Recent Posts

Four Key Take-Aways from the Sixth NIST Cybersecurity Framework Workshop


Last week, the National Institute of Standards and Technology (NIST) held its sixth workshop, in Tampa, FL, on the landmark critical infrastructure cybersecurity framework mandated by President Obama in February 2013 and issued by NIST in February 2014. As was true of the five previous workshops NIST held prior to the framework's release, hundreds of cybersecurity specialists gathered for two days to listen to government and industry experts and to hash out the framework's details across multiple specialized working sessions.

While the event covered a lot of ground, tackling technical and detailed topics ranging from relatively specialized matters such as authentication in industrial control systems to broader overviews of how various sectors are dealing with the framework, a few themes emerged from the sessions and from conversations with attendees. Here are the top four take-aways from the latest workshop:

1. Everyone Likes the Framework: Almost everyone said the framework is a good thing, although, as noted below, specialists still have some issues with the framework's ongoing development. Not surprisingly, the representatives from industry and from the UK and EU governments invited to speak on the plenary session panels offered almost uniformly positive views of the framework. "We began using the framework essentially the day it came out," Tim Casey, a senior information risk analyst at Intel, said. "It gave us purpose and direction that we didn't have previously," Jefferson England, an executive at small telco Silverstar Communications, said.

Conversations with attendees yielded more of the same. "This is a good force multiplier. It's a common unified framework for managing security risks," Robert Brown, Manager of Assurance at PWC, said. "People have seemed to really embrace it," according to Phil Agcaoili, VP and CISO at Evalon. "There are all sorts of ways this could have gone wrong and it didn't," Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), said.

Much of the good feeling flowed from the sense of collegial community that has grown up over the course of the multiple workshops among the many hundreds of cybersecurity specialists. (Frequent jokes were made about the T-shirts given to people who had attended every workshop.) The framework process has really "put trust across the sectors," Jack Whitsitt, Senior Analyst at cybersecurity consortium EnergySec, said, noting that cyber specialists in different industries now share information outside their own sectors because of the relationships forged during the NIST framework process.

2. The Framework's Primary Value To Date Seems to Be as a Communications Tool: The jury is still out on whether the framework has actually achieved its intended goal of reducing cybersecurity risk, but it is clear that the subject matter experts at the workshop think it is a good device for communicating the arcane subject of cybersecurity to managers, regulators, vendors, partners and other audiences. "One of the largest benefits of the framework is that it provided a framework of discussion, as much as anything else," Silverstar's England said.

"We're using it as an engagement tool for our regulators," Karl Schimmeck of the Securities Industry and Financial Markets Association, said. "We're hoping that it becomes the common language when you're talking to suppliers, vendors, joint ventures," a senior oil and gas industry representative said. "I'm using it to inform my board and executives," Evalon's Agcaoili said.

3. Otherwise the Framework Is Still Kind of Difficult to Use: Despite being built on the notion of simplicity, the NIST framework is a 41-page document that features a core set of activities, multiple implementation tiers and intricate mappings to hundreds of individual controls drawn from detailed standards developed by a welter of standards-setting bodies. Most of the practitioners in attendance at the workshop said that the framework, despite its communication value, can at times be quite a challenge to use. "These frameworks are alphabet soup," PWC's Brown said.

"The mapping process is nuts," Dorian Cougia, Compliance Scientist at Unified Compliance, said. Part of the problem is that the standards mapped to the framework can run dozens or even hundreds of pages, and it is not always clear which parts of a given standard apply to what. "There were times when we did not exactly understand what the framework meant," one top energy cybersecurity specialist said.

"The content of the framework really doesn't matter," EnergySec's Whitsitt said. "Organizations that don’t know how to do security already will have a hard time with it."

The difficulty in using the framework can be greater for smaller and mid-sized organizations that don't have cybersecurity experts on staff, a topic much discussed during the framework's development. "The big guys do this already," one communications industry representative said. "They wouldn't be in business if they weren't protecting their networks for financial reasons." The smaller companies, however, are struggling to come up to speed with what the framework demands, she noted, because they may have at most one IT person on staff assigned to implement security measures.

