Experts: What to expect after cybersecurity executive order

The Obama administration's cybersecurity framework could see current banking and utility regulations as a model, some say

U.S. government agencies will need the help of companies while developing a set of cybersecurity standards that President Barack Obama has called for in an executive order signed last month, administration officials said.

The Obama administration will look to private industry for cybersecurity standards and best practices on which to base the voluntary framework focused on reducing risks to companies providing critical infrastructure, representatives of the U.S. Department of Commerce and sub-agency the U.S. National Institute of Standards and Technology said Monday during a briefing on the executive order.

The government will not push through its own idea of what the standards should look like, said Ari Schwartz, senior policy adviser in the Department of Commerce.

"This is not one of those examples of, 'we're from the government, and we're here to help,'" Schwartz added. "It's, 'we're from the government, and we need your help.'"

Even with industry participation, the framework could contain some rigorous standards aimed at improving cybersecurity for businesses identified as critical infrastructure, said some lawyers at Venable, the law firm hosting Monday's briefing. Existing security regulations for the electric utility and financial services industries may serve as models for the executive order's framework, Venable lawyers said.

The new standards will likely question how a company's network is designed and configured and who has access to the network, said Brian Zimmet, a partner in Venable's energy practice group. "Which ports are open and which ports are closed?" he said. "You're looking at being able to justify every single open port on your network and being able to articulate a valid business reason for having that port open."

The framework's standards prompt some changes at participating companies, he added.

"When your network was originally set up by your IT people, they set it up with an eye, generally, toward making the system work and making it as easy as possible for the company to do its business," Zimmet said. "When you start applying cybersecurity standards to this question, you're really looking at the opposite of what the IT guys were looking at when they designed the network."

The framework may also ask businesses to report cybersecurity breaches, as financial institutions now do, added Venable partner John Bowman, who works with the banking industry. Bowman's clients see current cybersecurity regulations on banks as a model for the framework, but some industries may not need as many regulations, he said.

The cybersecurity rules for the banking industry impose a "considerable" burden on those businesses, he said.

Obama's order tasks NIST with leading the effort to develop the cybersecurity framework, and the agency will host several workshops for interested people to comment, said Adam Sedgewick, senior Internet policy advisor at NIST. The first workshop is April 3 at NIST's headquarters in Gaithersburg, Maryland, near Washington, D.C.

Sedgewick and Schwartz urged businesses to participate.

"This process cannot be successful without leadership from industry that is identifying best practices and standards that they use," Schwartz said. "We know there are leaders out there that do good work in this space, and we need them to come forward and help us put together the framework."

The framework will not be a one-size-fits-all set of rules, but is intended to be collaborative in nature, Schwartz said. The goal is for private industry to take the lead on the standards, Sedgewick added.

One audience member at the briefing asked Schwartz what the ultimate goal of Obama's executive order is. "When you have state-sponsored cyberterrorism that can spend $1 billion to take down the stock exchange, is the goal just to make it very expensive?" the audience member asked. "Do you really think you can stop it?"

The goal is to make providers of critical infrastructure less vulnerable, Schwartz said. He pointed to several recent cyberattacks in which the victim organizations failed to use "basic hygiene," such as changing default network passwords or backing up financial data.

"If we can get critical infrastructure to raise their game ... then the bad guys won't get in or they will have to raise their game as well," he said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
