The Obama Administration recently unveiled the Cybersecurity Framework, a guide for protecting critical national infrastructure such as electrical grids and water and fossil fuel supplies from cyberattacks. The White House’s new guidance comes at a time when the international security community is increasingly concerned about these types of campaigns that could blend aspects of cybercrime and terrorism, with the intent of causing financial and reputational damage and making political statements.
Compiled by NIST, Cybersecurity Framework is voluntary for now
For now, compliance with the Framework’s suggestions is optional, although executive branch officials have previously considered incentives such as tax credits to encourage organizations to get on board. It isn’t clear how many of them will take the Cybersecurity Framework to heart – after all, bolstering infrastructure defenses can be a costly, time-consuming process for budget-constrained government agencies and risk-averse private enterprises alike.
A year ago, U.S. President Barack Obama ordered the National Institute of Standards and Technology to compile the guidance that would form the backbone of the Cybersecurity Framework. He may have taken this route due to legislative gridlock in Congress that was making it hard for the U.S. government to keep up with an evolving threat environment that was spilling over into the national security sphere.
“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement. “I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my Administration will continue to take action, under existing authorities, to protect our nation from this threat.”
Since it’s voluntary and perhaps vague in spots, how effective will the Framework be in spurring a wide range of stakeholders into action on protecting national infrastructure? The Obama Administration’s heart is in the right place – beating back the threat of attacks on critical assets will require input from many different contributors – but the guidance from the NIST could benefit from greater clarity, as well as a more particular consideration of how past infrastructure attacks have played out and been addressed.
Critical infrastructure vulnerable to attack from nation-states and individuals
Security experts have been ringing the bell about infrastructure attacks for some time. Some observers, such as Waterfall Security vice president Andrew Ginter, have likened the threat to a fifth domain of warfare (after land, air, sea and space), and some nation states may have similar stances. The watershed Stuxnet attack on Iranian nuclear facilities likely involved input from several countries, while last year the United Kingdom made waves by announcing a claim to offensive cyberattack capabilities.
Bringing down a key power plant or compromising a water supply could be a significant geopolitical move, but on a technical level such operations are not much different from typical hacking or malware distribution. In many instances, an attack would require entry to a secured corporate network, which attackers could most easily obtain via a spear-phishing campaign. From there, malware could be used to comb through password hashes and give attackers enough information to create highly privileged accounts with the permissions needed to sabotage operations.
There’s precedent for such attacks. In 2008, cybercriminals hacked into several power plants in Brazil to extort money from officials. But it’s important to take a level-headed view toward such incidents – although commentators may equate them with terrorism, at the most basic level they’re mostly run-of-the-mill cybercrime that’s simply going after higher profile targets. With that in mind, it makes sense to recommend better fundamental security practices to prevent phishing and similar threats – how does the Cybersecurity Framework stack up?
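The attack path sketched above ends with the creation of highly privileged accounts, which is also one of the more visible steps for a defender. As an added example (not part of the article or of the NIST Framework), the following detector flags any account that is created and then placed in a privileged group within a short window. The sample events are constructed and use a simplified shape; the Windows Security event IDs 4720 (user account created), 4728 and 4732 (member added to a global or local security group) are real, but the field layout and account names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data), shaped loosely like
# Windows Security log entries: (timestamp, event_id, actor, target, group)
SAMPLE_EVENTS = [
    ("2014-02-13 09:01:12", 4720, "j.doe", "svc_backup", None),
    ("2014-02-13 09:01:40", 4732, "j.doe", "svc_backup", "Administrators"),
    ("2014-02-13 11:30:00", 4720, "hr_admin", "new.hire", None),
    ("2014-02-14 08:00:00", 4732, "hr_admin", "new.hire", "Remote Desktop Users"),
    ("2014-02-13 13:00:00", 4720, "ops_lead", "svc_report", None),
    ("2014-02-13 17:15:00", 4728, "ops_lead", "svc_report", "Domain Admins"),
]

# Groups whose membership confers the kind of privilege described above.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def find_rapid_privilege_grants(events, window_minutes=60):
    """Return (target, actor, seconds_between) for each account that is created
    (4720) and then added to a privileged group (4728/4732) by any actor within
    window_minutes. Events are processed in the order given."""
    created = {}   # target account -> (creation time, creator)
    hits = []
    for ts, event_id, actor, target, group in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4720:
            created[target] = (t, actor)
        elif event_id in (4728, 4732) and group in PRIVILEGED_GROUPS:
            if target not in created:
                continue  # pre-existing account; a separate rule would cover it
            t0, _creator = created[target]
            delta = t - t0
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                hits.append((target, actor, int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for target, actor, secs in find_rapid_privilege_grants(SAMPLE_EVENTS):
        print(f"ALERT: {target} created and made privileged by {actor} "
              f"within {secs} s")
```

With the constructed sample, only svc_backup is flagged: new.hire joins a non-privileged group, and svc_report is promoted outside the one-hour window.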
Cybersecurity Framework criticized for being “obvious,” but it still may be a good start
The Cybersecurity Framework takes a top-level approach that is light on specifics but hits on key categories such as continuous security monitoring and asset management. Although it steers clear of forthright advice, it shows companies what types of issues they should be keeping tabs on.
Critics have harped on the Framework’s vagueness. For example, it doesn’t use the word “firewall” even once, and its lack of specificity together with its non-controversial guidance has elicited a muted response from some in the security community.
“When I look at this framework with its beautifully colored boxes, my first thought is ‘Isn’t this obvious?,’” stated FlowTraq chief executive Vincent Berk, according to The New York Times.
However, others have applauded the efforts of the White House and the NIST, and these proponents expect the Cybersecurity Framework to become a de facto standard in the private sector. Writing for InformationWeek, Gerald Ferguson stated that the Framework’s tiered system and the particular way in which it distributed more responsibility to senior managers could motivate organizations to think more carefully about how they construct and monitor their security apparatuses.
“The framework places senior management at the top of the decision-making process and holds senior managers responsible for compliance with the framework,” wrote Ferguson. “Although senior managers without a technical background might be tempted to defer responsibility to their IT departments, complying with the framework requires them to be educated about the choices their company faces and to take responsibility for allocating appropriate resources to address risks.”
There are other factors in the Framework’s favor that could facilitate adoption despite its voluntary nature. For starters, it hasn’t been formulated in isolation by government officials, but with plenty of input from more than 3,000 security experts, many of whom have responded to cyberattacks. Plus, it’s not just any old set of guidelines – it emerged from President Obama’s executive order on “Improving Critical Infrastructure Cybersecurity.”
The best impetus for heeding the Cybersecurity Framework’s guidelines, however, is the recent spate of high-profile private sector breaches, most notably the theft of tens of millions of payment card numbers from North American retailer Target. Eager to avoid falling victim to a similar attack, organizations may be motivated to follow the Framework as they improve their defenses.