Why Businesses Can't Ignore US Cybersecurity Framework - InformationWeek
09:25 AM
Wyatt Kash

Why Businesses Can't Ignore US Cybersecurity Framework

Industry leaders and President Obama call the framework just a first step in creating a cybersecurity playbook for 16 US critical infrastructure sectors. But this is more than just a reference manual.

The Obama administration's new voluntary Cybersecurity Framework for critical infrastructure providers, announced Feb. 12, won't please everyone. But it does bring together for the first time a useful set of federally endorsed practices for private sector security. It also represents a welcome reprieve from the frosty government-industry relationship on matters of cybersecurity preparedness.

Industry leaders as well as President Obama were quick to acknowledge that the framework is just a first step in creating a cybersecurity playbook for the nation's 16 critical infrastructure sectors, including financial services, communications, and energy providers. It establishes an important precedent not only by defining common security standards, but also by offering carrots to the private sector rather than wielding a regulatory stick. The framework also serves notice to a gridlocked Congress that the White House can give traction to issues of national importance.

Critics will fault the framework as little more than a compilation of established industry security practices -- created to help companies identify security risks and protect themselves against, respond to, and recover from common attacks and breaches. It also includes standards and approaches for industrial control systems.

Four factors, however, make the framework more than just a reference manual.

First, the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who've combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.


Second, while the framework avoids laying out incentives for companies to adopt the recommendations, it appeals to the best interests of companies and their shareholders.

The cybersecurity framework doesn't tell companies what to do or what tools to buy. But it does standardize the questions all CEOs should ask about their companies' security practices as well as those of their suppliers, partners, and customers. And it shows them what the answers ought to look like. The economic pain hackers caused to Target and its CEO, Gregg W. Steinhafel, may be incentive enough for other CEOs to adopt NIST's recommendations.

A third and even more powerful factor is the likelihood that even without legislation, the framework will become the de facto standard for private sector cybersecurity in the eyes of US lawyers and regulators. That's the view of Gerald Ferguson, who specializes in intellectual property and technology issues for law firm BakerHostetler, as expressed in a recent opinion column he wrote for InformationWeek.

Illustration of core functions and activities to support cybersecurity from NIST Framework for Improving Critical Infrastructure Cybersecurity 1.0

Fourth, the cybersecurity framework isn't just another set of NIST guidelines, but the outcome of President Obama's Executive Order on "Improving Critical Infrastructure Cybersecurity," which he announced in his 2013 State of the Union address.

"Cyber threats pose one of the gravest national security dangers that the United States faces," the president said earlier this week, a point reinforced in a new Defense News poll that found that nearly half of national security leaders think cyber warfare is a bigger threat to the US than terrorism.

But not everyone thinks the president's cybersecurity framework provides the right set of standards or adequately addresses how to make networks resilient against inevitable attacks.

Gerald Cauley, CEO of the North American Electric Reliability Corp., which develops reliability standards for power companies, argues that NIST's framework could undermine existing -- and in some cases more advanced -- cybersecurity practices already in effect.

Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ...

User Rank: Apprentice
2/16/2014 | 6:24:44 PM
Physical Security Systems are also following the Cyber Security Framework
Not only are logical security systems providers such as web site developers, firewall, and other IT components joining the bandwagon, but physical security systems providers and manufacturers are following its guidance for implementation. SecureXperts is currently working with groups from the physical security community in Identity Management, biometrics, access control, video surveillance, and other technologies to make their products more secure and resilient against cyber attack.
User Rank: Author
2/14/2014 | 5:39:15 PM
What others are saying
The White House provided a long list of comments about the framework from top industry executives and from members of Congress.  Of course it reads like the copy on a book jacket: Lots of praise for the private-public effort that went into creating the framework and nary a word of criticism.

But there's also a clear sense CEOs and public leaders see the seriousness of the threats -- and the importance of having the framework.  For what it's worth, here are a few excerpts of what others are saying:

Renee James, President, Intel:
"Improving cybersecurity in ways that promote innovation and protect citizens' privacy is the only way to preserve the promise of the Internet as a driver of global economic development and social interaction. Intel applauds the Administration and the National Institute of Standards and Technology for constructing the cybersecurity framework hand-in-hand with industry and other stakeholders, building a model of a voluntary, risk-based tool that can be utilized by a broad array of organizations. "

Steve Bennett, President & CEO, Symantec Corporation:
"The effort to develop the NIST Cybersecurity Framework has been a model of public-private partnership. Symantec believes the Framework will be useful to all organizations, whether they have well-developed cybersecurity programs or are looking to start one.  Symantec has already begun to incorporate the Framework into our internal security program, and I expect that many of our customers will use it as well."

