Obama Administration Announces New Cybersecurity Framework

Legal Compliance Resource
February 24, 2014

A recent Ernst & Young report pointed to the growing threat and incidence of cyber attacks on businesses. Over the years, cybersecurity has moved from an operational concern to a board-level problem. Now, the Obama administration has released a voluntary cybersecurity framework in an effort to advise companies on best practices for safeguarding their networks effectively. The President called cybersecurity a 'systemic challenge' that threatens the nation's critical infrastructure and harms the economy. The latest security initiative comes on the back of a massive credit and debit card hack at Target, which is estimated to have compromised 40 million customers.

Who has developed the framework?

The voluntary framework has been compiled by a number of federal agencies, hundreds of companies and many international contributors. The administration came up with the new guidance after a failed effort to pass legislation designed to protect the networks of critical infrastructure companies more effectively. Congress was not convinced that government requirements would be the best motivator for companies to take the necessary precautions to secure their networks. Critical infrastructure assets include facilities that produce and transmit electricity, generate and distribute oil and gas, and manage food production, drinking water, telecommunications, health and transportation, among others.

What are the components of the framework?

The framework's three components – framework core, profiles and tiers – have different purposes. The 'core' comprises cybersecurity activities that are common to all infrastructure sectors. They help companies detect, safeguard against, respond to and recover from cyber attacks, and also provide them with a top-level view of cybersecurity management.

'Profiles' address the business side of cybersecurity. The guidance intends to help companies align their cybersecurity activities with business needs, resources and risk tolerances. 'Tiers' give companies a view into their approach to, and processes for, cybersecurity management. The framework also advises organizations on civil liberties and privacy issues stemming from cybersecurity activities.

More cybersecurity challenges lie ahead

Organizations can choose to follow the recommendations of the voluntary framework stringently or disregard them. The Obama administration will not track whether companies are implementing the guidance, and hopes that their self-interest will motivate them to integrate the framework seriously into their operations. There is also the issue that companies that rely only on mandatory cybersecurity guidelines may limit their level of compliance and not take emerging threats into account. This could be quite risky given that hackers' exploits have become more customized, sophisticated and dangerous. Obama has admitted that while the new initiative is a step in the right direction, more needs to be done to manage cybersecurity risks and avert attacks successfully.
