Critics say the White House's voluntary plan for a “cybersecurity framework” released Wednesday is toothless without incentives for firms to comply with the blueprint for dealing with potential attacks.
The new framework is part of an executive order that President Obama issued exactly one year ago, after cybersecurity legislation failed in Congress. Members of both the government and the private sector spent that time drafting several versions of the plan.
Writing guidelines for "cybersecurity" as a whole is, however, a broadly defined task. The final 41-page document is essentially a set of best practices that companies, banks and infrastructure operators can use to mitigate cyber risk, organized around five core functions: identify, protect, detect, respond and recover.
The plan presents considerations in each category, and suggestions for improvement. The framework's creators say that flexibility is the only way such a document can work.
"It's sort of a 'Choose Your Own Adventure,'" said Jeff Greene, senior policy counsel at security software maker Symantec, who was one of eight CEOs involved in the plans to draft the framework. "It's a flexible way to help companies assess their own cybersecurity situation. It says, here are some possible options ... or go ahead and find the best path for you."
But companies aren't forced or compelled to follow any kind of path, critics pointed out. Obama's February 2013 order called for the framework to include some sort of incentive as part of the program, but the plan doesn't provide for that -- and it would likely need to come from formal legislation.
"When you're asking companies to spend money to keep their lights on, or spend it on cybersecurity, you can guess what wins every time," said Nathan Sportsman, CEO of security firm Praetorian. "Without offering a tax break for compliance, or [levying] a fine to those who don't follow it, you're not going to change behavior."
And the cost of inertia can be great. In the year since Obama issued his executive order, several retailers including Target suffered high-profile data breaches. A major attack on services related to the nation's critical infrastructure would be even more devastating.
Greene, the Symantec counsel, insisted that the framework wasn't intended to fix those kinds of issues; instead, he said, it's meant to "break down the risks and the processes, in plain English," for companies of all sizes.
"People laugh when I say this, but the framework is just that: a framework," Greene said. "These criticisms about incentives and force would be valid if it were intended to be law. But it's not legislation, or a set of controls, or a checklist."
There is value in that setup, said John Michener, chief scientist at Casaba Security.
"I find it valuable, and people who read it can certainly use it to build their knowledge and their processes," Michener said. "Of course, it can only affect the people who are paying attention. So I think it could make a minor difference around the edges."
Sportsman -- who has helped write other security-related government frameworks in the past -- understands the intent of the framework. What he doesn't understand is the point of it.
"We don't need yet another framework; this framework references other frameworks," Sportsman said. "We know how to think about cybersecurity issues already. What we need is carrots and sticks."
It's unclear whether Capitol Hill will create those provisions that Sportsman and his fellow critics want.
Obama said in a statement on Wednesday: "While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity."
Overall, said Casaba's Michener, the White House's framework "adds to the body of documents of guidance, and that is always helpful."
All parties seem to agree that a single framework is far from a one-stop solution, but the cybersecurity threat keeps growing while they tussle over the best fix.