Export Compliance Daily is a Warren News publication.
No ‘One Size’

Cross-Sector Flexibility, Industry Involvement Key to Cybersecurity Framework, Tech Industry Tells NIST

The U.S. critical infrastructure cybersecurity framework “must be flexible enough to balance the goals of both the government and the private sector in protecting the nation’s critical infrastructure, as well as the ability of private sector entities to meet the needs of their customers,” Microsoft told the National Institute of Standards and Technology (NIST) in comments released Tuesday (http://1.usa.gov/12EBU1F). President Barack Obama’s February cybersecurity order directed NIST and the Department of Homeland Security (DHS) to collaborate with U.S. companies to develop the framework, a voluntary set of cybersecurity standards and best practices. NIST began that process with an open request for information (RFI) seeking initial industry input; comments were due Monday. Other major tech industry players also emphasized the need for a flexible framework that could evolve with time, and that industry participants would need to drive the framework’s development for it to be successful.

The framework will need to take into account how government and industry typically view critical infrastructure cybersecurity, Microsoft said. The government “tends to look at critical infrastructure as a monolithic collection of systems and services,” while industry “looks at core elements within its direct control or its contractual obligations to deliver services,” Microsoft said. If the government focuses too much on high-impact -- but low probability -- threat scenarios, the framework could include “requirements and compliance obligations that may not necessarily improve cybersecurity for critical infrastructure or private sector enterprises,” Microsoft said. The framework should be based on six foundational principles, Microsoft said -- risk-based, outcome-focused, prioritized, practicable, “respectful of privacy and civil liberties” and globally relevant. It should also include a cohesive risk assessment and risk management structure, Microsoft said.

Microsoft said its experience has shown there are four key global cyberthreats -- cybercrime, economic espionage, military espionage and cyberconflict. The federal government will need to “ensure that the Framework addresses the most critical threats and enables the best defenses against those threats,” Microsoft said. The framework will need to take “potential avenues for attack and exploitation” into account, as well as threat actors’ motivations and capabilities, and key assets and information that could be targeted, Microsoft said.

Cisco Systems said a cross-sector framework will need to function while also maintaining “flexibility, agility, and innovation across different types of infrastructure, architectures, and business models -- while at the same time recognizing and respecting the significant differences between and within the different sectors.” The framework will also need to be iterative and flexible enough to “allow best practices to evolve over time to meet those changing threats,” Cisco said. The framers will also need to ensure the framework focuses on “thoughtfully applied security” and to structure practices in a way that allows for sector-specific use, Cisco said. “One size does not fit all” in cybersecurity practices, but there are likely to be common themes that emerge over time, Cisco said (http://1.usa.gov/10QQKeW).

Cross-sector standards need to rely on consistent security ecosystem approaches, Level 3 Communications said. “Inconsistency in vendor security model approaches, or complete lack of [sic], requires the industry to customize and invent their own implementation solutions, if they have the capacity to even do so,” Level 3 said. “This causes a breakdown of security in the supply chain for providing and implementing security controls for deployed technology, making ‘standards’ much different in implementation depending upon the maturity of the vendor platform being deployed and adopted.” Adoption of security automation protocols like CVE and OVAL, as well as other protocols like CMSS, SWSS and CVRF, is “key to building consistency in vendor solutions that allow a more refined security maturity model that can be normalized across sectors,” Level 3 said. Improving cybersecurity practices will revolve around advanced cybersecurity research that focuses on threat mitigation and vendor adoption of industry standard security models, Level 3 said (http://1.usa.gov/149mx2e).

Critical infrastructure providers need to “understand any gaps that may exist between their [Compliance Driven Security] postures and the current ‘threatscape,’” VeriSign said. “A critical inspection of such gaps, perhaps, could identify would-be requirements that might be imposed on critical infrastructure and providers.” While CDS is an “important component of the overall security posture needed for cyber infrastructure ... we also feel that it should not be mistaken for a solution” to current and future cyberthreats, VeriSign said. The gap between CDS and Intelligence Driven Security (IDS) continues to grow as attackers’ tactics evolve, VeriSign said. Since the size of that gap remains unclear, “creating a framework to track and describe emerging threats would be a very useful first-step,” the company said. “It is our belief that a structured vehicle that could facilitate providers’ abilities to continually quantify the gaps between CDS and IDS, and which could inform information sharing efforts, would be invaluable in shaping future security frameworks and practices” (http://1.usa.gov/10R8YPV).

CTIA said any NIST-led framework should be “performance-based, industry-led, and internationally harmonized.” To remain flexible, the framework should remain industry-driven and avoid “technical or operational mandates,” CTIA said. Industry participants can create workable performance-based goals and scalable implementation, the group said. While agencies can help the industry formulate goals, they should not direct the discussion. While NIST has a lot to offer in the coming framework development process, its work “may be constrained because companies may be reticent to publicly share security information, and because policy-makers’ goals are not yet clear,” CTIA said (http://1.usa.gov/XBxEy4).

The Telecommunications Industry Association (TIA) said NIST and other agencies can help leverage public-private partnerships to address current and emerging threats, and should continue efforts to stimulate additional threat information sharing between the government and industry. The federal government can also aid in funding cybersecurity efforts by addressing “economic barriers” critical infrastructure operators face in addressing security issues, and by prioritizing funding for ICT and cybersecurity research and development, TIA said. While government has an important role to play, industry will need to be the one to set and adopt the framework, TIA said.