Export Compliance Daily is a service of Warren Communications News.
Moving to Final Draft

NIST Cybersecurity Framework Should Specify Business Objectives, Say Industry Representatives.

As the National Institute of Standards and Technology’s cybersecurity framework moves toward a final draft, the government should focus on providing incentives for, not regulating, its adoption, and translating its recommendations into business objectives, said speakers on a Center for Strategic and International Studies panel Thursday. All said the framework was a good first step and the right building block for creating cybersecurity best practices.

“The framework should be seen as an enabler” for industry, said Paul Kurtz, chief strategy officer at CyberPoint International, which creates cybersecurity strategies for companies. The framework’s language of “identify, detect, protect, needs to be transplanted into business objectives and risks,” said former longtime Defense Department executive Robert Butler, now chief security officer for data center technology company IO. The framework is intended to be flexible and help the market adopt other industry cybersecurity standards, said NIST Senior Information Technology Policy Advisor Adam Sedgewick. NIST received 300 to 400 specific cybersecurity standards recommendations while drafting the framework, he said, and “part of the work of NIST is to really help the market with those and create something where those other standards can be fit in for organizations that choose to use them because it’s proven effective to help them manage their risk.”

NIST released the preliminary version of its cybersecurity framework in October (CD Oct 23 p1). The public comment period on that version closes Dec. 13. Thus far the privacy and civil liberties section has been a main focus of the revision conversation (CD Nov 15 p7). But NIST has received only “a handful of comments,” Sedgewick said. “I expect them all to come in Thursday and Friday at 4:58 if history has anything to say about it,” he said.

Thursday’s panel took a “next steps” look at the framework. Sedgewick said NIST plans to include in February’s final draft “a road map for future action.” The framework is an effective way to “look at the existing capabilities and elevate those that are useful,” he said. But the final draft will also answer questions such as, “How do we get these capabilities into the hands of people who can work on them?” and “What are the next things we need to work on?”

The framework can be forward-looking only if it’s a “threat-driven document,” Butler said. Sedgewick pointed to several initial “threat models” NIST released in August “saying if this is what you're trying to protect, here’s how you can use the framework.” Panelists cited a variety of rising threats to critical industries. Spear-phishing, insider threat and a newer form of credential theft called “pass the hash,” where a login credential is used to move laterally within a network or escalate the privileges of the account, all concern Angela McKay, Microsoft principal security strategist for global security strategy and diplomacy. Small groups of “hackers for hire” by anyone from nation states to terrorist groups will be more prominent, Kurtz predicted. Longstanding unpatched vulnerabilities remain the biggest threat, said former Homeland Security Deputy Secretary Jane Holl Lute, who recently launched the Council on CyberSecurity, which she said promotes the adoption of basic “cyber hygiene.”

The framework can help businesses deal with such risks by expanding its “risk management areas,” said Craig Rosen, chief information security officer at FireEye, which works on protecting companies from targeted cyberattacks and sponsored the panel. The framework could help define different levels of maturity and explain to companies, “What are the things I can do to get me to that level?” The framework references documents that lay out maturity levels, he said, but NIST should consider rolling them into the actual framework.

But the framework isn’t “necessarily dynamic enough to deal with” some advanced threats, McKay said. That’s why it’s important to delineate exactly “what the framework is and what it is not,” CyberPoint’s Kurtz said, so policymakers don’t turn it into legislation covering all cyberthreats. Sedgewick believes “there’s a lot of place for legislators to help” people understand exactly what purpose the framework serves. He pointed to the Cybersecurity Act from Sens. Jay Rockefeller, D-W.Va., and John Thune, R-S.D., which would authorize NIST to work with industry to develop cybersecurity guidelines and best practices based on the NIST framework (CD July 31 p1). The bill was voted out of the Senate Commerce Committee this summer, but has not reached the floor for a vote. (cbennett@warren-news.com)