Adoption, privacy biggest topics as NIST cybersecurity framework nears February deadline

The National Institute of Standards and Technology (NIST) held a fifth workshop in Raleigh, North Carolina last week on the comprehensive, preliminary cybersecurity framework mandated under President Obama's February 2012 executive order, the last such gathering before the framework becomes final in February.


NIST's goals for this previously unscheduled workshop were to solicit further feedback from the hundreds of cybersecurity specialists, attorneys, policymakers and government employees in attendance and offer guidance on what lies ahead in applying and updating it.

Most of the attendees were pleased with how rapidly the framework, intended to improve cybersecurity across sixteen critical infrastructure industries, moved from concept to sophisticated model in less than a year. But a number of perceived problems still surround the framework's usefulness, applicability and scope.

The current version of the framework "is the culmination of a successful effort over the course of many months to identify the key issues and where there might be industry consensus," Robert Mayer, Vice President of Industry and State Affairs at telecom trade association US Telecom said. But, he added, "it's still clear that several major issues require additional clarification, including the definition of adoption, the availability of incentives and the criteria for measuring success."

The issue of what constitutes adoption of the framework, and the related question of what incentives will be available for adopting it, have been identified throughout the development process as potential obstacles to the framework achieving its intended purpose. There are no bright lines that define adoption in the existing version of the framework, which some critical infrastructure owners say suits them just fine.

"From my perspective the framework should be used as a guideline," Chris Boyer, Assistant Vice President, Global Public Policy at AT&T said during a panel discussion. "Ultimately the adoption should be left up to the owners and operators of critical infrastructure."

Still, "it's just not clear what it means to adopt the framework," Larry Clinton, President of the Internet Security Alliance (ISA) said. "Uncertainty leads to underinvestment. They [critical infrastructure asset owners] will not know whenever an investment will qualify as an investment to the framework."


The ISA has proposed that a beta test be developed in order to not only track the issues that come up with implementation but also to develop data that would be useful in promoting long-term adoption of the cybersecurity model. "Let's have a systematic trial with industry and government collaborating through the sector coordinating councils [established under the Department of Homeland Security (DHS)]," Clinton said.

The beta test concept was a frequent off-agenda topic of discussion among the workshop attendees, but NIST officials seemed lukewarm to the idea.

"It's another proposal that's out there," Adam Sedgewick, key organizer of the framework development process said. "This whole process has been beta testing."


Another sticking point is how the framework handles privacy and civil liberties issues. The most recent version of the framework has a fully developed separate appendix that lays out a methodology based on the Fair Information Practice Principles (FIPPs) established by the Federal Trade Commission, organized to correspond with the five functions and multiple categories that make up the framework's main "core."

A number of critical infrastructure providers are balking at what they contend are overly broad articulations of privacy requirements that are not relevant to the task at hand; they see the appendix as a set of detailed privacy prescriptions stricter than what many of the sectors operate under today. "Everybody feels that a lot of the data protection standards are covered in the core already," one critical infrastructure attorney said. "They are trying to shoe-horn in this stuff. It's too much for the purpose of the framework."

One privacy and cybersecurity expert, Harriet Pearson of Hogan Lovells, prepared an alternative privacy methodology based on feedback she received from a number of top critical infrastructure asset owners, which she presented during a topic-specific session at the workshop. This alternative methodology strips the privacy requirements down to those strictly related to cybersecurity issues already addressed in the framework core. Most of the major critical infrastructure providers involved in the NIST effort can agree on this alternative methodology, the privacy attorney said.

Another persistent potential problem is how well small and medium-sized entities will be able to grasp the complex framework, which is modeled on advanced notions of cyber protection.

"There are twenty-two categories and ninety-seven subcategories. That's a lot for small and medium-sized businesses," Cox Communications CISO Phil Agcaoili said during a panel discussion. "For some small organizations, the person responsible for cybersecurity could be the owner's eighteen-year-old son," one electric industry representative said.


NIST hosted a topic-specific working session on small and medium business considerations at the workshop and says further development of what it is now calling "framework 1.0" will continue to address this particular challenge. The framework could be modified further in this and a number of other respects as NIST gathers and reviews feedback during an open comment period, which closes December 13.

"That input will continue to shape the framework as well as a roadmap of where we need to go from here," Bob Kolasky, Senior Advisor to the Assistant Secretary for Infrastructure Protection at DHS, said during the closing panel. DHS is organizing a voluntary program to encourage adoption of the framework, which will be a main venue for the framework's continued evolution after NIST publishes the final version. But a number of critical infrastructure owners are skeptical of how well DHS can handle the challenge. "They haven't given us a lot of clarity of what that program involves," one communications industry representative said.

DHS, the White House and a number of government agencies are also working to further develop incentives for adopting the framework, some of which were released in high-concept form last summer. Most Washington experts, however, believe that unless Congress enacts cybersecurity legislation, which has stalled many times and is currently sidelined by the controversies surrounding the National Security Agency, no truly effective incentives for adopting the framework can be established.

Even with the remaining rough edges and uncertainties over adoption, most workshop attendees expressed enthusiasm over the potential for the framework to shift the cybersecurity community into a more collaborative and effective cross-industry mindset. "It's exciting to see NIST come to the beginning of finding a common language that can make a real difference," Harry Wingo, DC veteran and an advisor on cybersecurity matters, said.

Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.
