Dean Garfield, Cameron Kerry, Patrick Gallagher and Ian Wallace discuss cybersecurity framework at the Brookings Institution. Photo by Jessica Floum

WASHINGTON — Successful implementation of the Obama administration’s framework to reduce cyber threats relies on companies’ willingness to adopt the guidelines and spend money beefing up cyberdefenses, a panel of industry and government experts said Wednesday.

“The most powerful force driving adoption are the companies themselves,” said Patrick Gallagher, director of the National Institute of Standards and Technology, the agency responsible for drafting the cybersecurity framework. But the costs of implementing stronger risk protections could make the framework less attractive to the private sectors, some analysts warned during the Brookings Institution event.

The framework – released last week – outlines a process to raise cybersecurity levels and to promote sharing of information about cyber threats within the private sector.

“The framework is a living document,” Gallagher said, that has the flexibility to evolve.

The evolving nature of the framework is meant to align with business practices and companies’ risk management in a fast-changing technological landscape, he said.

The framework’s standards and implementation plan show promise in the private sector, said Dean Garfield, CEO of Information Technology Industry Council. The risk management aspect has even piqued the interest of the insurance sector, Gallagher said.

However, the cost of information sharing may cause tension between the benefits of a framework and business interests, Garfield said. He referred to the high costs of implementing new security measures and installing now technology. This cost, along with information sharing between usual contenders, could undermine competition.

“There is a role Congress could play in enforcement,” he said.

“On the day the framework was released, we got calls from Congress saying, ‘This is a positive step forward. How can we help?’”

While implementation of the framework falls on companies, setting standards for information sharing practice will likely come down to legislation.

“[Congress] is going to be one of the most active players in working with companies to try to put this into practice, and in making sure we don’t have some unnatural, avoidable barriers,” Gallagher said.