The Cybersecurity Framework is intended to bolster resiliency for critical infrastructure assets, as directed by the President’s Executive Order issued earlier this year, and is being developed by the National Institute of Standards and Technology (NIST) with the aid of several thousand security experts who have attended workshops or otherwise contributed to the Preliminary Cybersecurity Framework draft released in October.
The initiative aims to consolidate existing standards and control catalogs, such as the ISO 27000 series (ISO27k), NERC CIP, COBIT, the Top 20 Critical Controls and others, into one streamlined document that produces a security capability maturity model, with adoption driven by stakeholder-developed incentives that encourage voluntary adherence.
And that's the rub. Even if the document is finalized by February 2014, success will ultimately require the willing participation of early adopters who already maintain a mature security and compliance posture, followed by the alignment of risk management strategies at organizations that will need time and resources to come into line with the standards, a potentially costly endeavor.
The Internet Security Alliance (ISA), a multi-sector trade association representing the interests of some of the biggest companies in the nation, has long championed a market-incentive approach to the adoption of better security practices, as opposed to penalty-based regulatory mandates, but it is still unclear how NIST's CSF would achieve this end.
According to ISA President Larry Clinton, policy makers have slowly developed a more sophisticated understanding of the cyber threat and of how to address it: by providing proactive incentives rather than attempting to coerce and control the private-sector partners who own and operate the vast majority of the nation's critical infrastructure.
"It became obvious that they needed to adopt a more collaborative model when not only Republicans but liberal Democrats in the Senate wouldn't support the Administration's previous position, which advocated increased government regulatory authority over the private sector," Clinton said.
In 2008, ISA proposed a model known as the Cyber Security Social Contract, which argued that the government's role ought not to be to regulate and mandate, but instead to designate the practices and standards that are effective and provide market incentives for voluntary industry adoption.
In 2011 the House GOP Task Force on cybersecurity endorsed this approach, and it also formed the essential elements of the President's Executive Order.
“ISA has been proposing that market incentives be used as opposed to government mandates to spur greater cyber security practices since the publication of our Cyber Security Social Contract in 2008. This may be the only substantive issue upon which both the House GOP and the White House agree,” Clinton said.
Clinton notes that, as part of the Executive Order, the Departments of Commerce, Treasury and Homeland Security, along with GSA and DoD, issued reports to the President on how incentives could best be designed to promote cybersecurity. The key finding was that different entities will be attracted to different types of incentives.
For example, Clinton says that the defense sector may be more interested in a procurement incentive, whereas the financial industry may be more interested in an insurance incentive. The utility industry may prefer a more streamlined permitting or regulatory procedure as a tradeoff for investing more in cybersecurity than its commercial needs would normally demand, but which might be appropriate to address what is typically a government function, such as national security.
“The other key is that we need to find incentives that will have an economic impact for industry but don’t have a significant impact on the federal deficit,” Clinton said. “That is why we are not looking very much at tax incentives, but instead at low cost items like forbearance from outdated regulations or liability incentives that don’t cost the government much money.”
Clinton says that ISA was a leader inside the Beltway in identifying the misconceptions behind the punitive model embraced in the last Congress, a model now largely absent from federal policy discussions. The original line of thought was that if a corporate entity was successfully breached, that was evidence of some sort of negligence, so severe penalties would motivate increased security spending.
“However we now know that the attacks have become so sophisticated that the determined attacker will successfully compromise even the best security – Google was successfully penetrated, and so was the Pentagon,” Clinton said, adding that by penalizing the entity that has been attacked you are essentially blaming the victim.
In addition to fines, leveraging public disclosures of security incidents to embarrass an organization and drive their stock down – one of the options that was being pursued by the SEC – creates all the wrong incentives for cybersecurity, Clinton argues.
“First of all discovering modern stealthy attacks requires a substantial effort, it’s as much an art as a science,” Clinton said. “No corporation is going to go to all the trouble and expense to find sophisticated attackers if the result of it will be lower stock prices – they will just take their chances – a very bad scenario, but this is what is promoted by the SEC approach. Moreover, this invites stock manipulation by various competitive or predatory parties.”
In addition to the debate over how to encourage adoption of the Cybersecurity Framework, the President’s Executive Order highlights threat information sharing between the public and private sector as a primary objective, and Clinton says that obtaining access to this sort of advanced threat intelligence could also act as an incentive in and of itself.
