The 41-page framework is a result of a year-long project in which businesses and individuals collaborated on the best standards, practices and guidelines to improve critical infrastructure cyber security. These ideas were finalised and bound together by the US National Institute of Standards and Technology (NIST).
The Cybersecurity Framework, which formed part of the “Improvement of Critical Infrastructure Cybersecurity” announced by Obama at the 2013 State of the Union, is voluntary, but will be promoted by the US Department of Homeland Security's new Critical Infrastructure Cyber Community (c3) Voluntary Programme.
The framework has three components – Framework Core, Profiles and Tiers – and also guides companies on privacy and civil liberties. Furthermore, the framework provides a cyber security roadmap for beginners, while participants will also be able to share lessons learnt and get free tools to improve their security operations.
The Framework Core is essentially a set of cyber-security ‘best practices' and can be called upon by CNI sectors to tackle important stages of cyber defence – from Identify and Detect to Respond and Recover. Profiles are more focused on aligning cyber security measures with business requirements, while Tiers break down a company's cyber management practices.
President Obama said that the framework is a “turning point” in the national discussion about cyber security.
“It's clear that much more work needs to be done to enhance our cybersecurity,” he said in a statement. “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”
Commentators over the pond, however, were mixed on the framework.
“It is great that there is serious work on this topic of cybersecurity for the United States in the form of a document,” new RedSeal Networks CEO Ray Rothrock told SCMagazineUK.com. “In the world of actions, it is always great to have a document to react to, and I'm sure many of my cohorts will react, pro and con.”
“In Olympic terms, today marks the end of the preliminary rounds, we are on the right track but we haven't won any gold medals for cybersecurity yet,” Internet Security Alliance President Larry Clinton told IDG.
“The most important element of the effort so far is that we have moved away from trying to impose a government-centric set of mandates on industry and instead are attempting to create a programme based on industry-developed standards and practices where voluntary adoption is motivated by market incentives.”
UK and Europe could get tips
Although the framework is aimed primarily at US companies, it can be used as guidance by organisations outside the region.
“Organisations outside the US may also wish [to] use the Framework to support their own cybersecurity efforts,” reads the press release.
And following on from a new UK government research centre designed to tackle the threat against industrial control systems, ESET UK senior research fellow David Harley agreed that such a framework could work in the UK, but only after greater structure and detail had been added.
“This is a very high-level view, and voluntary implementation would be very reliant on existing standards such as ISO/IEC 27001, COBIT, and NIST's own standards,” Harley told SCMagazineUK.com. “There are some good intentions here, but the organisations most likely to take advantage of it are those who are already familiar with at least some of the standards it is meant to augment. Although it alludes to the importance of critical infrastructure, it doesn't go into any detail about the what and the how. For instance, there is only one mention of SCADA, and that is merely an expansion of the acronym in an appendix.
“There might be a place for such a framework in the UK under the aegis of an organisation like CPNI.”
IBM's global head of cybersecurity intelligence Nick Coleman was more upbeat on the framework, and said that organisations would be better organised as a result, especially in light of the growing number of CNI systems that connect to other services via the Internet.
“Cyber threats are not just focused on financial services and retail companies. Attacks are increasingly focused on power facilities and other infrastructure elements that directly affect the nation's economy and security,” Coleman told SCMagazineUK.com.
“While no company or sector is immune to cyber attacks, if organisations take the steps outlined in the framework, they'll be better positioned to protect themselves and their practices.”