Why The President's New Cybersecurity Rules Won't Make Us Safer
The President's long-awaited cybersecurity framework for critical infrastructure companies (energy, water, transportation, finance, telecom, etc.) just became official this week - but will it really make us any safer? The short answer: no.
Critical infrastructure is a mixed bag when it comes to security. On the one hand, there are the big banks and Wall Street financial firms that are using state-of-the-art technology and tactics to protect themselves; on the other, there are the manufacturers, transportation networks, and oil and gas facilities that run on outdated, hard-to-patch industrial control networks that have been proven to be vulnerable to attack. In fact, a member of our team recently found a system on the Internet that allowed access to a regional electric grid. If exploited, accessing one unfiltered port could have caused serious problems for a large swath of one US state. This took less than an hour to identify and access.
The whole point of establishing a cybersecurity framework should be to prevent this gross disparity in cyber-readiness - but the way it's written, it's simply too watered-down to have that effect.
The President's original goal was to get legislation passed that would force companies to comply with heightened cybersecurity standards. The private sector fought back, due to concerns over the enormous costs and red tape this would create, and as a result the President resorted to an executive order which in turn led to a generic and optional cybersecurity framework.
What's really needed to make US companies safer from cyber attacks are two things: (1) the ability for companies to share intel on active threats and (2) a strong set of incentives that will motivate businesses to spend the money and resources required to harden their networks and upgrade their defenses. Neither of these is achieved in the current framework.
Here are six things you should know about the new cybersecurity framework for America's most critical companies:
- A Roadmap, Not a Standard - It's important that people realize the government hasn't created a new cybersecurity standard that companies will follow. Instead it's given them a set of road maps that each company can choose from on its own.
- It's Completely Voluntary - That was critical in order to get industry support, but it also means that the guidelines lack 'teeth' to force compliance. However, much of the guidance has been standard industry practice for years, so any company that is at least making a moderate effort on cybersecurity should already be doing most of it. That's good in the sense that the framework isn't onerous on most companies, but bad in that it doesn't provide anything new or advanced.
- There's No Incentive to Improve - For those companies that aren't already doing a modicum of cybersecurity, there's nothing in the new framework that will incentivize them to pick up the slack. Some ideas that are being discussed by the Obama administration are public recognition, cyber insurance and cost recovery programs, limitations on liability, process preference and grants for adopters. Most of these would be very effective enticements if put into practice - particularly liability limitations for a company that meets a real set of standards, yet still gets breached. That will require an act of Congress, however, so it's unlikely to happen any time soon. But the President does have the authority to push through the cyber insurance and cost recovery programs - these could help companies bring down the cost associated with increasing their security posture. Other incentives like procurement preferences for government contracts would also be a boon.
- Swapping Threat Information - For companies, the ability to share threat information is critical - yet it's hampered by concerns over privacy regulations. As of right now, it's not clear how much or what types of information companies can share between themselves and the government without running afoul of privacy concerns. The administration claims to have made progress on the privacy issue, but the new cybersecurity framework doesn't really accomplish any meaningful changes - the language is too broad to be impactful. Until that changes, companies will continue to sit on critical information about active and emerging cyber threats, instead of letting others know so they can protect themselves. The ability to exchange active threat information is one of the most critical aspects needed for true cybersecurity reform.
- Is This the First Step Toward Regulation? - While the framework is voluntary, some have mentioned the possibility that we could see a type of "shadow liability" emerge as a result of it. As the argument goes, the next time a critical infrastructure company is hacked, civil or shareholder lawsuits could potentially cite negligence if it turns out the company wasn't keeping up with the framework. This could very well be the case - even more so with regulatory agencies and government procurement offices. But, again, the framework is too general and a la carte to make this meaningful. It may force more companies to do a better job of documenting their cybersecurity programs, but won't necessarily lead to better programs.
- The SMB Problem - Another potential snag with the current framework is that it doesn't really solve the small business problem. SMBs lack the money and resources to implement meaningful cybersecurity. Since they comprise the supply chain of larger companies, that means they also undermine their security. As we saw in the recent Target breach, an HVAC contractor may have been the root cause of a massive corporate hack that ultimately affected 110 million consumers. The current framework doesn't provide a solution to this; it's designed primarily for enterprise-class companies.
About the author: Rick Hayes is the 'force' practice lead at TrustedSec, a cybersecurity/ethical hacking firm that consults for Fortune 10s/100s/500s, as well as major financial institutions, energy, telecom, local governments and international governments. Hayes oversees the company's penetration testing program, which involves testing corporate and industry defenses for weaknesses state-sponsored hackers could use to break in. He is a former US Navy intelligence specialist, past information security officer for a major apparel retail company and previously led the operational security teams at several major corporations. www.trustedsec.com