(Pittsburgh, PA) Hundreds of top cybersecurity professionals gathered here at Carnegie Mellon University on May 29 for the second Cybersecurity Framework Workshop hosted by the National Institute of Standards and Technology (NIST). The workshop is part of NIST's effort to develop a comprehensive cybersecurity framework for critical infrastructure industries, as mandated under President Obama's February 2013 Executive Order. With the goal of producing a framework that can adequately stretch across all 16 critical infrastructure sectors by October of this year, NIST hired facilitators to lead three days of discussions across eight break-out groups organized along four tracks. According to NIST, the tracks correspond to the areas where "gaps" were identified in its review of the comments filed by numerous parties in response to its earlier Request for Information (RFI).
The four tracks are the "Business of Cyber Risk," "Threat Management," "Cybersecurity Dependencies and Resiliency" and "Progressive Cybersecurity: From Basics to Advanced Cybersecurity." I participated in the first three tracks and spent some time talking to my fellow break-out group members, to attendees of other break-out groups, and to some of the NIST organizers and track facilitators. Based on all this, here are the top takeaways so far:
1. The process is well-organized, although the substance seems to be lacking: the NIST organizers get high marks for a well-coordinated workshop, but a recurring question is whether the open-ended nature of the break-out sessions has achieved anything so far. One of the facilitators told me that the soft nature of this first roll-up-your-sleeves workshop is intentional, in order to give all parties an opportunity to provide input; the next workshop, in California, will present an actual straw-man framework for the attendees to address.
2. Asset owners need stronger representation: although a good chunk of the 300 to 400 attendees are asset owners (mostly utilities and telcos, with a sprinkling of cable companies and financial institutions), the majority appear to be consultants or vendors. Several of the asset owner attendees have remarked that the break-out sessions are heavily tilted toward vendors, and that in the smaller groups within those sessions the ratio of vendors and consultants to asset owners can be five to one. This criticism harks back to the process NIST undertook when it developed interoperability standards for the smart grid, an oft-cited model for the current cybersecurity framework process. During the development of the smart grid standards, several utility representatives remarked that the process was vendor-driven and therefore of lower value to them.
3. Some of the topics veer outside the scope of cybersecurity: during my break-out session on dependencies and resiliency, for example, the facilitators widened the scope of the discussion to include all possible dependencies (including human capital, legal and contract-related requirements, and other issues). Some of the asset owners in the room balked at this wide scope, arguing that the process should stay narrowly focused on pure cybersecurity matters; as one of these participants said during my session, business practices should be outside the scope of NIST's investigations. A fear among some critical infrastructure owners is that the NIST process might someday lay the foundation for regulatory action, despite its current voluntary, public-private partnership approach. Thus the further the process strays from cybersecurity itself, the wider the potential regulatory field, or so some fear.
Whether NIST can develop a comprehensive framework that addresses cybersecurity in a meaningful way while keeping most business practices out of scope is an open question at this point. During the plenary session on the second day of the workshop, Bruce McConnell, Acting Deputy Under Secretary at DHS, said one of the goals of the framework is to "raise the level of conversation about cybersecurity...The conversation we've been having over the past 25 years has been a technical conversation. There is a gap between information technology risk and enterprise risk management."