(Washington, DC) The National Institute of Standards and Technology (NIST) kicked off yesterday the first of series of workshops aimed at creating an overarching cybersecurity framework for all critical infrastructure industries as directed under President Obama's cybersecurity executive order issued in February. Although the impressive line-up of speakers generated little in the way of new information or insight into what the ultimate framework might look like, the gathering of a wide range of cybersecurity technology, policy and legal experts across a number of industries did serve to reiterate important messages about how to think about cybersecurity.
First, it's obvious that cybersecurity is crucial to virtually every activity underpinning society. "We ought to take security in cyberspace as much for granted as we do in using cyberspace in our everyday lives," Jane Holl Lute, Deputy Secretary at DHS said.
Secondly, we will never find a single solution that solves all cybersecurity problems. The best approach is an ongoing strategy to prevent, protect and respond when threats arise. "There is no silver bullet," Russell Schrader, Chief Privacy Officer, Visa said.
Third, because no single solution exists, any framework must be flexible and adaptable. "There is no way you can prepare in advance a template that can protect against the unknowns," Robert Mayer, VP of Industry and State Affairs at US Telecom said. "Whatever framework we ultimately settle on, it's going to have to be a living framework," Paul Nicholas, Senior Director, Global Security Strategy and Diplomacy at Microsoft said.
Finally, information-sharing is crucial. "The vast majority of what you need to know about threat is already out there. It's just badly distributed," Tony Sager, Director of the SANS Institute said.
The elephant in the room was whether NIST can achieve anything approaching a useful framework that covers 16 diverse critical infrastructure industries within 240 days as stipulated under the EO. The consensus among the attendees I spoke with is that given the timeframe, the complexity of the issues and the diversity of the industries covered, the best that NIST can hope for is a generic outline of principles or concepts, which may or may not push the cybersecurity ball forward very much.
One participant in the NIST working group that produced cybersecurity guidelines for cloud computing said that NIST is aiming for the impossible with this effort. That may not matter another cybersecurity specialist said because the administration is really banking on Congress to step in soon enough with comprehensive cybersecurity legislation that produces more effective requirements and information-sharing capabilities.
Whether the ultimate framework proves useful, the workshop seemed to serve as an effective gathering for cross-pollinating ideas and for networking among cybersecurity professionals who otherwise might never meet. In that sense, the information sharing has already begun.
Other reports from the workshop are worth a read. Check out Andy Bochman's write-up here. Grant Gross takes a policy perspective in this piece. And Brian Fung has this post from the event about how Northrup Grumman spearfishes its own employees to teach them important lessons.