Obama, CEOs Meet on Cybersecurity Framework
Meeting Coincides with Call for Public Comments
As the National Institute of Standards and Technology began accepting public comments on the preliminary version of a cybersecurity framework on Oct. 29, President Obama met with a group of chief executives from information technology, financial services and energy companies to discuss efforts to improve the cybersecurity of the nation's critical infrastructure.
The conversation between the president and business leaders, held in the White House Situation Room, focused on how to encourage adoption of the cybersecurity framework, slated to be finalized in February. Participants discussed the need for framework adoption by companies that support the nation's critical infrastructure and by their suppliers. They also discussed the difficulties involved in helping small and medium-sized businesses adopt the framework's recommended IT security best practices, according to a White House statement.
"The companies that met with the president were among those that worked most closely on the framework," says White House Press Secretary Jay Carney. "And this meeting is part of the administration's ongoing dialogue with the private sector on cybersecurity, which is an issue, as you know, that has received a great deal of attention from the president and the rest of the administration because it is of such great importance to our national security and to our broader interests."
Sharing Information, Protecting Privacy
Companies and government officials also expressed the strong desire to have Congress pass information sharing legislation that protects privacy and civil liberties, the statement says.
Information-sharing legislation has stalled in Congress because of disagreement over whether the Cyber Intelligence Sharing and Protection Act, passed earlier this year by the House, goes too far in providing liability protection to businesses that share cyberthreat information (see House Handily Passes CISPA). Also, some senators, backed by a White House that has threatened a presidential veto, believe the House-passed CISPA bill fails to provide sufficient transparency to protect privacy and civil liberties when information is shared among government agencies, a contention the House sponsors dispute (see Cybersecurity Legislation: What's Next?).
One of the attendees at the Oct. 29 White House session, Joseph Rigby, chief executive of Pepco Holding, an energy distribution company, says his firm will voluntarily adopt the framework. But he says the company will seek approval from state regulators to incorporate the costs of adopting the framework's recommended best practices in the rates it charges customers.
Speaking with One Voice
"It is important that the federal government and the states speak with one voice on cybersecurity and support the recovery of the costs of protecting critical infrastructure and information against the perpetrators of cyber-attacks," Rigby says in a statement issued after the meeting with Obama. "We expect these expenses to continue to rise as standards evolve and new threats arise."
Besides Rigby, Obama met with Ajay Banga, CEO of MasterCard; Steve Bennett, CEO of Symantec; Wes Bush, CEO of Northrop Grumman; Marilyn Hewson, CEO of Lockheed Martin; Renée James, president of Intel; Brian Moynihan, CEO of Bank of America; and Charles W. Scharf, CEO of Visa. Carney says senior administration officials and National Security Council staff attended the meeting.
NIST announced that the 45-day public comment period for the preliminary cybersecurity framework began Oct. 29. NIST Director Patrick Gallagher says that more than 3,000 individuals and organizations have submitted suggestions on the content of the framework through comment periods on earlier drafts and at NIST-sponsored workshops. NIST will hold its final workshop, which will focus on the framework's implementation and future governance, on Nov. 14 and 15 at North Carolina State University in Raleigh (see NIST Issues Preliminary Cyber Framework).
Obama last February signed an executive order calling for the federal government, working with the private sector, to develop the cybersecurity framework of best IT security practices that industry could voluntarily adopt. The framework is scheduled to be published this coming February (see Obama Issues Cybersecurity Executive Order and Cybersecurity Framework: Making It Work).