None of us in the United States – no family or individual, no industry or business, and no government agency – is immune from the potential devastation that cyber-attacks can wreak. No particular reminder is needed. Each day, our nation’s economic and national security must guard against attack, or the threat of attack, from cowardly villainy at home and, increasingly, abroad. It is all too common that we receive reports of cyber criminals operating their virulent schemes, often safely outside the reach of U.S. authorities, either on their own or with the veiled support of nation states seeking to do grave harm to us and to our assets and resources. The nation’s critical infrastructure remains an especially vulnerable target. Individually and collectively, our power, water, transportation, and communication systems have been characterized by the Department of Homeland Security as “the backbone of our nation’s economy, security and health.”
Recognizing their vital role and vulnerability, Congress has added support for the National Institute of Standards and Technology (“NIST”) to continue leading the effort to help owners and operators effectively manage cybersecurity risks to their critical infrastructure. Congress acted by codifying NIST initiatives as part of a series of cybersecurity-related bills it passed last year. Under the Cybersecurity Enhancement Act of 2014 (the “Act”), NIST is required to further facilitate and support the Cybersecurity Framework, which seeks to implement efficient standards and procedures to reduce cyber risks to critical infrastructure. NIST had already begun this work in response to President Obama’s Executive Order 13636, and released the first version of the Framework on February 12, 2014. The Act also supports cybersecurity research and improves public awareness of cybersecurity issues. As a result, cybersecurity vendors will benefit and be well-positioned to help critical infrastructure owners. For example, cybersecurity vendors will use their expertise to assess the maturity level of an organization’s current cybersecurity, such as its employee training and incident response plans, and to enact a plan of action. Under the Framework, manufacturers in all industries are expected to bolster their defenses against cyber threats.
The Act directs NIST to continue collaborating with industry and government to develop the Framework. It requires the Director of NIST to draw on a wide range of industry expertise and to work with U.S. and international agencies to arrive at the optimal approach. The Act’s Framework is intended to encourage owners and operators of critical infrastructure to make use of information security measures to identify, assess, and manage cyber risks. Participation in the Framework continues to be voluntary, and no regulation is added. To encourage private sector participation, the Act prohibits federal, state, tribal, and local agencies from regulating the activity of any entity or diverting information outside the program.
To further prepare for future cybersecurity challenges, the Act also directs federal agencies to develop a cybersecurity plan and to update it every four years. Another key feature is guidance on the overall direction of cybersecurity research: the Act adds to the National Science Foundation’s research and development grant areas, including network communications protocols, software engineering, secure wireless networks, mobile devices, and cloud infrastructure.
Finally, the Act enlists people in the private sector to carry out IT security duties and encourages cybersecurity innovations. National cybersecurity awareness and education programs are mandated to continue under NIST. The target audience for these new cybersecurity best practices is intentionally broad: individuals, small to medium-sized businesses, educational institutions, and state, local, and tribal governments. In light of the magnitude and commitment of the program, public awareness and understanding should improve, and, it is hoped, the harrowing threats and damage to our nation’s critical infrastructure will be significantly reduced.