Hydrocarbon Processing Copying and distributing are prohibited without permission of the publisher



US unveils cyber security guidelines for industry

02.14.2014

The White House released a plan for actions power plants, financial networks and other critical services can take to protect their computer networks from hacker attacks with potentially serious consequences.

By CHRIS STROHM
Bloomberg

The White House released a plan this week for actions power plants, financial networks and other critical services can take to protect their computer networks from hacker attacks with potentially devastating consequences.

After a year of work involving President Barack Obama’s administration and businesses, the “cyber security framework” identifies actions and technical standards companies can voluntarily follow. It doesn’t require banks, utilities and other essential services to do anything and lacks a way to measure whether the nation’s defenses improve.

The document also doesn’t include financial incentives like tax breaks and legal protections that trade groups representing Bank of America, Alliant Energy, General Electric and other companies say are necessary to help offset the cost of computer and network security upgrades.

“No one should imagine that this is a cure all,” said Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security. “I don’t see a commitment across the board from industry to do the things that are necessary to keep hackers out of their systems.”

Obama issued an executive order last year to create the framework after failing to get Congress to require companies to better defend their networks. While the order called for incentives, the administration couldn’t work them out in time and some will require legislation or regulatory approval.

“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet,” Obama said. While saying the framework is a “turning point,” he adds “it’s clear that much more work needs to be done to enhance our cybersecurity.”

‘First Step’

The framework is “just a first step and there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure,” said Robert Dix, vice president of government affairs for Sunnyvale, California-based Juniper Networks.

Companies and government agencies spent more than $88 billion in 2013 on cyber security, more than double the $40 billion spent in 2006, according to research conducted by the Ponemon Institute based in Traverse City, Michigan.

Detect, Protect

The framework identifies five broad categories -- identify, protect, detect, respond and recover -- that companies should consider in cyber security planning, a senior administration official told reporters. 

Each category includes subcategories outlining actions to take and the corresponding technical standards to be used to improve security, said the official.

The Department of Homeland Security will manage a program to encourage companies to use the framework. It may never be possible to know how many companies use the framework, said another senior administration official who was not authorized to speak on the record.

The two officials said they believe companies will use the framework based on the participation and interest they saw as it was developed during the last year.

The administration also will work on incentives that could include legal protections for companies that adopt the guidelines and still get attacked, tax breaks, insurance discounts and preferences for being awarded federal contracts and grants. No timeline has been established for coming up with incentives.

Stronger Standards

The framework establishes a baseline for cyber security, said Baker, a partner at the Washington law firm Steptoe & Johnson.

“If you suffer an intrusion and your customers are harmed, you’re going to be sued,” Baker said. “If you haven’t followed a standard that the government recommends you follow, there’s likely to be a presumption of negligence.”

To make the framework more effective, DHS should be given authority to monitor how companies are complying with the guidelines and challenge businesses that fall short, he said.

Agencies responsible for regulating the security of critical infrastructure are due to report to the White House today whether they have sufficient authorities to address cyber risks, according to Obama’s executive order. Agencies that determine their authorities are insufficient then will have 90 days to propose remedies.

Information Sharing

The US Chamber of Commerce wants legal protections to ensure that threat and vulnerability information companies share with the government or each other will not lead to frivolous lawsuits, be publicly disclosed or used in regulatory actions, said Ann Beauchesne, the group’s vice president of national security and emergency preparedness.

Congress would need to pass legislation giving companies liability protection for information sharing, and that’s unlikely anytime soon. Many lawmakers are outraged at the reach of National Security Agency spy programs exposed in documents leaked by former government contractor Edward Snowden and may be reluctant to approve bills that would give the government more visibility into what’s happening on private networks.

The Chamber is the nation’s largest business lobby and led opposition to legislation that would have created cyber security mandates.



© 2013 Hydrocarbon Processing. © 2013 Gulf Publishing Company.