The Obama administration issued the final version of its "cybersecurity framework" Wednesday, a series of security guidelines and best practices aimed at protecting finance, critical infrastructure, defense and other industries from a major cyber attack that could disrupt business and wreak havoc on their systems.
The finalized guidelines have been in the works since last year, when President Obama signed an executive order calling upon the Commerce Department to establish basic - but voluntary -- security parameters for critical industries to follow.
"While I believe today's Framework marks a turning point, it's clear that much more work needs to be done to enhance our cybersecurity," Obama said in a statement. "America's economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.
The newly released framework comes after a steep uphill climb for the Obama administration and security proponents. The executive order prompting the framework's creation represented a final effort to bolster security after the proposed Cybersecurity Act was defeated in the Senate in August 2012. Among other things, the Cybersecurity Act, proposed by Sens. Joe Lieberman and Susan Collins, aimed to harden cyber defenses for critical infrastructure, such as water supply, electrical grid and power facilities. Its failure to pass in the Senate was seen as a disappointment to the White House, which had spend months urging Congress to ensure the bill's passing.
In his 2013 State of the Union address, Obama pledged to create a security standard, calling upon private sector security firms and researchers to assist in that effort. The result constituted a new security framework built around five pillars - identify, protect, detect, respond and recover - all integral to an organization's comprehensive security strategy. The Department of Homeland Security also said that it would initiate a program that would assist companies with implementation.
That said, there are numerous reasons that the framework might fail to fulfill its objectives. Perhaps the most significant is that adoption will be strictly voluntary. And because the framework isn't mandatory, it's also not enforceable. The framework also fails to provide any kind of incentives - such as funding, tax breaks, or special protections -- to organizations that try to implement security upgrades. In fact, the new framework fails to offset any acquired costs, or provide any legal protection for those that implement the guidelines and get hacked anyway.
Even if organizations want to improve their security posture, upgrading or revamping security infrastructure will inevitably be a time-consuming and costly undertaking. And while the Obama administration is hopeful that companies will voluntarily take on its new set of standards out of good will, there is little motivation for them to go out of their way to make any of the suggested changes.
Was this a wasted effort? Maybe not. If anything, the framework could be approached as a document that lays the foundation for other, more meaningful programs and initiatives down the road. While numerous governmental and commercial organizations are tapped to adhere to industry specific regulatory compliance mandates, there has yet to be one set of unifying directives that govern the security stance of all U.S. businesses. And this document could potentially pave the way for future legislation.
However, the path from best practice to federal regulation is at best a years-long journey. It will probably require many more compromises and exhausting debates with Congress. It will also have to gain favor with critical infrastructure companies and other major industries, many of which continue to view IT as a cost center, and security upgrades as an unprofitable and unnecessary expense.
In short, we still have a long ways to go.