White House Unveils Guidelines to Thwart Hackers

The Obama administration released its cybersecurity framework, but it’s unclear how much good it will do.

A person claiming to speak for activist hacker group Anonymous is seen issuing a warning through a video circulated online to 'go to war' with the Singapore government over recent Internet licensing rules on November 1, 2013.
National Journal
Brendan Sasso
Feb. 12, 2014, 9 a.m.

The White House on Wednesday issued a highly anticipated set of guidelines to help businesses defend themselves from hackers.

President Obama ordered his administration to create the cybersecurity framework last year after congressional Republicans blocked his preferred legislation. White House officials trumpeted the framework Wednesday, saying it will help upgrade the nation’s defenses against cyberattacks.

But the guidelines are entirely voluntary. Without legislation, the administration can’t force companies to follow the rules, and it’s unclear how much the government can do to encourage compliance. Officials said they won’t even be able to track which companies are adopting the standards.

“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement.

“I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my administration will continue to take action, under existing authorities, to protect our nation from this threat.”

For years, the Obama administration has been warning that cyberattacks represent one of the gravest threats to national security and that many critical systems remain woefully underprepared for a sophisticated attack.

Hackers could derail trains, shut down power grids, cause planes to collide, or ruin the water supply, officials warned in congressional testimony, public speeches, and op-eds.

In 2012, the White House lobbied Congress to pass legislation requiring critical infrastructure operators, such as telecom companies, banks, and electric utilities, to meet government cybersecurity standards. But Republicans argued that mandatory regulations would burden companies and do little to combat the constantly evolving threat of cyberattacks.

Democrats scaled back their legislation so that businesses would be pressured — but not forced — to follow the cybersecurity standards. But Republicans still objected and successfully filibustered the Cybersecurity Act, which was authored by independent Sen. Joe Lieberman and Republican Sen. Susan Collins and backed by most Democrats.

Following the defeat of the bill, Obama signed an executive order instructing the National Institute of Standards and Technology, a Commerce Department agency, to work with the private sector to develop voluntary cybersecurity guidelines for critical infrastructure.

The framework is a set of broad strategies to help companies defend their systems and contains few specific recommendations. The document is divided into five cybersecurity actions: identify, protect, detect, respond, and recover.

Businesses are urged to take steps such as training their employees, cataloging the software they use, managing remote access to their systems, and backing up their data. In the event of an attack, they should identify the malicious computer code, share information with other groups, assess the damage, and restore their systems.

The standards are largely based on existing industry best practices, and officials said they plan to keep them up to date as threats and security measures evolve.

The standards can apply to retailers like Target, which suffered a massive data breach that compromised millions of credit card numbers late last year.

Although the guidelines are voluntary, the White House is urging regulatory agencies to update their existing regulations to match the framework. So the Federal Communications Commission, which already has broad power over telecom companies, may revise certain regulations to more closely align with the guidelines.

The Homeland Security Department will also develop a program to try to incentivize companies to follow the rules. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, said Monday morning during an event at the Center for National Policy that cybersecurity insurance may be available to companies that follow the guidelines but are breached anyway.

Adam Segal, a cybersecurity fellow at the Council on Foreign Relations, said the framework isn’t a replacement for legislation.

“This is the best we’re going to get right now,” he said. “Given the political constraints and the reality, this is a good first step.”

Business groups praised the administration for pursuing voluntary guidelines instead of creating a new regulatory regime.

“They’ve done some really good things here in trying to be helpful and not focus on regulation,” Tom Patterson, the head of cybersecurity consulting for Computer Sciences Corp., said. “Had it resulted in a simple checklist, it wouldn’t be nearly as effective as giving real guidance.”

Although business groups have fought against any attempts for mandatory cybersecurity regulation, they do want Congress to pass legislation allowing greater information-sharing between companies and the government.

The companies want legal protection from liability for information they share with other companies or the government about attacks on their systems. Although Obama’s executive order encouraged the government to share more cybersecurity information with the private sector, there is little the administration can do on liability protection without legislation.

Key lawmakers praised the framework and reiterated their support for legislation Wednesday. But Republican opposition continues to mean that mandatory regulations and even government pressure are unlikely to pass Congress any time soon.

And the revelations about National Security Agency surveillance have also heightened fears about the government’s access to private data, meaning that any cyber-information-sharing bills are a longer shot than ever before.
