The White House on Wednesday issued a highly anticipated set of guidelines to help businesses defend themselves from hackers.
President Obama ordered his administration to create the cybersecurity framework last year after congressional Republicans blocked his preferred legislation. White House officials trumpeted the framework Wednesday, saying it will help upgrade the nation’s defenses against cyberattacks.
But the guidelines are entirely voluntary. Without legislation, the administration can’t force companies to follow the rules, and it’s unclear how much the government can do to encourage compliance. Officials said they won’t even be able to track which companies are adopting the standards.
“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement.
“I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my administration will continue to take action, under existing authorities, to protect our nation from this threat.”
For years, the Obama administration has been warning that cyberattacks represent one of the gravest threats to national security and that many critical systems remain woefully underprepared for a sophisticated attack.
Hackers could derail trains, shut down power grids, cause planes to collide, or ruin the water supply, officials warned in congressional testimony, public speeches, and op-eds.
In 2012, the White House lobbied Congress to pass legislation requiring critical infrastructure operators, such as telecom companies, banks, and electric utilities, to meet government cybersecurity standards. But Republicans argued that mandatory regulations would burden companies and do little to combat the constantly evolving threat of cyberattacks.
Democrats scaled back their legislation so that businesses would be pressured — but not forced — to follow the cybersecurity standards. But Republicans still objected and successfully filibustered the Cybersecurity Act, which was authored by independent Sen. Joe Lieberman and Republican Sen. Susan Collins and backed by most Democrats.
Following the defeat of the bill, Obama signed an executive order instructing the National Institute of Standards and Technology, a Commerce Department agency, to work with the private sector to develop voluntary cybersecurity guidelines for critical infrastructure.
The framework is a set of broad strategies to help companies defend their systems and contains few specific recommendations. The document is divided into five cybersecurity actions: identify, protect, detect, respond, and recover.
Businesses are urged to take steps such as training their employees, cataloging the software they use, managing remote access to their systems, and backing up their data. In the event of an attack, they should identify the malicious computer code, share information with other groups, assess the damage, and restore their systems.
The standards are largely based on existing industry best practices, and officials said they plan to keep them up to date as threats and security measures evolve.
The standards can apply to retailers like Target, which suffered a massive data breach that compromised millions of credit card numbers late last year.
Although the guidelines are voluntary, the White House is urging regulatory agencies to update their existing regulations to match the framework. So the Federal Communications Commission, which already has broad power over telecom companies, may revise certain regulations to more closely align with the guidelines.
The Homeland Security Department will also develop a program to try to incentivize companies to follow the rules. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, said Monday morning during an event at the Center for National Policy that cybersecurity insurance may be available to companies that follow the guidelines but are breached anyway.
Adam Segal, a cybersecurity fellow at the Council on Foreign Relations, said the framework isn’t a replacement for legislation.
“This is the best we’re going to get right now,” he said. “Given the political constraints and the reality, this is a good first step.”
Business groups praised the administration for pursuing voluntary guidelines instead of creating a new regulatory regime.
“They’ve done some really good things here in trying to be helpful and not focus on regulation,” Tom Patterson, the head of cybersecurity consulting for Computer Sciences Corp., said. “Had it resulted in a simple checklist, it wouldn’t be nearly as effective as giving real guidance.”
Although business groups have fought against any attempts for mandatory cybersecurity regulation, they do want Congress to pass legislation allowing greater information-sharing between companies and the government.
The companies want legal protection from liability for information they share with other companies or the government about attacks on their systems. Although Obama’s executive order encouraged the government to share more cybersecurity information with the private sector, there is little the administration can do on liability protection without legislation.
Key lawmakers praised the framework and reiterated their support for legislation Wednesday. But Republican opposition continues to mean that mandatory regulations and even government pressure are unlikely to pass Congress any time soon.
And the revelations about National Security Agency surveillance have also heightened fears about the government’s access to private data, meaning that any cyber-information-sharing bills are a longer shot than ever before.