Members of the tech industry heralded the White House's announcement of a set of voluntary guidelines for businesses to improve their cybersecurity posture, suggesting that the document could spur private-sector operators of critical infrastructure to prioritize the issue within their firms.
The administration's cybersecurity framework offers a far-ranging template for businesses in various sectors of the economy, including core functions such as threat identification and response, assessment tools and guidance for aligning security with a company's business objectives.
The blueprint grew out of an executive order on cybersecurity that President Barack Obama issued last February and came as a welcome step forward for members of the tech community who have been advocating for the government to do more to encourage the private sector to improve its digital defenses.
"We believe they produced something that's very positive, that actually is a good framework for looking at cybersecurity," says Tim Molino, director of government relations at BSA, a trade group representing software and hardware companies.
'Flexible' Framework Offers Broad Guidelines
It remains to be seen the extent to which businesses will incorporate the voluntary framework into their internal cybersecurity operations, but some industry officials praise the administration for avoiding technical prescriptions and instead producing broader guidelines that can be tailored to fit in organizations across the 16 sectors of the economy that the government has designated as critical infrastructure.
"The framework is an inherently flexible, adaptable document, and because of that we believe that just about any organization can benefit from it — no matter its size or level of sophistication," says Jeff Greene, senior policy counsel at the security software vendor Symantec. "We are using it internally, and we think it likely that it will be a part of many organizations' overall security program in the coming years."
The government is actively encouraging businesses to adopt the framework, an effort led by the Department of Homeland Security, which has set up the Critical Infrastructure Cyber Community (C3) Voluntary Program to support that effort. Through that program, DHS offers companies resources and support staff to help implement the framework. The department says it's committed to forging stronger partnerships with private-sector firms and will support efforts to develop industry-specific guidance where appropriate.
Several tech groups praised the framework's focus on risk management, rather than pushing out a mandate for industry adoption that could simply create another compliance burden without advancing real security.
"The emphasis on voluntary standards provides the greatest likelihood that the framework will be broadly adopted," Mike Hettinger, senior vice president of the public sector division of the trade group TechAmerica, said in a statement.
Cybersecurity Framework Just Preliminary, 'Foundational' Step
Some security experts would have liked to see the administration go further.
One is Tom Kellermann, managing director with the professional services firm Alvarez & Marsal, who served on the Commission on Cybersecurity for the 44th Presidency. Kellermann lauds the intent of the framework, though he describes it as "foundational," an important step, but a preliminary one. He points to the report produced by the advisory group on which he served — noting that, of the 25 recommendations it made for the incoming administration in December 2008, more than two-thirds have yet to be implemented.
Kellermann would have preferred for the cybersecurity framework to carry more of a mandate, though he credits the administration with raising the profile of the issue with a White House endorsement and for emphasizing that security must be entwined with business objectives.
"It elevates the issue to the board level, and proactive CIOs should be pleased with this, because they're going to get more resources," Kellermann says. "For too, long there's been this argument that security had no ROI."
He suggests that adoption of the framework will be uneven across the private sector. Early adopters will likely include companies that have suffered serious security breaches, as well as firms in sectors such as healthcare, financial services and government contracting.
Over time, Kellermann hopes market conditions will evolve to a point where security becomes a chief differentiator in the eyes of customers, with firms that continue with a lax approach losing share. "I think it's in their best interest from a competitive advantage perspective and a risk management perspective to embrace this."
The BSA's Molino suggests that many IT companies — among the 16 designated critical infrastructure sectors — commonly have an advanced security apparatus in place that generally comports with the new framework. But tech vendors could find the document useful when working with customers in other sectors that have weaker security operations. "It's a way for us to then talk to our customers about how to build up their cybersecurity."
Even Security-savvy Firms Can Learn From Framework
Even for businesses that have devoted considerable resources to digital security, the administration's blueprint could still prove valuable.
Asked about the extent to which the cybersecurity framework will reshape the way businesses approach security, Symantec's Greene says it should be approached on a case-by-case basis. Organizations without a cybersecurity program in place now have a good framework for building a program that suits their needs, he says. Organizations that already have a sophisticated program can use the framework to examine the programs they have in place and challenge their existing assumptions about how to do security.
"For all organizations," Green concludes, "the framework creates a relatively simple, common language that organizations can use to communicate about security internally and with each other."
The National Institute of Standards and Technology, the division of the Commerce Department that drafted the blueprint, has provided a roadmap for advancing the framework, calling it a "living document." The agency says it will continue to reach out to industry — with which it worked extensively in developing the framework — to help business leaders understand and adopt the guidance.
In that role, NIST will collaborate with DHS in the voluntary adoption program. For its part, DHS emphasizes the voluntary nature of the framework; it's unclear how it might incentivize industry adoption, though, or if it will develop a formal certification process for companies that implement the guidance.
In Congress, where lawmakers have unsuccessfully floated various bills to improve cybersecurity, debate has focused on what role the government should play — if any — in setting industry standards. To incentivize adoption of the cybersecurity framework, the government could offer tax benefits or certain legal immunities to companies that have implemented it. But DHS can't take either of those steps on its own.
"It would take an act of Congress — otherwise known as an act of God," Kellermann says.
After midterm elections, he says, DHS could start making more noise about concrete steps to drive adoption of the framework. Without the aid of Congress, the government could be expected to use its market power as the largest single purchaser of IT to drive security — but that alone can't be expected to bring a voluntary framework into universal adoption.
"The next step is a very hard one," Molino says. "The next step is just trying to implement it and getting companies to rally around it and adopt it. How that rollout happens is another challenge."