The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Reactions to NIST’s Final Cybersecurity Framework – The Good and the Bad (but no ugly)

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). Issuance of the Framework was required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), aimed at increasing the overall resilience of U.S. critical infrastructure, which is highly dependent upon cyber systems.

Businesses and industry groups have lauded the NIST effort for providing a:

  • Highly inclusive and collaborative approach. When developing the Framework, NIST (1) engaged with over 3,000 individuals and organizations to develop the Framework, working with them to identify and discuss current cybersecurity standards, best practices and guidelines; and (2) received over 200 responses, many of which were comprehensive reports, to its Request for Information. This approach will be continued as NIST continues to solicit feedback for future updates and iterations of the Framework. Also, one would expect to see further collaboration and communication between industries and government, and among businesses via the Critical Infrastructure Cyber Community C³ (“C Cubed”) Voluntary Program established as a partnership between the Department of Homeland Security (DHS) and the critical infrastructure community to help promote implementation and awareness of the Framework.
  • Common cybersecurity language. According to Tom Gann of McAfee the Framework provides, for the first time, a common language for technologists and executives and board members to communicate and make appropriate risk-based decisions. “This is important in and of itself, because C-suite executives can’t manage risk if they don’t explicitly understand what the risks are.” [1]
  • Useful tool. The Framework has also been praised for providing organizations with a tool that allows them to get an honest picture of where they are from a security perspective as well as identify what they want their security program to look like. According to McAfee’s Gann, “The delta between the two provides a means to identify a roadmap for improvement… and communication.”
  • Flexible approach. The Framework avoids a one-size-fits-all approach, recognizing that organizations will continue to have unique risks, including different threats, vulnerabilities, and risk tolerances, and that they will vary in how they implement the Framework. By employing an approach based on principles and best practices, the Framework is applicable to organizations regardless of size, degree of cybersecurity risk or sophistication. Additionally, it makes sense of the current panoply of approaches to cybersecurity by organizing and structuring the standards, guidelines, and practices that are working effectively in industry today.

At the same time, business and industry groups have leveled some strong criticism at NIST and the Framework for several reasons, including:

  • Threats are largely ignored. One industry pundit, Bob Gourley, has harsh words for NIST: “By ignoring the prodigious threats we face and the threat information functions organizations should put in place NIST has shown an incredibly high naivete, with the result being a framework unable to improve critical infrastructure cyber security.” [2]
  • Cloud risks are dismissed. There is no attempt to address cloud-related risks. In fact, the word “cloud” is mentioned only once in the entire Framework, and only by way of an example. Such neglect seems foolhardy in light of Forrester Research’s prediction that cloud will take off in 2014 as it is integrated into existing IT portfolios and becomes a de-facto way of doing business. [3]
  • Economic realities are not addressed. The Framework in no way addresses how to establish a cybersecurity program that is cost effective or supported by economic incentives. Cybersecurity programs are not cheap and this oversight will have real consequences for companies struggling to get a program off the ground or strengthen a currently existing program. Internet Security Alliance President Larry Clinton cautions, “If we don’t make real progress in these areas quickly all the work that went into developing the NIST framework will go to waste.” [4] A voluntary program that doesn’t account for economic reality will quickly find itself with no volunteers.
  • Too simplistic. The Framework is presented in such an elementary, high-level format that it is unlikely to be of any use to sophisticated companies already employing robust cybersecurity defense programs. At the same time, because it is voluntary, it is unlikely to compel less sophisticated companies without a program to adopt the Framework.

Given NIST’s collaborative and inclusive approach to developing the Framework and its continued solicitation of feedback, there seems to be reason for hope that the criticisms leveled against the current Framework will eventually be addressed.


NIST Updates Proposed National Cybersecurity Framework

As noted earlier on this blog, President Obama issued a sweeping Cybersecurity Executive Order in February, which called for the development of a national cybersecurity framework to mitigate risks to federal agencies and critical infrastructure. On October 22, the National Institute of Standards and Technology (NIST) published a Preliminary Cybersecurity Framework, which is a revision to their Draft Cybersecurity Framework published in August. The preliminary framework is the result of a series of public workshops and input from more than 3,000 individuals and organizations on standards and best practices.

