A White House plan to shield U.S. infrastructure from hackers will face a change agent in the form of President-elect Donald Trump, who is expected to signal a new U.S. approach to cybersecurity during his first 100 days in office.
Trump has indicated he will convene a separate "cyber review team" to assess the state of U.S. critical infrastructure. In a video last week explaining his policy plan during those first 100 days, Trump said he would "ask the Department of Defense and the chairman of the Joint Chiefs of Staff to develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks and all other forms of attacks."
As President Obama’s panel of cybersecurity experts prepares to release a list of U.S. strategies for beating back hackers, the cyberdefense program created by the Obama White House for critical infrastructure and its philosophy of voluntary compliance hang in the balance once Trump takes office.
The Framework for Improving Critical Infrastructure Cybersecurity, created by an Obama executive order in 2013 and run out of the Commerce Department, was designed to help companies get their digital houses in order. The focus is on companies tied to the U.S. power grid, transportation systems and other networks many Americans couldn’t live without.
The struggle in the Obama era, however, has always been getting companies to sign onto a government program that aligns industry standards with federal guidelines for tackling cyber intrusions.
The White House has looked for ways to sweeten the deal. It wanted to ensure that one of Obama’s signature cyber efforts didn’t fall flat with executives in the private sector who control the bulk of U.S. critical infrastructure.
Three separate agencies submitted a laundry list of strategies to reward users of the framework. But while the framework itself moved ahead — version 1.1 is due out this winter from the National Institute of Standards and Technology (NIST) — the incentives largely failed to launch.
The administration thought it could attract enough voluntary participants to make a difference and rooted the framework in existing industry best practices, according to a senior U.S. cybersecurity official.
Whether Trump will stay the course with the "market-based" approach or try something new remains to be seen.
Few carrots, no sticks
Today, roughly one-third of critical infrastructure operators use the framework, according to third-party surveys from Tenable Network Security and the research firm Gartner Inc.
It’s still difficult to gauge how the state of U.S. critical infrastructure security has changed under the framework, given its voluntary nature, or whether the Obama administration could have blown more wind into NIST’s sails at an early stage.
"Once the document itself is produced, it just goes out into the world, and who knows what happens next?" said Ryan Ellis, an assistant professor at Northeastern University and an expert in cybersecurity and infrastructure politics. "What can NIST do on its own, absent any incentives, absent any compelling authority coming from other agencies to push adoption?"
In a February 2013 executive order, President Obama directed the Department of Homeland Security, the Treasury Department and NIST’s parent agency, the Commerce Department, to review potential incentives for the framework and report back in 120 days.
The goal, unlikely as it seemed to skeptics at the time, was to build a cooperative system, rather than a punitive one. Where regulations could be the stick, incentives could be the carrot.
The three agencies’ findings ranged from straightforward steps that could be taken under existing authority to incentives that would require legislation or action from the private sector. Each organization relied on its own research, as well as public comments from a range of groups including the National Rural Electric Cooperative Association (NRECA), the Edison Electric Institute and the Internet Infrastructure Coalition.
The Treasury Department raised the possibility of granting framework adopters "safe harbor" from liability following cyberattacks or data breaches. The agency also proposed giving framework users a faster, clearer path to earning a security clearance to receive sensitive cybersecurity intelligence.
DHS suggested that critical infrastructure owners could get expedited assistance from the government if they were on board with the framework — while quickly adding the caveat that "operators in need of incident response support will never be denied assistance based on whether they have adopted it." Homeland security officials also floated the potential to ease rate recovery for cybersecurity investments among regulated industries like interstate natural gas pipeline companies.
The Cybersecurity Information Sharing Act of 2015, signed into law last year as part of a broader spending bill, offered a breakthrough for supporters of the NIST framework by making it easier for companies to share cyberthreat indicators and use government resources without fear of reprisal.
Other would-be bonuses fared less well. The federal government briefly tossed around giving tax breaks to critical infrastructure companies that invested in cybersecurity defenses or cyber research and development. The Commerce Department quickly closed the door on that issue, however, pointing out that "it would be difficult to ensure that tax incentives are sufficient to encourage participation in the program and do not impose undue costs on the federal government."
More incentives were singled out for further study before slipping away into the dustbin. Their fate was at least partly tied to logistics: How could agencies track adoption in order to decide how to dole out rewards?
The Treasury Department once flatly acknowledged that "determining implementation of the framework will be challenging."
Ellis at Northeastern shared in those doubts about the framework’s effectiveness, while noting that he still considers the document to be a "fine effort" with useful cybersecurity guidance for the 16 different sectors considered to be critical infrastructure in the United States, including the nuclear, water, energy and financial services industries.
"The framework is appropriately generic: It’s designed to cover a variety of sectors and a variety of different organizations," said Ellis. "But it’s very hard to call [the framework] a success or a failure without some metric or deeper study to see how it’s been taken up."
‘Natural market forces’
From the outset, federal officials working on the NIST framework made it clear they had no desire to make the guidelines a requirement. They wouldn’t be the same as enforceable cybersecurity standards in the bulk electric power, nuclear and chemical industries.
The framework’s program manager at NIST, Matt Barrett, has long defended the voluntary approach, noting that "we’re big believers in natural market forces."
He said the framework is designed to help organizations find the most cost-effective cybersecurity solutions. "That, in and of itself, is super powerful without any incentive," Barrett said, while noting that it would have fallen on outside parties to pursue incentives anyway.
The voluntary approach also found favor among the private companies that contributed to the framework’s development. Representatives from the bulk electric power sector pointed out that they already face binding cyber standards set through the North American Electric Reliability Corp. and the Federal Energy Regulatory Commission.
The framework’s voluntary nature doesn’t preclude it from being used by regulators or even taken into account by insurance underwriters. (Cyber insurance emerged as another potential incentive area in 2013.)
Suzanne Lightman, senior adviser for information security in NIST’s Computer Security Division, said a December 2015 cyberattack on electric power utilities in western Ukraine, which knocked the lights out to at least a quarter-million people for several hours, has further heightened cybersecurity awareness in the industry.
"The energy sector has certainly changed its priorities in the wake of the Ukraine attack," she said. "It was a comprehensive, multiple-entry attack that did a very effective job of at least temporarily taking down a grid, and they’re still having trouble recovering from it."
NIST’s ‘Art of the Deal’
Version 1.1 of NIST’s framework, its first significant update since 2014, will seek to help organizations address supply-chain vulnerabilities made glaringly apparent in the attack on Ukraine.
The new document may not be published until after Trump takes the oath of office in January.
Barrett said he hopes the incoming administration will consider staying the course with the framework program.
"We consider this framework to be, in many ways, successful — and building on this success is a tried and true kind of management practice," he said. "So we’re hopeful that would be the mentality."
Whether Trump will revive the incentives for pushing adoption of the framework is an open question. But another Obama administration cyber effort could offer a glimpse at Trump’s appetite for incentives.
The president’s Commission on Enhancing National Cybersecurity, a panel of experts convened by Commerce under a 2016 executive action, is preparing to publish a list of concrete steps and strategies for securing cyberspace in the United States, including critical infrastructure.
The commission’s executive director, Kiersten Todt, has indicated that her group will likely pass on recommending a regulatory approach in favor of voluntary actions and encouragement.
"One of the key issues is looking at incentives. That’s something that the commission has been examining from the beginning," she said.
"So we are addressing it in the report," she added. "The ways in which we’ll do that are obviously still being determined and reconciled, but you will see some language looking at that and the importance of human behavior and incentives when it comes to cybersecurity."