The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Reactions to NIST’s Final Cybersecurity Framework – The Good and the Bad (but no ugly)


On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). Issuance of the Framework was required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), aimed at increasing the overall resilience of U.S. critical infrastructure, which is highly dependent upon cyber systems.

Businesses and industry groups have lauded the NIST effort for providing a:

  • Highly inclusive and collaborative approach. When developing the Framework, NIST (1) engaged with over 3,000 individuals and organizations, working with them to identify and discuss current cybersecurity standards, best practices and guidelines; and (2) received over 200 responses, many of which were comprehensive reports, to its Request for Information. This approach will be continued as NIST solicits feedback for future updates and iterations of the Framework. One would also expect further collaboration and communication between industries and government, and among businesses, via the Critical Infrastructure Cyber Community C³ (“C Cubed”) Voluntary Program, established as a partnership between the Department of Homeland Security (DHS) and the critical infrastructure community to help promote implementation and awareness of the Framework.
  • Common cybersecurity language. According to Tom Gann of McAfee, the Framework provides, for the first time, a common language for technologists, executives and board members to communicate and make appropriate risk-based decisions. “This is important in and of itself, because C-suite executives can’t manage risk if they don’t explicitly understand what the risks are.” [1]
  • Useful tool. The Framework has also been praised for providing organizations with a tool that allows them to get an honest picture of where they are from a security perspective, as well as to identify what they want their security program to look like. According to McAfee’s Gann, “The delta between the two provides a means to identify a roadmap for improvement… and communication.”
  • Flexible approach. The Framework avoids a one-size-fits-all approach, recognizing that organizations will continue to have unique risks, including different threats, vulnerabilities, and risk tolerances, and that they will vary in how they implement the Framework. By employing an approach based on principles and best practices, the Framework is applicable to organizations regardless of size, degree of cybersecurity risk or sophistication. Additionally, it makes sense of the current panoply of approaches to cybersecurity by organizing and structuring the standards, guidelines, and practices that are working effectively in industry today.

At the same time, business and industry groups have leveled some strong criticism at NIST and the Framework for several reasons, including:

  • Threats are largely ignored. One industry pundit, Bob Gourley, has harsh words for NIST: “By ignoring the prodigious threats we face and the threat information functions organizations should put in place NIST has shown an incredibly high naivete, with the result being a framework unable to improve critical infrastructure cyber security.” [2]
  • Cloud risks are dismissed. There is no attempt to address cloud-related risks. In fact, the word “cloud” is mentioned only once in the entire Framework, and only by way of an example. Such neglect seems foolhardy in light of Forrester Research’s prediction that cloud will take off in 2014 as it is integrated into existing IT portfolios and becomes a de facto way of doing business. [3]
  • Economic realities are not addressed. The Framework in no way addresses how to establish a cybersecurity program that is cost-effective or supported by economic incentives. Cybersecurity programs are not cheap, and this oversight will have real consequences for companies struggling to get a program off the ground or to strengthen an existing program. Internet Security Alliance President Larry Clinton cautions, “If we don’t make real progress in these areas quickly all the work that went into developing the NIST framework will go to waste.” [4] A voluntary program that doesn’t account for economic reality will quickly find itself with no volunteers.
  • Too simplistic. The Framework is presented in such an elementary, high-level format that it is unlikely to be of any use to sophisticated companies already employing robust cybersecurity defense programs. At the same time, because it is voluntary, it is unlikely to compel less sophisticated companies without a program to adopt the Framework.

Given NIST’s collaborative and inclusive approach to developing the Framework and its continued solicitation of feedback, there seems to be reason for hope that the criticisms leveled against the current Framework will eventually be addressed.

Author: Rebecca H. Davis

Asst. General Counsel, Wal-Mart Stores, Inc., Corporate Affairs and Government Relations
