Experts: What to expect after cybersecurity executive order
The Obama administration's cybersecurity framework could see current banking and utility regulations as a model, some say
IDG News Service - U.S. government agencies will need the help of companies while developing a set of cybersecurity standards that President Obama has called for in an executive order signed last month, administration officials said.
The Obama administration will look to private industry for cybersecurity standards and best practices on which to base the voluntary framework focused on reducing risks to companies providing critical infrastructure, representatives of the U.S. Department of Commerce and sub-agency the U.S. National Institute of Standards and Technology said Monday during a briefing on the executive order.
The government will not push through its own idea of what the standards should look like, said Ari Schwartz, senior policy adviser in the Department of Commerce.
"This is not one of those examples of, 'we're from the government, and we're here to help,'" Schwartz added. "It's, 'we're from the government, and we need your help.'"
Even with industry participation, the framework could contain some rigorous standards aimed at improving cybersecurity for businesses identified as critical infrastructure, said some lawyers at Venable, the law firm hosting Monday's briefing. Existing security regulations for the electric utility and financial services industries may serve as models for the executive order's framework, Venable lawyers said.
The new standards will likely question how a company's network is designed and configured and who has access to the network, said Brian Zimmet, a partner in Venable's energy practice group. "Which ports are open and which ports are closed?" he said. "You're looking at being able to justify every single open port on your network and being able to articulate a valid business reason for having that port open."
The framework's standards prompt some changes at participating companies, he added.
"When your network was originally set up by your IT people, they set it up with an eye, generally, toward making the system work and making it as easy as possible for the company to do its business," Zimmet said. "When you start applying cybersecurity standards to this question, you're really looking at the opposite of what the IT guys were looking at when they designed the network."
The framework may also ask businesses to report cybersecurity breaches, as financial institutions now do, added Venable partner John Bowman, who works with the banking industry. Bowman's clients see current cybersecurity regulations on banks as a model for the framework, but some industries may not need as many regulations, he said.
The cybersecurity rules for the banking industry impose a "considerable" burden on those businesses, he said.
Obama's order tasks NIST with leading the effort to develop the cybersecurity framework, and the agency will host several workshops for interested people to comment, said Adam Sedgewick, senior Internet policy advisor at NIST. The first workshop is April 3 at NIST's headquarters in Gaithersburg, Maryland, near Washington, D.C.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts