Sometimes it is difficult to determine whether the federal government is genuinely interested in assisting the private sector in solving problems or is simply interested in assuming additional authority over the private sector. In the case of cybersecurity, it appears that the government is united in its support of strengthening security against criminal hackers and especially state-sponsored hackers. The issue does not belong to either party but is the concern of both major parties. According to one article, a poll among defense leaders across the military, national security policy, the defense industry and congressional staffs found that the top security threat to the United States was cybersecurity, among both Democrats and Republicans (Herb, 2014). Americans understand that cybersecurity is now a critical aspect of national security. The problem is that much of our national critical infrastructure is tied to the Internet and exists outside of direct government oversight, though the government does maintain some oversight of certain industries through regulations.
On February 12, 2014, the federal government, through the National Institute of Standards and Technology, released the Framework for Improving Critical Infrastructure Cybersecurity. The development of this framework was driven by Presidential Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", which directed enhanced security and resilience of the Nation's critical infrastructure and the maintenance of an improved cybersecurity environment (National Institute of Standards and Technology, 2014). The development was based on collaboration between the federal government and private industry, in the hope that the result would encompass private sector concerns and be more easily adoptable by organizations in industry. The framework can mostly be displayed in a spreadsheet. That spreadsheet would consist of a column of five core functions, which are then subdivided into categories (similar to NIST 800-53 security controls) and subcategories (similar to NIST 800-53 sub-controls). The spreadsheet also contains a limited mapping to other security models and is intended to be a best-practices model that can be easily adopted by industry. There are a few other components of the framework, including the Framework Implementation Tiers, which are primarily concerned with allowing an organization to be rated (or to rate itself) against four tiers ranging from Partial (Tier 1) to the most advanced tier, Adaptive (Tier 4). The final component is the Framework Profile, in which organizations develop a profile based on their industry, business and information security needs in light of what the Framework provides.
Adoption of the new framework has been ongoing since its creation, though it has yet to be widely adopted. One article noted that some critical infrastructure companies in banking have begun proactively adopting the framework (Raysman & Morris, 2014). Of note is that the banking industry is already highly regulated when it comes to cybersecurity, under the Gramm-Leach-Bliley Act (GLBA) among others, meaning that such an organization is likely voluntarily incurring additional costs for implementing and tracking compliance with this voluntary framework on top of other regulations that are currently mandatory. Another article noted that security mainstay Symantec Corporation has already proactively adopted the framework into its security practices (Jackson, 2014). The article goes on to note that some see the framework as a semi-coercive attempt to begin regulating cybersecurity in industry and that it is not widely adopted at this point. One could hardly fault industry for its concerns about governmental reach into industry, even though the framework was developed with industry participation, given the widely panned overreach of the NSA based on a flawed interpretation of the Patriot Act, among other revelations of NSA and governmental activities. Still, some companies have proactively begun adopting the framework; whether for liability purposes, as noted by Jackson (2014), or out of genuine concern over cybersecurity is not known. It is expected that adoption will be uneven in industry, as the bottom line, along with estimates of any resultant liability for non-compliance with a voluntary framework, will drive most industry decisions on adoption or non-adoption of the framework.
The Framework for Improving Critical Infrastructure Cybersecurity is currently on version 1.0, and it is understood that updates will be coming (Jackson, 2014). How long will it be until some critical infrastructure is hacked and the resultant uproar points to the inevitable new laws to bring order to the chaos? In our highly connected country with its 24-hour news cycle, outrage over various events spreads quickly across the country, most recently the murders in Atlanta and the actions that followed from the resultant pressure. This is not to say that this model of interaction is either good or bad, but to acknowledge that it is simply the way our society works at present. What it portends is a reaction across the US among citizens, government officials and elected officials that would be predisposed towards a national response, which would then necessitate a governmental takeover of responsibility for, or strict oversight of, cybersecurity for all critical infrastructures. With the existing Framework for Improving Critical Infrastructure Cybersecurity already in place and partially adopted by industry, the only logical step would be a new law mandating its implementation across all associated industry.
Works Cited

Herb, J. (2014, January 6). Poll: Cybersecurity Top National Security Threat. Retrieved July 10, 2015, from thehill.com: http://thehill.com/policy/defense/194475-poll-cybersecurity-top-national-security-threat

Jackson, W. (2014, April 21). Protecting Critical Infrastructure: A New Approach. Retrieved July 10, 2015, from informationweek.com: http://www.informationweek.com/government/cybersecurity/protecting-critical-infrastructure-a-new-approach/d/d-id/1204577

National Institute of Standards and Technology. (2014, February 12). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved July 10, 2015, from nist.gov: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Raysman, R., & Morris, F. (2014, December 18). CIOs Ignore the NIST Cybersecurity Framework at Their Own Peril. Retrieved July 10, 2015, from blogs.wsj.com: http://blogs.wsj.com/cio/2014/12/18/cios-ignore-the-nist-cybersecurity-framework-at-their-own-peril/