US government releases draft cybersecurity framework

NIST comes out with its proposed cybersecurity standards, which outlines how private companies can protect themselves against hacks, cyberattacks, and security breaches.

C/NET News
by Dara Kerr
October 22, 2013

According to NIST, all levels of an organization should be involved in cybersecurity.
(Credit: The National Institute of Standards and Technology)

The National Institute of Standards and Technology released its draft cybersecurity framework for private companies and infrastructure networks on Tuesday. These standards are part of an executive order that President Obama proposed in February.

The aim of NIST’s framework (PDF) is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats. Adopting this framework would be voluntary for companies. NIST is a non-regulatory agency within the Department of Commerce.

The framework was written with the involvement of roughly 3,000 industry and academic experts, according to Reuters. It outlines ways that companies could protect their networks and act fast if and when they experience security breaches.

“The framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally,” reads the draft standards. “The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.”

Obama’s executive order in February was part of a government effort to get cybersecurity legislation in place, but the bill was put on hold after the National Security Agency’s surveillance program was revealed.

Some of the components in Obama’s order included: expanding “real time sharing of cyber threat information” to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a “review of existing cybersecurity regulation.”

Critical infrastructure networks, banks, and private companies have increasingly been hit by cyberattacks over the past couple of years. For example, weeks after the former head of Homeland Security, Janet Napolitano, announced that she believed a “cyber 9/11″ could happen “imminently” — crippling the country’s power grid, water infrastructure, and transportation networks — hackers hit the US Department of Energy. While no data was compromised, it did show that hackers were able to breach the computer system.

In May, Congress released a survey that claimed power utilities in the U.S. are under “daily” cyberattacks. Of about 160 utilities interviewed for the survey, more than a dozen reported “daily,” “constant,” or “frequent” attempted cyberattacks on their computer systems. While the data in the survey sounded alarming, none of the utilities reported any damage to their facilities or actual breaches of their systems — but rather attempts to hack their networks.

While companies are well aware that they need to secure their networks, many are wary of signing onto this voluntary framework. According to Reuters, some companies are worried that the standards could turn into requirements.

In an effort to get companies to adopt the framework, the government has been offering a slew of incentives, including cybersecurity insurance, priority consideration for grants, and streamlined regulations. These proposed incentives are a preliminary step for the government’s cybersecurity policy and have not yet been finalized.

NIST will now take public comments for 45 days and plans to issue the final cybersecurity framework in February 2014.