One year ago today, the National Institute of Standards and Technology released the Framework for Improving Critical Infrastructure Cybersecurity — a set of voluntary guidelines designed to help raise the level of cybersecurity preparedness across the widest possible cross-section of industry and government.
The framework, as it is called, will be the main topic of discussion Friday as President Barack Obama meets with industry executives at the White House Summit on Cybersecurity and Consumer Protection in Palo Alto, California. But as the nation grapples with a growing number of massive data breaches and fears that vulnerabilities in cyberspace could pose a significant threat to national security, questions remain about the framework’s effectiveness to date and its ability to have a positive impact in the future.
Those who consider the first year of the framework to be a success point to its ability to raise the cybersecurity conversation to the boardroom level at major corporations and critical infrastructure providers. The real strength of the framework, they argue, is in its ability to raise awareness of cybersecurity threats and to provide a common set of guidelines to help companies improve their basic cybersecurity hygiene and more effectively manage risk.
“NIST’s cybersecurity framework has very much succeeded,” said Gregory Nowak, principal research analyst at the Information Security Forum. “Most importantly, it has documented a set of control objectives, which can be read as a definition of cybersecurity — a term which has always been somewhat vague. It has created a common language for cybersecurity, where there previously was none. Secondly, it has started a national conversation about cybersecurity and the control measures necessary to improve it.”
Just the publication of such a framework should be considered “a partial success,” said Rich Thompson, deputy chief information security officer and director of the cybersecurity practice at Carpathia Hosting. “But we will need to see measured results sooner [rather] than later in order to declare its degree of overall success,” Thompson said. “With the framework only voluntary, as we have seen in the past, it is likely to be in the aftermath of the next big attack where a proper amount of focus will be given.”
And that’s exactly what skeptics of the framework say will be the real catalyst of change in national cybersecurity — more massive data breaches followed by costly class-action lawsuits. For these experts, the framework is a watered-down checklist that lacks substance and relies upon an inherently weak voluntary compliance structure that is nearly impossible to measure and verify.
During a Feb. 4 hearing of the Senate Commerce Committee, Ann Beauchesne, vice president of the U.S. Chamber of Commerce’s National Security and Emergency Preparedness Department, told lawmakers that efforts are still underway to raise awareness of the framework. “We’re still socializing it,” Beauchesne said. But when asked what percentage of the Chamber’s membership had actively adopted the framework, Beauchesne could not answer.
FedScoop reached out to Beauchesne for clarification, but a spokesperson said she was unavailable.
Reaction and challenges
Tom Kellermann, the chief cybersecurity officer at TrendMicro, took aim at what he characterized as the negative influence of the U.S. Chamber of Commerce on the broad adoption of cybersecurity standards and regulations. “They have been the number one obstacle for improvement of cybersecurity standards and regulations,” Kellermann said, referring to the Chamber’s lobbying effort to prevent the introduction of new regulations.
Bob Dix, vice president of global government affairs and public policy at Juniper Networks, praised the framework effort for what it did in terms of raising awareness, but said industry would benefit from more concrete guidance.
“Over the past year, the actual audience targeted for utilization of the framework seems to be undefined,” Dix said. “Notwithstanding the series of road shows that have been conducted by various government and industry groups over the past year, knowledge and awareness of the framework remains spotty, and understanding of what it is and how it should be utilized remains elusive.”
Morey Haber, senior director of program management at BeyondTrust Inc., agreed that there’s been a lack of traction in terms of the framework moving beyond a conversation starter. “As a vendor, with steady communications to the federal sales team, I have not had one client request how our solutions can help with compliance to the framework,” Haber said. And while that doesn’t mean it’s been a failure, it does point to the framework’s inability to translate to practical measures.
That lukewarm reception stems from the desire of the framework’s architects to craft a consensus document at almost any cost, Kellermann said. “This is merely a voluntary standard that was watered down by public comment. Voluntary fire codes don’t work, especially fire codes that are based on consensus instead of best-of-breed risk management. The big companies have been towing the Chamber of Commerce’s line that we don’t need any kind of regulation, we don’t need modernization of authorities and we sure as hell don’t need any increased expenses or costs associated with providing robust security around our services.”
Still, Kellermann gives the framework high marks for shifting the cybersecurity conversation away from technology solutions and toward risk management. And one of the major impacts of this is likely to be seen first in the insurance industry.
“The way the framework will be used is less about the checklist and more about underwriting the risk the company faces,” Paul N. Smocer, president of the technology policy division of the Financial Services Roundtable, said during the Feb. 4 Senate hearing. “What the framework does is it provides a really good risk framework that is understandable from the boardroom to the operations floor and, therefore, the insurance companies may see this potentially as an opportunity to say ‘this is the tool that we’ve been looking for to give us some standard underwriting guidance and be able to figure out our premiums and risk scenarios.'”
Kellermann agreed. “I’m a huge believer in cyber insurance being a driver [of risk management], but it needs to either be mandated by law, by contract or it will be the result of successful class-action lawsuits that will come after organizations who didn’t even implement the basic best practice which is the framework as it exists today,” he said.