According to NIST Director Patrick Gallagher, the goal of the NIST framework is to “turn today’s best [security] practices into common practices,” and to create a set of security guidelines for businesses to protect themselves from evolving cybersecurity threats. Adoption of the NIST framework, however, would be voluntary for companies, since NIST is a non-regulatory agency within the Department of Commerce.

Despite the voluntary nature of the framework, it has received a fair measure of criticism from businesses concerned that these standards will increase negligence liability once regulatory agencies establish requirements based on these standards. It is likely that courts will rely—at least in part—on any such standards to help define what “reasonable” cybersecurity measures are.

This concern is not without merit. Courts have struggled with the definition of reasonable cybersecurity, and these struggles have taken on greater urgency as questions about the vulnerability of the nation’s critical infrastructure and the protection of private information arise. The principal problem with this question is the moving target that “reasonable security” presents to businesses and individuals. In order to address some of these questions, NIST has published standards such as the Security and Privacy Controls for Federal Information Systems and Organizations, the final revision of which was released in April. Other sources, such as the Uniform Commercial Code, also make attempts to address reasonable security, but their language is too often frustratingly vague.

In an effort to address some of these concerns, the preliminary framework has increased the flexibility of its standards. For example, NIST has removed use of the word “should” from the updated draft, and added a paragraph that gives organizations greater options in their security implementations:

Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.

On the other hand, privacy groups have objected to the framework’s lack of requirements, and have called for protections for civil liberties as well as a commitment to civilian control of cybersecurity. Advocacy groups have also questioned reports that the National Security Agency (NSA) has directed NIST to reduce key security standards. NIST has not yet commented on any NSA involvement in the development of the framework, but has initiated an internal audit to review its own method for guidance development.

On October 29, NIST opened a 45-day public comment period, with plans to release the final version of the framework in February 2014. NIST will also host a workshop to discuss the state of the framework at North Carolina State University on November 14th and 15th. While it is unlikely that every stakeholder group will be completely satisfied with the final version of the framework, a strengthening of the nation’s critical infrastructure in the form of mutually agreed-upon, reasonable standards will surely be welcome.


Privacy – Transparency and the Push to Convert the U.S. Government to the “Cloud”

Have you thought about how many government agencies are transitioning to cloud computing, and what that means for privacy concerns? The White House released a “25 Point Implementation Plan to Reform Federal Information Technology Management” in December 2010 that advocates a shift to a “cloud first” policy for all agencies. This is after the GAO observed in June 2010 that although “OMB launched a cloud computing initiative in 2009” it “does not yet have an overarching strategy or implementation plan.” The OMB IT Dashboard suggests that numerous federal agencies (perhaps over 100) are pushing to build in cloud computing functions, including the General Services Administration and the Department of Health and Human Services.

In contrast to the hype surrounding the cloud, NIST’s recently published draft Guidelines on Security and Privacy for government use provides detailed commentary on key cloud computing concerns, including: cloud system complexity; the shared multi-function environment; and internet exposure that increases vulnerability to internet attacks such as botnets. Notably, NIST reported that although the city of Los Angeles made news in 2009 (see, e.g. articles here, here, and here and mention in this report) when it announced it was shifting its email servers to Google’s cloud, the system has not lived up to the hype. As of early 2011 the city was running both its legacy and the cloud systems – hardly a model of cost-efficiency. The police functions had not been successfully outsourced because of security concerns, and the report stated that Los Angeles will have to shut down the operation in June 2011 if the situation isn’t resolved. Could Los Angeles be the canary in the coal mine showing that “cloud first” may not result in dramatic cost savings?

Perhaps most troubling is the loss of control over data. According to the draft NIST report, “a characteristic of many cloud computing services is that detailed information about location of the data is unavailable or not disclosed to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.” Translation: outsourcing data to the cloud means that organizations (including the US government) often won’t know, or have any control over, where that data is stored or transferred, despite state and federal laws prohibiting transfer of data overseas. Enabling third party service providers to dictate where data flows may not be worth whatever cost-savings may be generated by the new “cloud first” policies.