NIST seeks input on cybersecurity framework

Starting tomorrow, July 10th, in San Diego, the National Institute of Standards and Technology (NIST) will host the third, and perhaps most important, in a series of workshops aimed at developing a voluntary comprehensive cybersecurity framework that will apply across sixteen critical infrastructure sectors.

Mandated by an Executive Order (EO) issued by President Obama on February 12, 2013, the NIST-developed framework represents the first time the federal government has sought to prescribe a wide-ranging approach to protecting critical cyber assets, a tough task that has been characterized by Department of Homeland Security Secretary (DHS) Janet Napolitano as an "experiment." The framework must be accomplished in preliminary form by October and finalized by February 2014.

[Related: Don't underestimate presidential executive order]

During the San Diego workshop, NIST will for the first time delve into details of the emerging framework, which is based on two earlier workshops as well as formal comments NIST received in response to a public notice. To speed things along ahead of the workshop, NIST has issued three reference materials -- a draft outline of what the framework might look like, a draft framework "core" that focuses on key organizational functions and a draft compendium that features existing references, guidelines, standards and practices.

Based on the recommendations of industry commenters, NIST has placed a large emphasis in the draft framework on reaching the very senior levels of management, including CEOs and boards of director. Top "officials are best positioned to define and express accountability and responsibility, and to combine threat and vulnerability information with the potential impact to business needs and operational capabilities" NIST states in the draft outline.

This focus on top executives has not surprisingly been praised by industry participants.

"Cybersecurity is just not a technological problem," Jack Whitsitt, Principal Analyst of energy industry cybersecurity consortium EnergySec said. "This is a business management, business maturity problem. People build what you tell them to build, people build what you fund them to build. Unless we do a better job at the business side of cybersecurity, the problems won't go away."

Many cybersecurity experts say that reaching that top level of management is one of the biggest challenges to ensuring adequate cybersecurity protection of critical assets. CEOs, they say, typically engage in "cybersecurity theater," implementing hollow programs that only pay lip service to the issues.

"The reality is that most of the CEO's are relying on their trade organizations to 'fix the problem' for them," one top cybersecurity consultant said. "And the trade organizations are one of the loudest voices in the echo chamber convincing themselves that this is all just a bunch of low-probability hype and a stepping stone to more regulation."

Another challenge, at least so far as a federal framework is concerned, is the division of responsibilities among government agencies as spelled out in the EO and accompanying Presidential Policy Directive (PPD). For example, DHS has been assigned a number of tasks under the EO that seem to relate to the framework, such as defining what constitutes critical infrastructure.

Some asset owners have suggested that there are too many moving parts in the overall cybersecurity landscape and have noted rising tensions between NIST, an arm of the Commerce Department, and DHS.

"NIST and DHS aren't doing a good job in deciding how this is going to work," one expert noted.

But one senior government official overseeing the process said that many cybersecurity efforts in the EO and PPD just aren't relevant to how the framework gets developed.

"The framework is supposed to work for the widest range of industries" and therefore it doesn't matter how critical infrastructure gets defined, for example.

"DHS is making the decision that has no bearing on this framework," he said, adding that it is likely that the list of critical infrastructure assets won't be made public anyway.

Yet another challenge is the degree to which the framework process is being shaped by technology vendors and consultants, who far outnumber asset owners in the workshop meetings held to date. Although NIST wants to bake-in cybersecurity through vendor-supplied technology, thereby ensuring that even small organizations which lack resources to pay cybersecurity specialists are guaranteed basic protection, some asset owners balk at being force-fed technology that may better fit vendor agendas than their own safety. One telecom cybersecurity specialist said he wished that NIST would separate asset owners from vendors and consultants in the workshop sessions.

Despite these challenges, most of the participants in the process believe that NIST is on track and that the draft framework materials released for the July workshop meet expectations. However, the real action will take place at the workshop as NIST go into greater detail on where they're headed with the framework.

With only about three months left to meet the October deadline, most of the key players are taking a wait-and-see attitude, hoping to gain a better sense of the situation until after the workshop in San Diego. As one telecom industry representative said "we have to see whether this whole process has the result we're looking for, which is to improve our cybersecurity posture, and not some feel-good government exercise."

Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Cynthia Brumfield

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place