Lessons learned from Obama's cybersecurity defeat


President Obama's executive order on cybersecurity (see related article) is a large step back for the president from his 2011 comprehensive cybersecurity legislative proposal, which was taken up by Senate Democrats in the previous session of Congress.

That proposal would have given the Department of Homeland Security authority to conduct risk assessments of private sector networks and modify industry-developed security standards for critical infrastructure firms.

In addition, the 2011 proposal would have established a national requirement for companies to report data breaches involving personal information. Currently, there are more than 40 state laws with various data breach thresholds and report requirements.

Obama's legislative proposal became, after much amendment, the Senate's Cybersecurity Act of 2012. The legislation faced stiff opposition from Senate Republicans as well as U.S. private sector groups, most notably the U.S. Chamber of Commerce. Senate Democratic leaders tried to bring the bill up for a vote on the Senate floor on a number of occasions last year, but failed to secure enough support to hold a vote.

The president appears to have learned the lessons of that legislative defeat as shown in his most recent cybersecurity executive order, which focuses on voluntary security standards to be developed by the Commerce Department's National Institute of Standards and Technology (NIST) and the industry.

To its credit, NIST almost immediately asked for private sector input for the standards, which it terms a cybersecurity framework. It is asking for feedback on a range of network security issues, including enterprises' risk management practices, encryption, asset management and security engineering. In addition, the agency is holding workshops over the next few months to meet face-to-face with industry representatives, with the goal of having a final document ready within a year.

According to NIST, the cybersecurity framework will consist of a roadmap and structure for future efforts, including a recommended process for how the standards within each sector will be reviewed by stakeholders.

The framework will include metrics, methods and procedures that can be used to continuously assess and monitor the effectiveness of network security controls, standards, guidelines and best practices.

I would encourage companies to participate fully in the process of developing NIST's cybersecurity framework. It will serve not only as a security guideline for critical infrastructure firms but as a model for all industries. - Fred