“In the Executive Order, the Administration is primarily attempting to get organizations to sign up for an enhanced information sharing program, which will allow entities who qualify on a security basis to receive high value information that they can share with their partners,” Clinton said.
“Moreover if an entity finds an effective mechanism to address the threat information it receives from the program, it provides a market incentive because they could potentially sell their mitigating utility or service to other organizations.”
That's the upside, but the downside is that there will be numerous obstacles to participation in a voluntary program, including defining what successful "adoption" of the framework will really entail.
“We really won’t know the answer to this until the framework and the incentives have been finalized and that won’t be for many months,” Clinton said. “As it is the framework is currently unclear as to what constitutes adoption, so there is great uncertainty as to who will qualify for any incentive.”
Moreover, the controls in the framework have not been prioritized as the Executive Order requested, so attempts to adopt and implement the CSF could result in a hodgepodge of half measures that do not have the intended effect of improving an organization's security posture.
“If I have one extra dollar to spend on cyber security where do I spend it? Without this kind of prioritization, I’m afraid there won’t be much adoption. In addition, the framework according to the Executive Order must be cost effective, yet I see virtually no analysis of costs in the framework,” Clinton said.
Clinton says it is also unclear whether the framework will make sense to the broad array of individuals who will ultimately be handed the decision on whether to spend the money and implement it.
“A good deal more work needs to be done for senior managers to understand what the government wants and why they ought to be adopting it, since there is no measure that adopting the framework actually increases security, let alone in a cost effective way,” Clinton said.
And while NIST has done an excellent job of reaching out to the IT community and getting them involved in the process, with more than one thousand companies having representatives who attended the CSF workshops, Clinton says there are at least two areas where NIST’s outreach so far has not succeeded.
“The first is with senior executives who are going to be the individuals who will make the decision as to whether their organization will actually adopt the framework, and the second is the international business community, although there has been government to government communication,” Clinton said. “NIST is making efforts to fill these gaps, and ISA is attempting to assist them.”
Clinton, speaking recently on a panel with the Chair of the President's Integrated Task Force, proposed a "beta test" period for the NIST framework rather than moving immediately to encourage full implementation in February.
“We have already seen the results of not doing enough testing before launching a major program with Healthcare.com,” Clinton said. “Similarly the cyber security framework needs to be tested just as the private sector would do with any major product or service before it was rolled out.”
Clinton also indicated that ISA had received support from both industry and government officials for a beta test phase for the framework, further proposing that DHS should work with the Sector Coordinating Councils (SCCs) and Government Coordinating Councils (GCCs) to develop sector-specific tests of the framework's costs and overall effectiveness.
“The tests should be independent from NIST and focus on a stratified sample of critical infrastructure companies who are most closely representative of the organizations NIST is targeting with their framework,” Clinton said. “DHS should assist with the implementation of the framework and track the issues that come up including cost, time, effort and the effectiveness of available incentives and improvements in actual security.”
ISA contrasted its proposal with the approach currently being promoted by NIST, which seeks early adopters of the framework and would rely on their voluntary self-reports to shape future policy.
"Obviously the firms who are going to volunteer as early adopters are those for whom adoption is easy; probably they are already doing what is required in the NIST framework," Clinton said. "In all likelihood such firms have economies of scope and scale that are not typical of the companies who are not currently practicing adequate cyber security. It's these latter companies that we need to work with and analyze."
Clinton argued that a beta test phase would provide data that would be of substantial use in promoting the long-term adoption of the framework.
“If we can actually analyze target firms implementation of the framework, we can comply with the president’s order to determine what aspects of the framework are in fact cost effective,” Clinton said.
“That means we will also learn how useful the incentives DHS can offer will be in overcoming cost inefficiencies in the framework and point the Congress to exactly what they need to do to encourage greater adoption in the interests of security.”
Regardless of the numerous challenges and obstacles that have yet to be overcome in developing the framework, Clinton says that in the end the effort will bolster the nation's cybersecurity posture.
“We are far better off trying to work together to fight the cyberwar rather than pointing fingers and making political points that will make the situation worse from a security perspective.”
- The Cyber Security Framework and the Case for Platform IT
- Implementing the Cyber Security Framework
- Don’t Reinvent the Wheel: Phil Agcaoili on the Cyber Security Framework
- NERC CIP Version 5: One Giant Leap
Tripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.