US publishes draft cyber security framework
The US has published a draft framework of voluntary cyber security standards aimed at reducing risks to critical national infrastructure
The US has published a draft framework of voluntary cyber security standards aimed at reducing risks to companies providing critical national infrastructure.
The US National Institute of Standards and Technology (Nist) drew up the framework with input from 3,000 industry and academic experts in response to an executive order by President Barack Obama.
The executive order called for a framework that provides a “prioritised, flexible, repeatable, performance-based, and cost-effective approach” for assisting organisations responsible for critical infrastructure services to manage cyber security risk.
“We want to turn today's best practices into common and expected practices," said Nist director Patrick Gallagh.
Protecting critical national infrastructure from cyber attacks
Like the UK, a large proportion of organisations responsible for critical national infrastructure, such as electrical power and water supplies, are private sector companies.
More on critical national infrastructure
- US researchers find 25 security vulnerabilities in SCADA systems
- Critical infrastructure providers are less engaged with government cyber protection
- Government to monitor companies supporting critical national infrastructure
- Is UK critical national infrastructure properly protected?
- Cyber security study reveals mismatch between awareness and preparedness
- Critical infrastructure security in dire need for standards
The draft framework published by Nist outlines how private companies can identify and protect network assets and detect, respond to and recover from cyber attacks and data breaches.
However, many in the private sector have expressed fears that the voluntary framework will inevitably turn into a set of requirements or create new liabilities, according to Reuters.
“The framework provides a common language for expressing, understanding and managing cyber security risk, both internally and externally," the document states.
"The framework can be used to help identify and prioritise actions for reducing cyber security risk and is a tool for aligning policy, business, and technological approaches to managing that risk."
Obama's executive order was issued in February after months of debate in Congress had failed to get cyber security legislation in place.
Sharing information about cyber threats
In addition to setting basic cyber security standards for private sector organisations, the executive order was aimed at expediting information sharing about threats between government and private sector organisations that run parts of the critical national infrastructure, and expediting security clearances for private sector organisations, especially those involved with critical national infrastructure.
The draft cyber security framework outlines how private companies can identify and protect network assets and detect, respond to and recover from cyber attacks and data breaches
For 45 days after the publication of the draft framework, Nist will take public comments. It plans to issue the final cyber security framework in February 2014.
In the UK, a communications expert is calling for legislation to set rules for the cyber security of critical national infrastructure.
Chris McIntosh, chief executive at communications firm ViaSat UK and a former lieutenant-colonel in the Royal Signals, believes the situation in the UK is very similar to that in the US.
While UK military networks are held to strict standards, said McIntosh, the same standards are not being applied to providers of critical national infrastructure.