The U.S. Department of Homeland Security has announced the start of a public-private program designed to help protect the nation’s water supply, power grids, banking system, transportation networks and other critical infrastructure from cyber attacks.
The Cybersecurity Framework is the result of a yearlong effort to develop a how-to guide that organizations can use to improve the security of their networks, according to a news release from The White House. The Department of Commerce’s National Institute of Standards and Technology collected ideas from individuals and organizations, and formulated them into the framework.
According to The White House, the voluntary framework “provides a roadmap” for organizations with undeveloped cybersecurity plans. For groups with more advanced cybersecurity plans in place, the framework offers an improved method of discussing the “management of cyber risks” with executives and suppliers.
To increase awareness of and participation in the framework, Homeland Security has created the Critical Infrastructure Cyber Community Voluntary Program (Cᶟ). The public-private partnership – which is referred to as C-cubed – seeks to help companies and agencies in their cybersecurity efforts by connecting them to government programs and other resources.
According to a February 2014 report by Politico, the program’s voluntary nature is a shift from the mandatory cybersecurity policies previously advocated by President Barack Obama’s administration. Those tougher requirements would have necessitated Congressional action.
The Senate twice has declined to advance legislation backed by the White House that would have given the government a larger role in protecting the networks of private-sector firms, according to Politico. The news organization also reported that The White House has no plans to track which businesses implement the voluntary framework.
In a statement, Obama said development of the framework “marks a turning point,” but he also noted that additional work is required to boost the nation’s cybersecurity defenses.
“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” the president said.
According to the Department of Homeland Security, the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 256 cybersecurity incidents in 2013. More than half of the incidents reported involved the energy sector, while 20% involved critical manufacturing.
Seventy-nine organizations were confirmed as or suspected of having being compromised as a result of cyber attacks, according to ICS-CERT, while 57 were found not to have been compromised. The remaining 120 incidents ended with no clear determination. Many of the incidents involved unauthorized access to networks, the use of malware or exploitation of hardware or software vulnerabilities.
The Cyber Emergency Response Team called on organizations to boost their monitoring, detection and response plans to ensure that such attacks are “properly thwarted or mitigated quickly.”
