NIST Framework Could Become a Useful Tool for Regulators (and Litigators), Cyber Lawyers Say


(Washington, DC)  The voluntary comprehensive cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February is already proving helpful to companies and could become a tool used by regulators. But it could also become a de facto requirement for organizations once it starts being cited by plaintiffs attorneys, a group of top cybersecurity law specialists said yesterday.

Speaking at a cybersecurity event hosted here by Bloomberg Government, Stewart Baker of Steptoe & Johnson said that the NIST framework could come into play with the impending wave of lawsuits surrounding cyber breaches.  "It’s a no-brainer for plaintiffs lawyers to say 'what do you mean you didn't even follow the government’s cybersecurity framework?'"

As expected (and feared by some industries) regulators could more heavily rely on the framework as a benchmark for good cybersecurity practices. "The other place we’re going to see the NIST framework used is as regulators [u]se the framework as a way of asking questions about what kind of security you have," Baker said, adding that it could become a kind of test as regulators implement various policies and rules.

"The thought of the SEC [Securities and Exchange Commission] becoming a regulator [in cybersecurity] is quite chilling," Donald Fagan of Covington & Burling said. It's probably more accurate to label it as a "precursor to a test," he said. "The framework can be used to determine whether we are acting reasonably," Ben Powell of WilmerHale said.

Right now few signals are coming out of government agencies that the NIST framework might morph from voluntary to mandatory. "The White House announced that they're happy with where the voluntary process is going…which surprised us a little bit," Jeff Greene, Senior Policy Counsel for Symantec said. "The framework at least for the foreseeable future will stay pretty much as voluntary as it can."

Symantec has already adopted the framework, albeit in a tailored fashion, Greene said. "We're actually using the NIST framework. We have found it useful internally."

Small businesses, though, have a difficult time adapting to the framework, according to Greene. "At the small business end [t]hey don’t have the in-house IT staff.  We have found that we have to talk to them in a one-pager document. We’re trying to distill it down in a way that we can talk to them about it."

Top Experts: C-Suite Execs Have 'Caught Religion' in Wake of Target Breach


(Washington, DC)  Given the high-profile ouster of Target's CEO in the wake of the retailer's massive data breach, cybersecurity has been--and should be--elevated to executive suites across corporate America, a string of top security experts said yesterday. Speaking at a day-long cybersecurity conference hosted by Bloomberg Government here, current and former top government and industry cyber specialists issued a wake-up call to business and critical infrastructure leaders that cybersecurity can no longer be relegated to the purely technical realm.

"Cybersecurity is foundational," Admiral Mike Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency said. "You must own this problem. This is just not your IT and computer people. You have to own this problem as a leader."

"This is becoming a CEO issue," Lou Von Thaer, President of the National Security Sector of Leidos, said. "We are being asked by directors all the time to be briefed," Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike said. "I hear all the time from the board members…they actually think the IT people are purposively speaking in gibberish so they cannot be subjected to oversight."

Although litigation and liabilities are the primary outcome of Target-like breaches, the challenge of handling a huge, complex crisis might be the bigger reason that executives are suddenly paying attention. "In some respects the greatest liability risk is not a legal one but a crisis management one," Donald Fagan of Covington and Burling said. "It is the Target issue…that has caught the attention of many businesses out there. They’ve caught religion"

Target may be the poster child for the massive damage that can ensue from a cybersecurity breach, but the company did most things right when it came to cybersecurity. Target would have received a high grade in terms of how well it followed the cybersecurity framework issued by the National Institute of Standards and Technology earlier this year, Stewart Baker of Steptoe & Johnson said.  "They just didn't respond to the overwhelming number of alerts they got."

"People have to understand how good a company Target is when it comes to cybersecurity," Michael Leiter, Senior Counselor to the CEO of Palantir Technologies said. "That means there really is no company that doesn't face this as a business risk."

Twitter Delicious Facebook Digg Stumbleupon Favorites More