By CHRIS STROHM
The White House released a plan this week for actions power
plants, financial networks and other critical services can
take to protect their computer networks from hacker attacks
with potentially devastating consequences.
After a year of work involving President Barack Obama's
administration and businesses, the cyber security
framework identifies actions and technical standards
companies can voluntarily follow. It doesn't require
banks, utilities and other essential services to do anything
and lacks a way to measure whether the nation's defenses
The document also doesn't include financial incentives
like tax breaks and legal protections that trade groups
representing Bank of America, Alliant Energy, General
Electric and other companies say are necessary to help offset
the cost of computer and network security upgrades.
"No one should imagine that this is a cure all,"
said Stewart Baker, a former assistant secretary for policy
at the Department of
Homeland Security. "I don't see a commitment across
the board from industry to do the things that are necessary
to keep hackers out of their systems."
Obama issued an executive order last year to create the
framework after failing to get Congress to require companies
to better defend their networks. While the order called for
incentives, the administration couldn't work them out in
time and some will require legislation or regulatory
"America's economic prosperity, national security,
and our individual liberties depend on our commitment to
securing cyberspace and maintaining an open, interoperable,
secure, and reliable Internet," Obama said. While saying
the framework is a turning point, he adds
"it's clear that much more work needs to be done to
enhance our cybersecurity."
"The framework is just a first step and there is more
that government and industry must do together to address
basic cyber hygiene as well as the most sophisticated and
persistent threats to critical infrastructure," said
Robert Dix, vice president of government affairs for
Sunnyvale, California-based Juniper Networks.
Companies and government agencies spent more than $88 billion
in 2013 on cyber security, more than double the $40 billion
spent in 2006, according to research conducted by the Ponemon
Institute based in Traverse City, Michigan.
The framework identifies five broad categories -- identify,
protect, detect, respond and recover -- that companies should
consider in cyber security planning, a senior administration
official told reporters.
Each category includes subcategories outlining actions to
take and the corresponding technical standards to be used to
improve security, said the official.
The Department of Homeland Security will manage a program to
encourage companies to use the framework. It may never be
possible to know how many companies use the framework, said
another senior administration official who was not authorized
to speak on the record.
The two officials said they believe companies will use the
framework based on the participation and interest they saw as
it was developed during the last year.
The administration also will work on incentives that could
include legal protections for companies that adopt the
guidelines and still get attacked, tax breaks, insurance
discounts and preferences for being awarded federal contracts
and grants. No timeline has been established for coming up
The framework establishes a baseline for cyber security, said
Baker, a partner at the Washington law firm Steptoe &
"If you suffer an intrusion and your customers are
harmed, you're going to be sued," Baker said.
"If you haven't followed a standard that the
government recommends you follow, there's likely to be a
presumption of negligence."
To make the framework more effective, DHS should be given
authority to monitor how companies are complying with the
guidelines and challenge businesses that fall short, he said.
Agencies responsible for regulating the security of critical
infrastructure are due to report to the White House today
whether they have sufficient authorities to address cyber
risks, according to Obama's executive order. Agencies
that determine their authorities are insufficient then will
have 90 days to propose remedies.
The US Chamber of Commerce wants legal protections to ensure
that threat and vulnerability information companies share
with the government or each other will not lead to frivolous
lawsuits, be publicly disclosed or used in regulatory
actions, said Ann Beauchesne, the group's vice president
of national security and emergency preparedness.
Congress would need to pass legislation giving companies
liability protection for information sharing, and that's
unlikely anytime soon. Many lawmakers are outraged at the
reach of National Security Agency spy programs exposed in
documents leaked by former government contractor Edward
Snowden and may be reluctant to approve bills that would give
the government more visibility into what's happening on
The Chamber is the nation's largest business lobby and
led opposition to legislation that would have created cyber