NIST's Gallagher: Framework Implementation Falls to Companies, Not DHS


The implementation responsibilities for the cybersecurity framework developed and released last week by the National Institute of Standards and Technology (NIST) now fall into the hands of the critical infrastructure companies and operators, Patrick Gallagher, the head of NIST, said today at a Brookings Institution event.  Despite the fact that many activities surrounding the framework now shift from NIST to the Department of Homeland Security (DHS) under the cybersecurity executive order issued by President Obama last year, "I actually don't view the implementation responsibilities passing to DHS," Gallagher said.

"I think it’s important to keep in mind that there are three things happening here.  One is that the framework process continues and NIST continues to act as a convener so nothing has changed on that front at all."

"What DHS is doing is establishing a voluntary program that is there to support and promote adoption," he said.  "The most powerful force driving adoption are the companies themselves. This is not just about what you do internally. [I]t’s about your relationship with your vendors, your suppliers, your supply chain, the other companies you work with in your sector.  Those are actually more powerful than anything we've been discussing" [on the government side].

But the federal government, and NIST itself, will continue to play a key role in shaping further changes to the framework, although NIST has not yet announced a revision schedule for the framework.  "What we've done is deliberately create a bit of a pause…for the very reason that we don’t want to get in the way of the adoption piece. We really want companies to use this and we want the [revision] process to be informed by companies that are using the framework," Gallagher said.

And Gallagher hinted that NIST might continue to play a major role in the framework's application and development by pointing to the Smart Grid Interoperability Panel (SGIP), a non-profit organization which facilitates the use of NIST-developed smart grid standards, as a potential model for the cybersecurity framework's governance.   "How do we set up a governance scheme where all these different companies can work together and turn this into an ongoing routine process?" he asked.

"In smart grid, the SGIP was put together because the stakeholders felt there wasn't an existing organization that could facilitate the process," Gallagher said, implying that perhaps such an organization could be developed for the cybersecurity framework.  NIST is extensively involved in the management and activities of the SGIP.

NIST Cybersecurity Framework Webinar Speakers Announced - Register Now for Thursday's Event


As I mentioned late last month, DCT Associates has teamed with the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), the private/public center for knowledge sharing regarding industrial control system (ICS) cybersecurity, to host a webinar on what cybersecurity practitioners need to know now about the cybersecurity framework developed by the National Institute of Standards and Technology.

The webinar is slated to begin at 1 pm EST on Thursday, February 20th and so far well over 100 people have signed up to find out what they need to know now about this unprecedented cybersecurity blueprint.

We've got a great line-up of speakers for this event, including:

  • Adam Sedgewick, Senior Information Technology Policy Advisor, NIST
  • Matthew Light, Cybersecurity Specialist, ES-ISAC at North American Electric Reliability Corporation
  • Kevin M. Morley, Ph.D., Security & Preparedness Program Manager, American Water Works Association
  • Kent Landfield, Director, Content Strategy, Architecture and Standards, McAfee Labs
Find out more about the event or just register today.  It's free and it's a chance to get a leg up on what promises to become the foundation for cyber protection initiatives across all industries and throughout the government.

Comcast-TWC Broadband Reach Could Be Twice That of Nearest Rival AT&T



For many years I spent my days endlessly examining the broadband marketplace, so when Comcast announced its deal to buy Time Warner Cable (TWC), I instinctively knew that the numbers would put Comcast very far above its nearest terrestrial rival once (and many say if) the merger is completed.  Om Malik thinks the deal was entirely driven by Comcast's desire to scoop greater market share in the high-speed Internet arena and he's right to the extent that broadband is the future of pretty much all of communications - Internet, television, mobile.

But as Comcast executives said during their analyst call to announce the deal, the merger comes down to money - a combined Comcast-TWC will yield lower costs, higher margins and greater efficiencies across the board, including in the purely high-speed arena.  Still, looking at the numbers from the end of Q3 2013 (see chart), Comcast and Time Warner combined had nearly twice the high-speed Internet customers of the second largest terrestrial broadband company in the U.S., AT&T, 31.33 mil. compared to 16.43 mil.

Even if Comcast sheds millions of those high-speed customers when it divests itself of some TWC systems serving approximately three million video customers, as the company says it would do to stay under regulatory concern caps, it would still be about 75% larger than AT&T.


From a market share perspective, a combined Comcast-TWC would reach 38% of U.S. terrestrial high-speed customers, almost double that of AT&T and well over three times that of Verizon, the third largest provider of terrestrial high-speed service in the U.S.

Despite this prospect, Comcast will still be pretty small in comparison to the world's two top wireline broadband providers.  China Telecom currently serves 90 million wireline high-speed customers while China Unicom has 63 million broadband customers.  But it looks like Comcast could top NTT, which only has around 20 million wireline broadband customers.

The NIST Framework is Out the Door. So What's Next?



Industry and government alike have praised the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). So, what happens next?

As I describe in my latest piece for CSO Magazine, the ball is now in the court of the Department of Homeland Security (DHS), which promises it will carry on in the spirit of openness which served NIST so well. NIST, however, won't ride off into the sunset anytime soon - it will act as a "convener" until DHS and the sector specific agencies take over the framework's implementation.

For more, check out the article.

And mark your calendars for a webinar on the cybersecurity framework that DCT Associates is hosting with the ICS-ISAC on February 20 at 1pm EST.  It's free and will hit the high points of what you need to know about the framework.

Government, Industry Embrace NIST Cybersecurity Framework


One year to the day since it was first assigned the challenge, the National Institute of Standards and Technology (NIST) today released its final version of a framework for improving critical infrastructure cybersecurity.  President Obama, whose February 2013 executive order mandated that NIST formulate the framework, praised the collaboration that went into the effort, citing all the work by public and industry participants as "a great example of how the private sector and government can, and should, work together to meet this shared challenge."

Although the framework itself consists of multiple and complex parts, and references hundreds of existing standards and practices, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, boiled it down to its basic elements at a White House-organized event with top government and industry executives. "It provides, for lack of a better phrase, a common language to discuss cybersecurity. The framework core is really a set of common cybersecurity activities that [e]very organization should carry out in order to minimize cyber risks."

Another element of the framework, its profiles feature, helps "organizations to align what they’re doing with their own business requirements."  The final essential element, the tiers of implementation, "will allow companies to identify how well they’re doing to develop their own risk management practices," Monaco said.

Department of Homeland Security (DHS) Secretary Jeh Johnson officially unveiled the name for the DHS program that will continue refining the framework and promote its use among critical infrastructure asset owners.  The Critical Infrastructure Cyber Community (C3 or C-Cubed) Voluntary Program will give asset owners direct access to cybersecurity experts in DHS for advice and assistance in the event of a cyber attack or simply to provide guidance to organizations as they evaluate their cybersecurity strengths and weaknesses.

Joe Rigby, CEO of electric utility Pepco, praised the framework for providing a blueprint for his industry, which still is grappling with the challenges of cybersecurity.  "Our industry is actually pretty good at restoring power," he said.  But "we haven’t built the muscle yet for responding to cybersecurity.  We’ve been thinking about this for ten years but we’ve been acting on it for four or five years."

Telecom companies, on the other hand, have been forced by the market to stay apace with cyber developments.  "We unfortunately live, eat and breathe this," AT&T CEO Randall Stephenson said.  "It’s obviously just central to what we do.  Nobody has got this thing licked.  We think we’re pretty good at it but you’re only as strong as your weakest link."

The real benefit for AT&T will be in extending this "minimal" level of cybersecurity efforts to the company's supply chain and service providers.  "When you have all this interconnectedness [t]he weakest connection to your network is obviously an exposure point to your network. We look at this as a good piece of work but we view it as a minimum level."

As DHS continues to work on developing incentives for companies to use the framework, the focus should be on small companies that don't devote the effort to cybersecurity that large, well-financed players do, Marilyn Hewson, CEO of Lockheed Martin said.  "To the extent that we can look for incentives for the smaller and medium sized companies, that’s what we should do."

President Obama and virtually all of the government and industry officials stressed the need for congressional legislation to clear away the legal impediments that currently discourage cybersecurity information-sharing.  "I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties," he said in his statement.

"One of the key elements that makes this [framework] viable in the long run is information sharing," AT&T's Stephenson said.  "There needs to be very robust protection and indemnification in place.  If you don't have those in place, it's all for naught."

Note: I will write a more in-depth piece on the framework's release as part of my series for CSO Magazine. Stay tuned.

NIST Official: Won’t Be Many Surprises in Cybersecurity Framework Release on Wednesday


(Washington, DC)  The National Institute of Standards and Technology (NIST) will release on Wednesday its final version of a comprehensive cybersecurity framework mandated by President Obama’s February 2013 cybersecurity executive order, with the final version containing few surprises, a NIST official said yesterday.  “Hopefully there won’t be many surprises,” Adam Sedgewick, NIST’s chief organizer of the framework process told attendees at the winter meeting of the National Association of Regulatory Utility Commissioners (NARUC) held here.

Since its fifth workshop on the framework in early November, NIST has fielded 2,500 separate comments on a preliminary version of the framework and posted a mid-January update on the changes the agency will incorporate as a consequence of the feedback.  The release of the framework at a White House event on Wednesday (with publication in the Federal Register on the 13th) comes exactly a year to the date following the executive order, an intensely compressed time frame given the magnitude of the topic.

“We went in without a net without thinking about what the framework would look like at the end of the day,” Sedgewick said.  Although the framework is “final,” NIST and government officials refer to it as the 'framework 1.0,' signifying the need for continued evolution as the framework is used by critical infrastructure owners. "From my perspective, there will always be more work to do on this issue.”

Once NIST puts the framework out, the Department of Homeland Security (DHS) will be primarily responsible for promoting its use, mostly through a public-private working group known as the voluntary program.  “The voluntary program will be our primary vehicle for promoting the framework,” Bob Kolasky, Director of Strategy and Policy, Office of Infrastructure Protection at DHS said.  “It is our key next step for how we're going to work with folks like you on how to use the framework.”

One critical infrastructure player, electric utility Pepco, already plans to change its procedures as a result of the framework, Susan Mora, Director of Federal Regulatory affairs at the utility said.  Specifically Pepco will reorganize its core cybersecurity functions to match those contained in the framework (which are Identify, Protect, Detect, Respond, and Recover).  Pepco has also volunteered to become one of the first utilities to which the framework will be applied.

Although the framework and the rest of the executive order are positive steps, a major stumbling block to better cyber protection is Congressional inability to pass a cybersecurity bill which would enhance information sharing among government entities and critical infrastructure owners, Mora said.  “I think the executive order is a great piece.  It checks box one which is standards and practices.  [But] there are other boxes that need work.  I can't tell you how disappointed I am on the information sharing front.”

State regulators play a key role in how the framework is used by utilities, primarily through the approval of cybersecurity expenses in public utility rate-making proceedings.  But “rate cases appear to be a dysfunctional pathway for appropriate cybersecurity,” industry consultant Andy Bochman told the utility commissioners in a presentation.  The adversarial culture surrounding the approval of rate increases can derail the reality of better cybersecurity, which both utilities and regulators seek as a shared goal.

Verizon PCI Report: Only 24% of Breached Organizations Compliant With Authentication Requirements


Verizon pre-released today its 2014 PCI (payment card industry) compliance report, which highlights the trends of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which merchants, banks, credit card processing and other institutions follow to ensure the security of their cardholders' data. The release of this report follows yesterday's revelation by Brian Krebs that Target's massive security breach likely stemmed from network credentials that were stolen from a third-party HVAC vendor, which had been given external network access.

As it turns out, the PCI DSS has an entire requirement (Requirement 8) devoted to identifying and authenticating users, and a particular sub-requirement (8.3) that covers remote access originating from outside the network, which is exactly the kind of access a third-party vendor such as Target's HVAC contractor would have had.  According to the Verizon report, only 24.2% of organizations that suffered a security breach in 2013 were compliant with Requirement 8 at the time of the breach.

The report states that over 80% of these breaches used single-factor username and password credentials and could have been avoided had two-factor authentication been used.  Two-factor authentication requires two independent factors from different categories to prove a user's identity: typically something the user knows (a password) plus something the user has (a hardware token, smart card or one-time-code generator), so that a stolen password alone is not enough to log in.  Requirement 8.3 of the PCI DSS does indeed require two-factor authentication for remote network access originating from outside the network, by employees, administrators and third parties alike.
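As an added illustration (not part of the original post, Verizon's report or the PCI DSS text), the following Python shows what Requirement 8.3 asks for at the code level: a remote-access login that succeeds only when a password and a time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP) both verify, so a credential stolen from a vendor is useless on its own. The account store, the `hvac-vendor` user, its password and the helper names are constructed for the example; the TOTP seed is the RFC 6238 reference secret so the codes can be checked against the RFC's published test vectors.

```python
"""Added example: two-factor (password + TOTP) check for remote vendor access.

Not from the page or from Verizon/PCI SSC. The account store, user name,
password and function names are constructed for illustration only.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current time step or one step either side
    (tolerates clock drift), comparing in constant time to avoid a timing oracle."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store (hypothetical). Each remote user carries a salt,
# a password hash and a per-user TOTP seed that is provisioned out of band.
_SALT = b"constructed-salt"
_SEED = b"12345678901234567890"  # RFC 6238 SHA-1 reference secret, used so output is checkable
VENDOR_ACCOUNTS = {
    "hvac-vendor": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse", _SALT),
        "totp_seed": _SEED,
    },
}


def authenticate_remote(username: str, password: str, otp, unix_time=None) -> bool:
    """Return True only when BOTH factors verify.

    A password alone (the stolen-credential pattern behind the Target breach)
    is rejected, as is a valid one-time code with the wrong password. Both
    factors are always evaluated so a failure does not leak which one was wrong
    through timing.
    """
    if unix_time is None:
        unix_time = int(time.time())
    acct = VENDOR_ACCOUNTS.get(username)
    if acct is None:
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, acct["salt"]), acct["pw_hash"])
    otp_ok = isinstance(otp, str) and otp.isdigit() and verify_totp(acct["totp_seed"], otp, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At unix time 59 the RFC 6238 vectors give TOTP "287082" (6 digits) for this seed.
    print(authenticate_remote("hvac-vendor", "correct horse", "287082", 59))  # True
    print(authenticate_remote("hvac-vendor", "correct horse", None, 59))      # False: password only
```

The `window` of one step either side is the usual compromise between usability and replay exposure; a production deployment would additionally record the last accepted counter per user so the same code cannot be reused within the window, and would rate-limit failed attempts against the six-digit code space.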

Still, the picture for the payment card industry overall is improving - 62.2% of companies covered in the report met all the demands of Requirement 8 in 2013, an increase of 39.6 percentage points on 2012.