Joseph Rigby, Chairman and CEO, Pepco Holdings Incorporated:
"We believe the partnership between the government and affected industries is critical to ensure preparation and readiness; this Framework is evidence of the commitment of stakeholders to work together to protect against cyber threats."

Charles W Scharf, CEO, Visa:
"Visa supports a standards-based approach, and we're encouraged by the final framework issued by the Administration which promotes the adoption of existing security best practices. We also support robust information sharing programs with appropriate liability protections to further bolster global cyber security."

Edward Amoroso, Senior Vice President and Chief Security Officer for AT&T Services:  "Effective cybersecurity presents a complex challenge requiring collaboration from across the entire Internet ecosystem. The Cybersecurity Framework builds in the necessary flexibility for effective implementation and continued innovation.... and shows international leadership by demonstrating that an effective partnership between government and industry is the most effective way to combat cyber-attacks."

Doug Wylie, Director, Product Security Risk Management, Rockwell Automation: "As the world's largest company dedicated to providing industrial automation solutions, Rockwell Automation strongly supports this voluntary Cybersecurity Framework because it helps to amplify the importance of protecting national critical infrastructures and related industrial control systems."

Terry Rice, CISO, Merck & Co, Inc: "Merck has begun adoption and implementation of the Cybersecurity Framework.... Merck commends NIST's superior leadership in advancing the foundation of cybersecurity through this new Framework."

Marilyn Hewson, Chairman, President and CEO, Lockheed Martin: "Cybersecurity is a shared responsibility between government and industry, and we applaud the Administration for making it a priority. We support the Administration's voluntary, transparent and flexible approach to developing the Cybersecurity Framework, and believe it will enable American businesses—large and small—to do their part."

Senator Jay Rockefeller (D-WV), Chair of the Committee on Commerce, Science, and Transportation:
"The recent data breaches at Target and other retailers are a stark reminder that our networks continue to be vulnerable to cyber attacks. The Cybersecurity Framework NIST released today represents a major step forward in improving our cyber defenses.  It should become an essential touchstone, not just for critical infrastructure operators, but for all companies and government agencies that need to protect their systems and their data."

Senator Tom Carper (D-DE), Chairman of the Committee on Homeland Security and Governmental Affairs: "This voluntary framework provides a much needed roadmap for improving the cybersecurity of our most critical infrastructure. Companies now have a common, but flexible path forward to better secure their systems, and also a meaningful way to measure their progress. We must now focus like a laser on ensuring widespread implementation of the framework in order to effectively protect our national and economic security."
User Rank: Author
2/14/2014 | 5:07:37 PM
Re: Better than Nothing?
NIST is skilled at collating and vetting recommendations. They've perfected crowd sourcing. But their reports often yield what amounts to the lowest common denominator, with some useful recommendations. The value of NIST's work is the rigor with which they gather and publish best practices. If you considered the work companies would have to go through to create a comparable body of work, the framework is a pretty valuable tool.
Lorna Garey
User Rank: Author
2/14/2014 | 12:52:26 PM
Re: Better than Nothing?
Many of these complaints follow the tired "we have a big, intractable problem, but your solution doesn't solve it 100% with no inconvenience to anyone, so it stinks" logic that plagues the ACA and other programs. No, this isn't the end all. But its focus on not telling companies what to do or what tools to buy but instead giving a policy template seems like the exact right tack.
User Rank: Author
2/14/2014 | 11:05:07 AM
Re: Better than Nothing?
Seems like another government roadmap formulated by committee, but at least this committee consisted of private sector experts as well as government ones. The key is for those companies that haven't even taken these basic steps to get going -- before the government whips out its big stick by way of a bunch of new regulations.
User Rank: Author
2/14/2014 | 10:52:40 AM
Re: Better than Nothing?
Comparing the Cybersecurity Framework release 1.0 with the preliminary draft, one gets the sense that a lot of useful ideas and tools were cut out, presumably to satisfy many conflicting complaints and to meet the President's deadline. There is definitely a case to be made that other guidelines and recommendations, such as the SANS 20 critical security controls guidelines, are more practical, and that guidelines for everyone are not as useful as guidelines for specific industries. That said, business leaders would do themselves a favor to see if their operations meet these basic practices/guidelines.

User Rank: Ninja
2/14/2014 | 10:01:14 AM
Better than Nothing?
I've seen more practical guidelines for firms to follow.  Like so many government things, it's a lot of words and not so much practical advice.  Friends have joked about how it's very much a 1.0 thing, and we all know to avoid ".0" releases.  Some of it is too simplistic, but for an organization that has nothing, it's something.