­tion­al Policy that cy­ber­se­cur­ity in­sur­ance may be avail­able to com­pan­ies that fol­low the guidelines but are breached any­way.

Adam Segal, a cy­ber­se­cur­ity fel­low at the Coun­cil on For­eign Re­la­tions, said the frame­work isn’t a re­place­ment for le­gis­la­tion.

“This is the best we’re go­ing to get right now,” he said. “Giv­en the polit­ic­al con­straints and the real­ity, this is a good first step.”

Busi­ness groups praised the ad­min­is­tra­tion for pur­su­ing vol­un­tary guidelines in­stead of cre­at­ing a new reg­u­lat­ory re­gime.

“They’ve done some really good things here in try­ing to be help­ful and not fo­cus on reg­u­la­tion,” Tom Pat­ter­son, the head of cy­ber­se­cur­ity con­sult­ing for Com­puter Sci­ences Corp., said. “Had it res­ul­ted in a simple check­list, it wouldn’t be nearly as ef­fect­ive as giv­ing real guid­ance.”

Al­though busi­ness groups have fought against any at­tempts for man­dat­ory cy­ber­se­cur­ity reg­u­la­tion, they do want Con­gress to pass le­gis­la­tion al­low­ing great­er in­form­a­tion-shar­ing between com­pan­ies and the gov­ern­ment.

The com­pan­ies want leg­al pro­tec­tion from li­ab­il­ity for in­form­a­tion they share with oth­er com­pan­ies or the gov­ern­ment about at­tacks on their sys­tems. Al­though Obama’s ex­ec­ut­ive or­der en­cour­aged the gov­ern­ment to share more cy­ber­se­cur­ity in­form­a­tion with the private sec­tor, there is little the ad­min­is­tra­tion can do on li­ab­il­ity pro­tec­tion without le­gis­la­tion.

Key law­makers praised the frame­work and re­it­er­ated their sup­port for le­gis­la­tion Wed­nes­day. But Re­pub­lic­an op­pos­i­tion con­tin­ues to mean that man­dat­ory reg­u­la­tions and even gov­ern­ment pres­sure are un­likely to pass Con­gress any time soon.

And the rev­el­a­tions about Na­tion­al Se­cur­ity Agency sur­veil­lance have also heightened fears about the gov­ern­ment’s ac­cess to private data, mean­ing that any cy­ber-in­form­a­tion-shar­ing bills are a longer shot than ever be­fore.

What We're Following See More »
HAPPENED LAST WEEK
Bannon Subpoenaed By Mueller
45 minutes ago
THE LATEST

"The move marked the first time Mr. Mueller is known to have used a grand jury subpoena to seek information from a member of Mr. Trump’s inner circle. ...Mr. Mueller is likely to allow Mr. Bannon to forgo the grand jury appearance if he agrees to instead be questioned by investigators in the less formal setting of the special counsel’s offices in Washington."

Source:
RYBICKI TO DISCUSS CLINTON’S EMAIL SERVER
Wray Chief of Staff to Meet with House Investigators Thursday
1 hours ago
THE LATEST

"The chief of staff and senior counselor to FBI Director Christopher Wray is expected to meet with the House Oversight Committee Thursday. A spokesperson for House Oversight confirmed to the Washington Examiner that Jim Rybicki is expected to testify as part of the committee’s investigation into the Department of Justice’s probe in Hillary Clinton’s private email server, and the decision by then-FBI Director James Comey to announce there would be no criminal charges against the former secretary of state and 2016 Democratic presidential nominee."

Source:
WON’T SAY WHETHER NORWAY IS PREDOMINATELY WHITE
Nielsen Defends Trump Before Senate Judiciary
1 hours ago
THE LATEST

"Homeland Security Kristjen Nielsen confirmed that President Trump used 'tough language' in an Oval Office meeting last week over immigration policy, but she said she did not hear him describe some African countries and Haiti as 'shithole countries,' as has been reported." When pressed she, also said she "didn't know" whether Norway was a predominately white country.

Source:
TICKS UP TO 12.2%
Uninsured Rate Rose in 2017
2 hours ago
THE DETAILS

"The percentage of Americans without health insurance ticked up 1.3 percentage points in 2017, ending the year at 12.2%, according to the latest data from Gallup. That’s still a lot lower than it was before the Affordable Care Act’s coverage expansion took effect, but this is the biggest single-year increase under the ACA."

Source:
TESTIMONY COULD HAPPEN AS SOON AS FRIDAY
Hicks to Meet with House Intel Committee
3 hours ago
THE LATEST

"White House Communications Director Hope Hicks is expected to meet with the House Intelligence Committee as soon as this week, making her one of President Donald Trump's closest confidantes to be privately interviewed in the panel's Russia investigation, multiple sources with knowledge of the matter told CNN." She could testify as soon as Friday.

Source:
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login