The government shutdown may have delayed the long-awaited preliminary draft of the National Institute of Standards and Technology cybersecurity framework, mandated by President Barack Obama’s February cybersecurity executive order, but it hasn’t prevented security experts from raising significant concerns about the framework’s treatment of privacy.
A preliminary framework was due to be issued Oct. 10 ahead of a mandatory public comment period and a final release in February 2014. But the delay caused by the government shutdown may have been a blessing in disguise, according to several cybersecurity experts. The framework’s privacy appendix, they say, requires a lot more study and clarification. In fact, one expert has argued the privacy appendix may actually undermine the security standards the framework is supposed to help establish.
“Not one of these quasi-requirements has anything to do with the objectives of the executive order,” writes Stewart Baker, a partner in the Washington office of Steptoe & Johnson LLP and a former general counsel at the National Security Agency. “But they have everything to do with smuggling comprehensive privacy regulation into a cybersecurity initiative.”
The framework’s privacy appendix, according to Baker, who writes a regular blog on cybersecurity policy, “actually creates a tough new privacy requirement for industry by smuggling the Fair Information Practice Principles into the law. In doing so, it clearly goes beyond the scope of the cybersecurity executive order, which is focused on protecting critical infrastructure.”
The Federal Trade Commission’s Fair Information Practice Principles are recommendations for maintaining privacy-friendly, consumer-oriented data collection practices. And while they are not themselves enforceable by law, the FTC can use its authority under the FTC Act to enforce promises corporations make in their privacy policies.
The danger with the NIST framework’s privacy appendix, Baker argues, is that the language shifts from recommendations to regulatory mandates governing privacy protections. That shift, he says, will translate into higher costs and a temptation for those who agree to abide by the framework to focus on privacy compliance instead of security measures, which he calls a “net loss” for cybersecurity.
“If the NIST framework keeps this appendix, the FTC and every other regulator in [Washington, D.C.] will have plenty of top cover to impose the Fair Information Practice Principles on the private sector,” Baker said. “Taken literally, the principles are either fatally ambiguous or impossible to fully comply with, leaving privacy bureaucrats with authority to impose harsh penalties on anyone they choose.”
Peter Allor, a cybersecurity strategist for IBM Federal and a board member of the Forum for Incident Response and Security Teams, known as FIRST, agreed that many questions remain to be answered about the framework’s privacy appendix.
“There’s a lot of concern there. Privacy has been mentioned but not well discussed,” Allor said, speaking Oct. 16 at a panel discussion hosted by the Industrial Control System Information Sharing and Analysis Center. “What does it really mean? I don’t think we fully understand yet. Just like we don’t fully understand the definition of a critical infrastructure, because that hasn’t been defined either.”
Larry Castro, a managing director at The Chertoff Group and a 44-year veteran of NSA, characterized the framework’s privacy appendix as a “wildcard” in the future development of effective cybersecurity information sharing between the government and the private sector.
The framework’s privacy appendix “needs to be looked at very, very carefully,” Castro said. And while the framework is voluntary, “one can’t have it both ways. You can say I’ll participate and abide by the requirements of the framework but not pay heed to the privacy protections that are inherent in it,” he said.
“The biggest security cost enterprises will ever face is the cost of dealing with a breach of customer data,” said John Pescatore, director of emerging security trends at SANS Institute. “The costs of failing to be compliant or worrying about mythical lawsuits are small in comparison. The reality is there is no such thing as security without privacy. All those breaches making the news are good examples of companies that focused too much on compliance and not enough on privacy, and thus were not secure.”