The right way to view the challenge of using the framework isn't big versus small, according to Adam Sedgewick, who spearheads the project for NIST; it is more about how serious the company is about cybersecurity, regardless of size. "I think it's a mistake to think that small and medium companies do not have good cybersecurity practice as a rule. I think it's more appropriate to say companies that do not have robust cybersecurity programs" face greater challenges.

4. There Won't Be a Framework 2.0 Any Time Soon: Two mantras emerged from the government and NIST speakers at the workshop. The first is that "it's still early days" for the framework and too soon to gauge its effectiveness. The second, related concept is that no basic changes to the framework are in the offing anytime soon.

"We want to make sure that people understand we don't expect changes to the framework in the future," Ari Schwartz of the National Security Council said. "We are in no rush to make changes without knowing or understanding what effect those changes might have," Matt Scholl, Deputy Division Chief at NIST, said.

Cybersecurity is already shaped by endless organizations, government agencies, schemas, frameworks and evolving standards, NIST's Sedgewick said. "We have to be careful when we think about the next phase of this effort to reduce that complexity and not increase it."

That view was embraced by most of the workshop attendees. However, some of the industry specialists who are implementing the framework think changes are needed sooner rather than later. "It is useful but it still needs more work," one big electric utility representative said. "If something is missing, they don't know something is missing. They should not wait too long to update the core."

Cybersecurity Should Scale Faster than the Information Revolution, DARPA Head Says


(Washington, DC) In the face of cybersecurity threats that seem to breed like bacteria, one conceptual fix is to speed up the development of cybersecurity techniques so that they outpace the rapid-fire evolution of technology, the head of the Defense Advanced Research Projects Agency (DARPA) said today. Speaking at a cybersecurity summit hosted by the Washington Post, Arati Prabhakar, Director of DARPA, said "we are trying to wrangle this problem while the information revolution is exploding. The moonshot for cybersecurity in my view is to find techniques that scale faster than this revolution."

One key problem is that the Internet was developed, under DARPA's auspices, at a time when the current kinds of security threats were unimaginable. If DARPA had a clean slate to rebuild the Internet to make it more secure, one concept would be to apply a biological model to network security, she said. "Under the hood there is a lot of diversity among individuals [s]o one attack cannot wipe out the human race," she said, drawing parallels between the efforts DARPA spearheads to help the public health community outpace infectious diseases and its simultaneous efforts to develop automated cyberdefense systems.

The scariest cybersecurity threat is a potential take-down of the power grid. But that's an unlikely prospect for the typical IT hacker, Andy Bochman, Senior Cyber and Energy Security Strategist at Idaho National Laboratory, said. "The communication protocols and the types of processors and the amount of memory is often wholly different" in the energy sector's industrial control systems. "For the standard hacker, it would be a strange place."

Still, to the extent that power companies are putting into place new technology, there is a "tremendous opportunity" to minimize risk. "The more that electric utilities and stakeholders include security requirements into their RFPs, [t]hat gives signals to the manufacturers that what wasn't important before is suddenly something they should pay attention to," Bochman said.

It's unlikely that Congress will step in with its own solution during the upcoming lame duck session, Rep. Mike Rogers (R-MI), retiring Chairman of the House Intelligence Committee, indicated. "We have a very small window to get this done [pass a cybersecurity bill]," he said. "The political challenges in the Senate make the odds pretty high," Rogers said, blaming the failure to pass a bill on "political tantrums."

Only 15% of networks are owned by the U.S. government and thus benefit from the cybersecurity protection of the military and various federal agencies, Rogers said. "By doing nothing in Congress, we are telling these 85% of private networks 'you are on your own,'" he said, a problem rooted mainly in the difficulty of sharing information between public and private groups, a gap that most cybersecurity bills aimed to narrow.

