'Cybersecurity Framework' From NIST Outlines Security Risks
During the 2013 State of the Union address, President Obama announced Executive Order 13636 titled, "Improving Critical Infrastructure Cybersecurity." After a year of preparation, the result of the executive order is coming to fruition with the release of the new "Cybersecurity Framework" from the U.S. National Institute of Standards and Technology (NIST).
In a statement from the White House, the Obama Administration commented that the framework gathers existing global standards and practices to help organizations understand, communicate and manage their cyber-risks. The "Cybersecurity Framework" is applicable both to novice organizations that are just getting started with cyber-security initiatives as well as more advanced organizations.
The framework is made up of three components: the Framework Core includes information that applies across the spectrum of critical infrastructure; the Profiles component is intended to help organizations be aware of their current security posture; and the third component, called Tiers, focuses on risk.
"The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber-risk," the White House stated. "The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk-management practices, the extent to which cyber-security risk management is informed by business needs and its integration into an organization’s overall risk-management practices."
The new "Cybersecurity Framework" is being met by cautious optimism from security experts.
The "Cybersecurity Framework" is an achievement of government-initiated, industry-led collaboration with significant promise for improving cyber-security, James Barnett, a retired U.S. Navy rear admiral and former chief of the Homeland Security Bureau for the Federal Communications Commission, told eWEEK.
It's important to remember the reason Executive Order 13636 was issued, which is the fact that comprehensive legislation to address cyber-security was not advancing or even proposed, said Barnett, who is currently a partner in communications and cyber-security law firm Venable LLP.
While the new framework is an advancement, it also has some limits. Barnett said that no mechanism exists for judging whether companies are adopting the framework or how well they are implementing the framework, other than self-assessment.
"The incentives for adoption may not be enough, and legislation would be required for really meaningful incentives," Barnett said.
Without assessment tools and incentives, Barnett said, knowing whether or not the "Cybersecurity Framework" is working will not be easily possible.
"The framework is not a standard and, in fact, references numerous other standards, allowing each critical infrastructure entity to choose those standards most appropriate to its situation," Barnett said.
That being the case, Tim (TK) Keanini, CTO of Lancope, told eWEEK that he would be hard-pressed to find anything missing in the framework at this point. "As is with cryptography, the weakness is not the mathematics but in the implementation," he said.
Keanini noted that one analogy that he likes for the "Cybersecurity Framework" is that of a fitness program for athletes to build strength and endurance for all their muscle groups. "However, when game day arrives, there will still be cheating, and even the most prepared will lose a few games," Keanini said.
Matthew Standart, threat intelligence director at HBgary, told eWEEK that he would like to see more definition and structure in regard to cyber information sharing—specifically around threat intelligence. "Right now, threat intelligence is a loose, abstract term, and organizations struggle with sharing due to fear that stems from uncertainty and lack of definition," Standart said.
With the recent spate of retail industry breaches, including Target and Neiman Marcus, the importance of the Payment Card Industry Data Security Standard (PCI DSS) has risen to the front of the cyber-security conversation. Standart noted that PCI applies to businesses that process financial transaction data; and many of the technologies and processes in PCI don’t apply to other organizations in other industries.
"PCI is not holistic in its methodologies in contrast to the NIST framework," Standard said. "PCI does not focus on risk to the organization as a whole.
Lancope's Keanini said that while there are many similarities, the obvious difference with PCI DSS is how much more prescriptive it is on the assessment, audit and consequence at this point in time.
"While this 'Cybersecurity Framework' is on its version 1, it is surprisingly complete, and we will now have to see how it is implemented and governed with assessments and consequences," Keanini said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.