White House Unveils Guidelines to Thwart Hackers

The Obama administration released its cybersecurity framework, but it’s unclear how much good it will do.

A person claiming to speak for activist hacker group Anonymous is seen issuing a warning through a video circulated online to 'go to war' with the Singapore government over recent Internet licensing rules on November 1, 2013.
National Journal
Brendan Sasso
Feb. 12, 2014, 9 a.m.

The White House on Wednesday issued a highly anticipated set of guidelines to help businesses defend themselves from hackers.

President Obama ordered his administration to create the cybersecurity framework last year after congressional Republicans blocked his preferred legislation. White House officials trumpeted the framework Wednesday, saying it will help upgrade the nation’s defenses against cyberattacks.

But the guidelines are entirely voluntary. Without legislation, the administration can’t force companies to follow the rules, and it’s unclear how much the government can do to encourage compliance. Officials said they won’t even be able to track which companies are adopting the standards.

“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement.

“I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my administration will continue to take action, under existing authorities, to protect our nation from this threat.”

For years, the Obama administration has been warning that cyberattacks represent one of the gravest threats to national security and that many critical systems remain woefully underprepared for a sophisticated attack.

Hackers could derail trains, shut down power grids, cause planes to collide, or ruin the water supply, officials warned in congressional testimony, public speeches, and op-eds.

In 2012, the White House lobbied Congress to pass legislation requiring critical infrastructure operators, such as telecom companies, banks, and electric utilities, to meet government cybersecurity standards. But Republicans argued that mandatory regulations would burden companies and do little to combat the constantly evolving threat of cyberattacks.

Democrats scaled back their legislation so that businesses would be pressured — but not forced — to follow the cybersecurity standards. But Republicans still objected and successfully filibustered the Cybersecurity Act, which was authored by independent Sen. Joe Lieberman and Republican Sen. Susan Collins and backed by most Democrats.

Following the defeat of the bill, Obama signed an executive order instructing the National Institute of Standards and Technology, a Commerce Department agency, to work with the private sector to develop voluntary cybersecurity guidelines for critical infrastructure.

The framework is a set of broad strategies to help companies defend their systems and contains few specific recommendations. The document is divided into five cybersecurity actions: identify, protect, detect, respond, and recover.

Businesses are urged to take steps such as training their employees, cataloging the software they use, managing remote access to their systems, and backing up their data. In the event of an attack, they should identify the malicious computer code, share information with other groups, assess the damage, and restore their systems.

The standards are largely based on existing industry best practices, and officials said they plan to keep them up to date as threats and security measures evolve.

The standards can apply to retailers like Target, which suffered a massive data breach that compromised millions of credit card numbers late last year.

Although the guidelines are voluntary, the White House is urging regulatory agencies to update their existing regulations to match the framework. So the Federal Communications Commission, which already has broad power over telecom companies, may revise certain regulations to more closely align with the guidelines.

The Homeland Security Department will also develop a program to try to incentivize companies to follow the rules. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, said Monday morning during an event at the Center for National Policy that cybersecurity insurance may be available to companies that follow the guidelines but are breached anyway.

Adam Segal, a cybersecurity fellow at the Council on Foreign Relations, said the framework isn’t a replacement for legislation.

“This is the best we’re going to get right now,” he said. “Given the political constraints and the reality, this is a good first step.”

Business groups praised the administration for pursuing voluntary guidelines instead of creating a new regulatory regime.

“They’ve done some really good things here in trying to be helpful and not focus on regulation,” Tom Patterson, the head of cybersecurity consulting for Computer Sciences Corp., said. “Had it resulted in a simple checklist, it wouldn’t be nearly as effective as giving real guidance.”

Although business groups have fought against any attempts for mandatory cybersecurity regulation, they do want Congress to pass legislation allowing greater information-sharing between companies and the government.

The companies want legal protection from liability for information they share with other companies or the government about attacks on their systems. Although Obama’s executive order encouraged the government to share more cybersecurity information with the private sector, there is little the administration can do on liability protection without legislation.

Key lawmakers praised the framework and reiterated their support for legislation Wednesday. But Republican opposition continues to mean that mandatory regulations and even government pressure are unlikely to pass Congress any time soon.

And the revelations about National Security Agency surveillance have also heightened fears about the government’s access to private data, meaning that any cyber-information-sharing bills are a longer shot than ever before.