Meanwhile, the federal government is doing what it can to help raise the level of cybersecurity practices around the globe. Federal agencies are increasingly coming together to work with other nations in securing the necessary infrastructure against the "less deterrable" threat actors, such as Iran and Korea as well as terrorist organizations. "The good thing is that more and more countries are taking this seriously," Christopher Painter, Coordinator, Cyber Issues at the State Department, said.

Around 60 countries are looking to build cyber command operations, Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security for the Defense Department, said. The U.S. government is helping some of those countries, particularly in Europe and Asia, build that capacity. "There are a small group of countries that we are advising. [W]e only do it with our very closest partners, mostly because we want to make sure it's being done right."

NIST Cybersecurity Framework is Good and Bad, Experts Say

Six months after its release, the cybersecurity framework issued by the National Institute of Standards and Technology (NIST) received mixed reviews from a group of cybersecurity specialists who have now had time to give the landmark system a closer look. Speaking at a webinar hosted yesterday by the Industrial Control System Information Sharing and Analysis Center (ICS ISAC) and my own firm, DCT Associates, the panelists' early assessments of the framework ranged from "pleased" to "failed," with a general sense that the framework doesn't replace the hard work of implementing adequate cybersecurity controls.

"I'm relatively pleased," Chris Blask, Chair of the ICS ISAC, said. "What we want to achieve from all these sorts of things, rather than force people to comply with specific activities, is encourage all the relevant players to take steps that result in a more secure infrastructure."

"From an operator perspective, a document like this [the framework itself] is quite intimidating," Kevin Morley, Security and Preparedness Program Manager, American Water Works Association (AWWA), said. "This is a little bit abstract and we felt we needed a different approach," which is why the AWWA developed its own security guidance for the water sector. Nevertheless, AWWA mapped its separate guidance to the NIST framework and found that the two are 100% aligned, Morley said.

"You can look at the NIST CSF as a success and you could say it's not a bad outcome. I believe you could only say that if you have very low expectations," Perry Pederson, Co-Founder and Managing Principal at The Langner Group, said. "Compliance with the NIST CSF only requires adopting the terminology. If you speak in those terms and talk in those terms you can be compliant with the framework without changing anything you have to do. It's really a business-friendly framework because it allows the business to decide based on its needs and resources to simply cherry pick what it wants."

Japp Schekkerman, Director of Global Cyber Security at CGI Group, agreed with Pederson. The framework is "addressing all kinds of questions [b]ut it doesn't tell you how to do it," he said. "If you're not familiar with the standards [referenced in the framework], you don't know what to do."

The framework wasn't intended to provide a technical blueprint telling cybersecurity specialists what to do, Greg Witte, Program Manager, Security Standards Team, G2, countered. "It really is about communication and awareness," he said. "We should not be directing people and making it mandatory."

"The framework is a way to have a discussion about managing risk," Adam Sedgewick, who spearheads the framework initiative for NIST, said during an interview earlier in the week. Still, NIST welcomes criticism and hopes to solicit a wide range of opinions on the framework's effectiveness through a request for information issued today in preparation for a framework workshop NIST will host in October. "We really do want a healthy debate, we welcome criticism."

NIST's Cybersecurity Framework at the Six-Month Mark: Are We More Secure?


On February 12th the National Institute of Standards and Technology (NIST) released its comprehensive cybersecurity framework, the culmination of an intense 12-month drafting process ordered by President Obama in an effort to ward off what former Defense Secretary Leon Panetta feared would be an imminent "cyber Pearl Harbor." This framework of frameworks was intended to lay down ground rules to improve the security and resilience of all industries, but particularly the critical ones upon which a stable society depends, such as energy, communications, transportation, and food and agriculture.

So, what's happened since the framework's release? Find out tomorrow when I will be moderating a webinar for the Industrial Control System Information Sharing and Analysis Center (ICS ISAC), one of the key groups assigned the all-important information-sharing task among industrial control system operators, to ensure that cyber threats are identified and managed in a timely fashion.

