The US administration on Wednesday launched a cybersecurity plan which aims to use voluntary collaboration from the private sector to protect critical infrastructure from computer hackers.
The initiative stems from an executive order issued last year by President Barack Obama after repeated failures in Congress of a cybersecurity law.
The so-called cybersecurity framework allows the government to lead an information-sharing network but stops short of making mandatory the reporting of cyber threats.
The goal is to protect so-called critical infrastructure, which can include power grids, water systems and financial networks against which a cyberattack could have crippling consequences.
Obama said the voluntary framework “is a great example of how the private sector and government can, and should, work together to meet this shared challenge.”
“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement.
“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.”
Voluntary tradition
A senior administration official said the framework is the result of one year of consultations with industry experts and others.
“We wanted this framework to be voluntary because it encourages the widest set of stakeholders to come forward and work with us,” the official said.
“Voluntary standards are a tradition in this country because they work.”
Obama and other officials have continued to press lawmakers for cybersecurity legislation, which could give the government broader ability to prevent and respond to computer attacks.
Lawmakers have been deadlocked on cybersecurity legislation, amid opposition from an unusual coalition of civil libertarians — who fear government snooping — and conservatives who said it would create a new bureaucracy.
US military officials have argued that legislation is needed to protect infrastructure critical to safeguarding national defense, including power grids, water systems and industries ranging from transportation to communication.
Senator Jay Rockefeller, who has spearheaded cybersecurity efforts in Congress, praised the new plan.
“The recent data breaches at Target and other retailers are a stark reminder that our networks continue to be vulnerable to cyber attacks,” Rockefeller said in a statement.
The senator added that the plan “represents the careful thinking of our country’s top security experts. It should become an essential touchstone, not just for critical infrastructure operators, but for all companies and government agencies that need to protect their systems and their data.”
But Greg Nojeim at the digital rights activist Center for Democracy & Technology said the plan is weak on privacy protection after the latest update removed specific privacy language.
“We would have preferred a framework that requires more measurable privacy protections,” Nojeim said.
Suzanne Spaulding, acting under secretary of Homeland Security, encouraged the private sector to adopt the voluntary standards.
“Both the private sector and government have a role to play in strengthening our nation’s critical infrastructure security and resilience, including cybersecurity, and it is imperative that we as a country take coordinated actions to achieve this goal,” she said in a blog post.
But the technology policy think tank Tech Freedom expressed doubt.
“The govt is producing only basic #cybersecurity standards, with little incentive for private sector to participate,” the group tweeted.