Efforts to bolster the nation's cybersecurity will hinge on the willingness of financial firms, utility operators and other owners of critical infrastructure to share information about threats.
That is the message an Obama administration official delivered Wednesday amid a series of steps by the government to adopt a framework to reduce cyber risks.
An executive order the President issued in February gives the government eight months to map out a preliminary standard and guidelines for protecting critical infrastructure that cuts across industries.
As part of the push, the National Institute of Standards and Technology in February gave the public until April 8 to answer a series of questions about digital security risks and practices for addressing them.
"I can't emphasize this enough — the success of this effort is largely dependent on industry involvement," Deputy Secretary of Commerce Rebecca Blank told attendees Wednesday at a workshop convened by her department to review expectations for the framework among representatives of varied industries. "You are the ones who can help empower owners and operators of critical infrastructure — and others — to make the best possible decisions in cybersecurity.
"The long-term goal is to develop a living framework that adapts as the risks 'out there' change, and that relies on industry-developed standards to help businesses and organizations know when and where they might be behind the curve," added Blank, who said that "constant awareness" of changing threats and advances in defending against them "must become the norm."
In March, the Commerce Department asked the public to comment by April 29 on what incentives might spur companies to support the framework, including whether particular industry sectors or companies lack sufficient incentives to invest in cybersecurity and the best ways to encourage businesses to make those investments.
"I'm sure that we will get comments in areas ranging from tax incentives to liability protections, and much more," Blank said.
In its call for comments, NIST asked organizations to detail current cybersecurity practices and what they view as roadblocks to improving them. The agency also asked commenters to define cybersecurity risk, to explain the extent to which firms incorporate such risks into company-wide management, and to share what parts of companies' security depend on other efforts by firms in other sectors.
Commenters who have weighed in have surfaced a series of points. Cybersecurity measures must be easy to obtain, understand and share, according to Steven Dougherty, a global cybersecurity leader at IBM, and Andy Bochman, who advises utilities about security for the computing company, in comments filed March 19.
Digital security firm RedSeal Networks stresses what it sees as the need for companies to be on the lookout for cyber threats. "Transactions and controls must be monitored constantly if the best possible risk-based assessments of the effectiveness of compliance methods are to be made," Parveen Jain, RedSeal's chief executive, wrote in comments filed Monday.
Companies should be required to encrypt their networks, according to Certes Networks, a digital security firm. "Given the known vulnerabilities, the ease with which they can be exploited, and the consequences of a breach, mandatory adoption of network encryption (even over so-called private networks) is warranted," the company wrote in comments filed March 28.
Doug Stoneman of Velocity Partners Security & Compliance says that many companies rely solely on technology to safeguard their networks instead of enshrining the technology as part of a process. Barriers within firms can undermine security as well, according to Stoneman. "For whatever reason one chooses, there is a divide between the information technology departments and the security departments and it makes using a framework to enhance cybersecurity impossible," he wrote in comments filed March 28.