By Dan Reing
On April 3, 2013, the National Institute of Standards and Technology (“NIST”) hosted the first of four planned Cybersecurity Framework Workshops at the Department of Commerce. The workshop consisted of five panel discussions among a variety of private and public stakeholders affected by the Executive Order on “Improving Critical Infrastructure Cybersecurity” (“EO”) issued February 13, 2013. As we previously discussed, the EO set in motion a process to develop and implement a national, voluntary Cybersecurity Framework aimed at protecting the nation’s critical infrastructure and the provision of essential services to the American people. The EO tasked NIST with drafting the Cybersecurity Framework, and on February 24, 2013, NIST issued a Request For Information (“RFI”) seeking public comment on the issues the Cybersecurity Framework should address. The RFI comment period closes on April 8, 2013.
The objective of NIST’s first cybersecurity workshop under the EO was to convey its planned approach to developing the Framework and to elicit ideas and participation from private industry in the RFI process and the upcoming workshops. Toward that end, NIST indicated that the next three workshops are intended to be “hands-on,” “roll-up-your-sleeves” standards-development sessions. The next workshop is scheduled for May 29-31 at Carnegie Mellon University in Pittsburgh, with another workshop approximately six weeks later (mid-July), and the final workshop approximately six weeks after that (around Labor Day).
NIST staff reiterated – several times – that the agency will rely heavily on input from private industry to guide the process, and that every comment will be read. Prior to the May workshop, NIST stated, it will review and consider all RFI comments and undertake an initial analysis to identify the key commonalities, themes, and areas of concern raised. NIST intends to make this initial analysis publicly available before the May workshop, at which it plans to consider Framework development on three tracks: (1) Risk Management; (2) Cyber Hygiene; and (3) Tools and Metrics.
The overarching theme repeated throughout the day by industry and government panelists alike was the need for a Framework driven by industry in a collaborative process with the government. To that end, Patrick D. Gallagher, the Director of NIST, stressed that NIST’s goal is to gather current best practices, standards, processes, and ideas from industry stakeholders as a starting point, and that those responses must guide the Framework development at the subsequent workshops. Likewise, representatives from the Department of Homeland Security (“DHS”), which, among other things, is tasked with articulating performance goals for NIST, focused on presenting this process as a partnership between industry and the government. A common refrain from panelists across all sectors of industry was to ensure that the process does not attempt to “re-invent the wheel,” but instead to adopt, adapt and rely on practices and standards already in use. NIST staff made clear that the agency’s goal is to do just that, consistent with its prior practice.
Other common themes included industry representatives stressing that one size cannot fit all in any Cybersecurity Framework, and that whatever NIST ultimately adopts must be scalable, so that it is implementable and accessible for companies of all sizes. Another repeated refrain was that the Framework must be practical from a business perspective. It was widely accepted that adoption must be incentivized and presented as a matter of general risk management for which a business case can be made. To do that, several panelists stressed, the Framework must be in terms non-IT management and employees will understand, because those responsible for implementation will not always be IT professionals.
Many panelists also advocated a flexible, evolving Framework that can adapt to constantly changing threats and that incorporates evolving best practices for preventing and responding to new cyber-attacks. Panelists noted that the Framework should take account of international standards and how it will fit into the global cybersecurity landscape, and they highlighted performance metrics as a key factor in a workable Framework. Key questions for consideration included clearly identifying goals and establishing in advance what successful implementation will entail.
Bruce McConnell, Senior Counsel (Cyber) for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD), shared DHS’s current formulation of the goal for the Cybersecurity Framework: “Adoption of the framework will [ensure] … a high level of confidence that the essential services [an entity] provides will continue to be delivered to its critical customers in the face of most cyber incidents directly affecting the entity.” DHS acknowledged that to accomplish this, the Framework must include ties to incentives for adoption, and must have measurable compliance and performance standards. At the same time, the Framework cannot impinge on privacy and civil liberties – accordingly, DHS has established a task force to measure the Framework’s impact on those concerns against the Fair Information Practice Principles.
Finally, another common topic was information-sharing related to cybersecurity breaches, threats, experiences, and practices – both from the government to the private sector, and vice versa. Workshop participants widely acknowledged that increasing and promoting information sharing will require legislative action in at least the liability, antitrust, and privacy arenas. Even beyond that, there must be a safe, anonymized way to share experiences about vulnerabilities, detection practices, and operations that does not create further competitive or reputational risk. Toward that end, representatives of various industry Information Sharing and Analysis Centers (“ISACs”) on one panel offered ISACs as a good model for information-sharing, so long as the legal impediments are overcome.