Starting tomorrow, July 10th, in San Diego, the National Institute of Standards and Technology (NIST) will host the third, and perhaps most important, in a series of workshops aimed at developing a voluntary comprehensive cybersecurity framework that will apply across sixteen critical infrastructure sectors.
Mandated by an Executive Order (EO) issued by President Obama on February 12, 2013, the NIST-developed framework represents the first time the federal government has sought to prescribe a wide-ranging approach to protecting critical cyber assets, a tough task that has been characterized by Department of Homeland Security Secretary (DHS) Janet Napolitano as an "experiment." The framework must be accomplished in preliminary form by October and finalized by February 2014.
During the San Diego workshop, NIST will for the first time delve into details of the emerging framework, which is based on two earlier workshops as well as formal comments NIST received in response to a public notice. To speed things along ahead of the workshop, NIST has issued three reference materials -- a draft outline of what the framework might look like, a draft framework "core" that focuses on key organizational functions and a draft compendium that features existing references, guidelines, standards and practices.
Based on the recommendations of industry commenters, NIST has placed a large emphasis in the draft framework on reaching the very senior levels of management, including CEOs and boards of director. Top "officials are best positioned to define and express accountability and responsibility, and to combine threat and vulnerability information with the potential impact to business needs and operational capabilities" NIST states in the draft outline.
This focus on top executives has not surprisingly been praised by industry participants.
"Cybersecurity is just not a technological problem," Jack Whitsitt, Principal Analyst of energy industry cybersecurity consortium EnergySec said. "This is a business management, business maturity problem. People build what you tell them to build, people build what you fund them to build. Unless we do a better job at the business side of cybersecurity, the problems won't go away."
Many cybersecurity experts say that reaching that top level of management is one of the biggest challenges to ensuring adequate cybersecurity protection of critical assets. CEOs, they say, typically engage in "cybersecurity theater," implementing hollow programs that only pay lip service to the issues.
"The reality is that most of the CEO's are relying on their trade organizations to 'fix the problem' for them," one top cybersecurity consultant said. "And the trade organizations are one of the loudest voices in the echo chamber convincing themselves that this is all just a bunch of low-probability hype and a stepping stone to more regulation."
Another challenge, at least so far as a federal framework is concerned, is the division of responsibilities among government agencies as spelled out in the EO and accompanying Presidential Policy Directive (PPD). For example, DHS has been assigned a number of tasks under the EO that seem to relate to the framework, such as defining what constitutes critical infrastructure.
Some asset owners have suggested that there are too many moving parts in the overall cybersecurity landscape and have noted rising tensions between NIST, an arm of the Commerce Department, and DHS.
"NIST and DHS aren't doing a good job in deciding how this is going to work," one expert noted.
But one senior government official overseeing the process said that many cybersecurity efforts in the EO and PPD just aren't relevant to how the framework gets developed.
"The framework is supposed to work for the widest range of industries" and therefore it doesn't matter how critical infrastructure gets defined, for example.
"DHS is making the decision that has no bearing on this framework," he said, adding that it is likely that the list of critical infrastructure assets won't be made public anyway.
Yet another challenge is the degree to which the framework process is being shaped by technology vendors and consultants, who far outnumber asset owners in the workshop meetings held to date. Although NIST wants to bake-in cybersecurity through vendor-supplied technology, thereby ensuring that even small organizations which lack resources to pay cybersecurity specialists are guaranteed basic protection, some asset owners balk at being force-fed technology that may better fit vendor agendas than their own safety. One telecom cybersecurity specialist said he wished that NIST would separate asset owners from vendors and consultants in the workshop sessions.
Despite these challenges, most of the participants in the process believe that NIST is on track and that the draft framework materials released for the July workshop meet expectations. However, the real action will take place at the workshop as NIST go into greater detail on where they're headed with the framework.
With only about three months left to meet the October deadline, most of the key players are taking a wait-and-see attitude, hoping to gain a better sense of the situation until after the workshop in San Diego. As one telecom industry representative said "we have to see whether this whole process has the result we're looking for, which is to improve our cybersecurity posture, and not some feel-good government exercise."
Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.