Join ICS ISAC Chair Chris Blask and me to find out what top security specialists think about the framework six months in, and the benefits and challenges they've experienced in putting the framework into place. Among the experts we've lined up are:
  • Kevin Morley, Security and Preparedness Program Manager, American Water Works Association
  • Perry Pederson, Co-Founder and Managing Principal at The Langner Group, LLC
  • Greg Witte, Program Manager, Security Standards Team, G2, Inc.
Based on my conversations with some of the speakers, this webinar promises to be a lively one, complete with frank assessments of both the good and not-so-good aspects of the framework. I'll check back in here later with a write-up of the key points, but register for the webinar today so you can hear first-hand what they have to say and ask your own questions.

Cybersecurity Information Overload: Is There a Solution?

For at least the past two years, I've been fascinated by the highly fractured nature of information in the cybersecurity world, which is under a constant, overwhelming onslaught of developments, studies, reports, meetings, breaking news, standards work and government activity. I've spent my entire career creating information products, conferences and advisory services focused on technology-related industries and their corresponding complex policy topics (albeit in the comparatively easy-to-grasp media, communications, consumer electronics and, more recently, energy sectors).

But nothing beats cybersecurity as a tough topic, an issue that few people feel, deep down inside, they adequately grasp. This vague sense of not-knowing is true for both the technology professionals responsible for implementing cybersecurity within their organizations and, most emphatically, the non-technologists who run organizations, government agencies and corporations and who are increasingly held responsible for the breaches that occur on their watch. Part of the problem is that there is just too much material bombarding all of us, and the information overload is accelerating.

Hundreds of good (and not so good) journalists crank out cybersecurity news pieces every day across at least several dozen, if not hundreds, of bona fide publications (my slightly outdated must-read list is here). Hundreds of consulting, engineering and law firms release reports, updates, advisories and white papers. Endless meetings with thousands of participants are held across government and affiliated working groups, centers and labs of all stripes and sizes and across all industry sectors. A day doesn't go by without at least a dozen webinars, conferences or hearings on some important cybersecurity topic.

Trying to keep track of the day's developments is by itself a herculean challenge. A while back, I launched a Twitter feed and a corresponding online Flipboard magazine (best seen on tablets and smartphones) that seeks to sift the day's endless streams of information down to only the most important, most interesting and most useful items. Unlike some people who have brilliantly developed scripts to separate useful information from the repetitive, derivative and not-so-valuable gunk, I manually go through news feeds, emails, LinkedIn group reports and other sources and pick what to put in these curated resources. This process can consume many hours of my day if I don't watch it.

A few years back I interviewed over a dozen utility cybersecurity executives about the problems they faced. Information overload was consistently ranked among the top impediments to getting their jobs done. Typical of the responses I received was that of one top cybersecurity technologist. "A lot of stuff comes into our email inbox," he said. "There is a huge quantity of information out there saying 'we know what's best.' Quite honestly, for me it's fairly overwhelming to see that much information come in."

And the situation has only deteriorated in the three years since I conducted that project. So, what's the solution? Is there one, or is cybersecurity now so vast, and so endemic to everything in the world, that it is impossible to develop a comprehensive resource that hits the high points and pulls it all together, as best as possible, in a reasonable time frame?

These are the questions in the back of my mind as I work on a plan that proposes to do precisely that: pull it all together and produce ongoing reports, data and analysis in a way that makes sense and reflects expertise and high-caliber thinking.

But if any of you have answers to the question about information overload (is there a solution, and what is it?), or if there is a key piece of data or aggregated information that you wish you could see, drop me a line and share your thoughts.

Tanium Pushes 2014 Cybersecurity Venture Funding to $329M, Five Times 2013 Level


San Francisco-based cybersecurity start-up Tanium announced yesterday a $90 mil. venture cash infusion from Andreessen Horowitz, a Silicon Valley powerhouse known for backing a long list of Internet and technology winners. The $90 mil. investment is the venture firm's second largest investment ever and continues a string of its investments in cybersecurity companies, including Bluebox Security, Ciphercloud and Bromium.

