One year to the date since it was first assigned the challenge, the National Institute of Standards and Technology (NIST) today released its final version of a framework for improving critical infrastructure cybersecurity. President Obama, whose February 2013 executive order mandated that NIST formulate the framework, praised the collaboration that went into the effort, citing all the work by public and industry participants as "a great example of how the private sector and government can, and should, work together to meet this shared challenge."
Although the framework itself consists of multiple and complex parts, and references hundreds of existing standards and practices, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, boiled it down to its basic elements at a White House-organized event with top government and industry executives. "It provides, for lack of a better phrase, a common language to discuss cybersecurity. The framework core is really a set of common cybersecurity activities that [e]very organization should carry out in order to minimize cyber risks."
Another element of the framework, its profiles feature, helps "organizations to align what they’re doing with their own business requirements." The final essential element, the tiers of implementation, "will allow companies to identify how well they’re doing to develop their own risk management practices," Monaco said.
Department of Homeland Security (DHS) Secretary Jeh Johnson officially unveiled the name for the DHS program that will continue refining the framework and promote its use among critical infrastructure asset owners. The Critical Infrastructure Cyber Community (C3 or C-Cubed) Voluntary Program will give asset owners direct access to cybersecurity experts in DHS for advice and assistance in the event of a cyber attack or simply to provide guidance to organizations as they evaluate their cybersecurity strengths and weaknesses.
Joe Rigby, CEO of electric utility Pepco, praised the framework for providing a blueprint for his industry, which still is grappling with the challenges of cybersecurity. "Our industry is actually pretty good at restoring power," he said. But "we haven’t built the muscle yet for responding to cybersecurity. We’ve been thinking about this for ten years but we’ve been acting on it for four or five years."
Telecom companies, on the other hand, have been forced by the market to stay apace with cyber developments. "We unfortunately live, eat and breathe this," AT&T CEO Randall Stephenson said. "It’s obviously just central to what we do. Nobody has got this thing licked. We think we’re pretty good at it but you’re only as strong as your weakest link."
The real benefit for AT&T will be in extending this "minimal" level of cybersecurity efforts to the company's supply chain and service providers. "When you have all this interconnectedness [t]he weakest connection to your network is obviously an exposure point to your network. We look at this as a good piece of work but we view it as a minimum level."
As DHS continues to work on developing incentives for companies to use the framework, the focus should be on small companies that don't devote the effort to cybersecurity that large, well-financed players do, Marilyn Hewson, CEO of Lockheed Martin, said. "To the extent that we can look for incentives for the smaller and medium sized companies, that’s what we should do."
President Obama and virtually all of the government and industry officials stressed the need for congressional legislation to clear away the legal impediments that currently discourage cybersecurity information-sharing. "I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties," he said in his statement.
"One of the key elements that makes this [framework] viable in the long run is information sharing," AT&T's Stephenson said. "There needs to be very robust protections and indemnification in place. If you don’t have those in place, it’s all for naught."
Note: I will write a more in-depth piece on the framework's release as part of my series for CSO Magazine. Stay tuned.