Kevin Coleman is a senior fellow at SilverRhino and former chief strategist at Netscape.
The long-awaited voluntary Cyber Security Framework for critical infrastructure providers was announced by the Obama administration on Feb. 12th. President Obama acknowledged that this framework is just a first step in creating what he referred to as a cybersecurity playbook that would be specifically designed for the 16 critical infrastructure sectors.
This is not the normal document out of Washington. Most of what it contains came from subject matter experts within industry. Many of these individuals are on the front line of cyber defense every day, defending the nation's critical infrastructure.
I asked around and it was no surprise that a few concerns popped to the top of the comments.
First of all, the government has to be able to keep pace with the rapid rate of change in the cyber threat environment. Given the time it takes for anything to work through the layers of bureaucracy in our federal government, the framework will not be able to keep pace with this ever-changing threat.
This voluntary framework, if implemented, must be funded by critical infrastructure providers. Many of the CI providers are regulated and would have to develop a 'rate case' in order to increase their billing rate so they can cover any added expenses; or the provider would have to absorb the costs associated with this. If they are publicly traded, that means lower revenues. So why would they do it?
Interesting Observation: One individual was quick to point out that if the SMEs from the utilities knew what needed to be done and that is what they contributed to the framework, why didn't they just do it in the first place? Since they did not, why would they now? Or is this just documenting what they already have in place so we put all the time, effort and money into this to maintain the status quo?
It is clear this is the baseline and a first step. What is to follow, when will it be coming, will there be a carrot for those who comply and a stick for those who do not adopt or follow the voluntary framework? So many questions remain unanswered.
Well, it is a small first step and a step in the right direction that is long overdue. This issue is so critical to our economic and national security we can't take the same-old, same-old approach or use our typical government process to address these issues. There is too much at stake here!