Tanium, which describes itself as an "enterprise-scale real-time security and systems management company," has developed an approach to security management that it says collects and processes billions of metrics (hardware configuration, software inventory, network usage, patch and update status and more) across an organization's endpoints in real time, providing immediate visibility into operational issues so that attacks can be headed off.

Andreessen's big investment is the latest in a string of high-profile investment rounds across the growing ranks of cybersecurity technology start-ups. According to our tally, thus far in 2014, cybersecurity firms have snagged $392 mil. in venture capital, over five times the estimated $70 mil. in cybersecurity-related venture deals in 2013. (See table below.)

At this point, total recent venture funding for cybersecurity tech providers is coming close to the $1 bil. mark. As the table below shows, since April 2012, venture funding for cybersecurity start-ups has totaled at least $818 mil. At this rate, and with five months left in the year, that $1 bil. mark seems to be easily within reach.

Rep. Mike Rogers Raps FCC's Stance on Cybersecurity, Challenges Funding Request


Rep. Mike Rogers (R-MI), Chairman of the House Intelligence Committee, yesterday raised a red flag over last week's move by Federal Communications Commission (FCC) Chairman Tom Wheeler to broaden the agency's involvement in communications companies' cybersecurity practices. In a letter co-signed by fellow Republican committee member Mike Pompeo (R-KS), Rogers expressed concern that Wheeler's approach, while relying primarily on the market to manage cybersecurity issues, verges too close to increased regulation.

The letter states that a speech Wheeler gave last week, in which he outlined a "new paradigm" for cybersecurity, as well as statements by Commission staff, "lead us to be concerned that the Commission may be preparing to implement a new regulatory scheme that would significantly impact Internet service providers and other web service providers." In his speech, Wheeler said that if the new paradigm doesn't work, "we must be ready" with "alternatives if it doesn't."

The letter also raised objections to little-noticed cybersecurity-related budget additions in the FCC's FY 2015 budget. "We also question why the FCC's Fiscal 2015 budget requested a substantial funding increase for cybersecurity activities, including funding for 'Big Data Cybersecurity Analytics and a Cybersecurity Metrics' program. While we support efforts to ensure that the Commission's internal systems are secure from cyber-attack, these initiatives appear to be outward, or industry, facing."

The FCC's FY 2015 budget asks for $700,000 for a big data cybersecurity analytics program. In the budget the Commission states that "Big Data Cybersecurity Analytics will be a disruptive technology in the Cybersecurity arena, as traditional analysis and forensics techniques will be superseded by automation conveniences that reduce the burden of work on the analyst." The $700,000 is aimed at helping the FCC conduct root cause analysis, such as reverse engineering of malware found on computer networks.

The FY 2015 budget also asks for $575,000 for the metrics program referenced in the letter. The budget states that "FCC has initiated planning efforts to collect and analyze monthly metrics related to the cybersecurity threats addressed using data obtained from commercial sources," with the metrics to be provided to the Commission's newly formed Cybersecurity and Communications Reliability Division for analysis and baseline tracking.

Once that's done, the metrics program will be used to create a "Cybersecurity Dashboard" to "help the FCC track the ongoing progress of cybersecurity initiatives."

The appearance of the letter from Rogers and Pompeo indicates some level of concern among certain affected communications providers over Wheeler's new paradigm. Following last week's speech by Wheeler, some telco industry representatives expressed unhappiness over some of its statements, presumably those indicating that the FCC would need to see "demonstrably effective" results and metrics under the new paradigm, which they perceived as code for quasi-official monitoring and a possible precursor to regulatory action.

However, cable companies seemed warmer to the idea of the new cybersecurity paradigm. Comcast issued a statement supporting Wheeler's new approach. "Comcast will continue working with the Chairman, his fellow Commissioners, and the dedicated staff at the FCC to help achieve these important goals," Myrna Soto, senior VP and chief information and infrastructure security officer for Comcast Cable, said.
