Wednesday marked the halfway point in the development of the nation’s first-ever cybersecurity framework for critical infrastructure.
The National Institute of Standards and Technology is leading that effort called for in President Barack Obama’s February Executive Order by bringing together industry and other private sector experts.
Obama’s order gave NIST 240 days to release the first version of the framework, which is intended to be a continuously evolving, voluntary, baseline set of standards and practices to help safeguard the nation’s critical infrastructure from attack.
So far in the first 120 days, NIST has held two public workshops and gathered more than 200 responses to its request for information on the framework process.
Patrick Gallagher, NIST’s director, said industry input will determine what the preliminary version of the product looks like when it’s released this fall.
“We use the word ‘framework’ as a term of art, but the idea is very simply to get industry to develop whatever it would take that, if implemented, would result in enhanced cybersecurity performance,” he said during a Senate Appropriations Committee hearing on cybersecurity Wednesday. “That would include a large measure of standards.”
The power to shape technologies
But Gallagher said industry needs to lead the standard-setting process. He said collectively, private sector companies have the capacity to understand what needs to be done on an ongoing basis. NIST, on the other hand, as a relatively small agency, does not. “Industry’s the one developing IT technology, and they know where it’s going. The Internet is a global infrastructure and these companies operate at a global scale. By embedding security performance into the products and services themselves, we can embed these improvements in the market and that gives our companies the power to shape those technologies around the world,” he said. “This is going to be an ongoing challenge, but the bottleneck can’t be NIST. We are simply not large enough to support this on our own. Our role really has to be helping industry come up with a vehicle where they can organize and be responsive to this. That’s the only way sufficient technical capacity can be brought to bear.”
In its initial analysis of the industry input it’s gathered so far, NIST says it’s identified several common themes.
Among them, respondents overwhelmingly said the framework should encourage critical infrastructure providers to take a cybersecurity approach that’s organized around risk management rather than rigid compliance. Also, respondents said the framework needs to take into account that many of the companies involved are multinational firms subject to international standards, and that the framework needs to be flexible enough to work across multiple sectors of the economy.
Gallagher said making the framework flexible will be a key determinant of whether it’s actually adopted and used by industry.
“How generic or how sector-specific this framework looks is actually the exact question the participants in the framework are tackling,” he said. “The good news is that in spite of the strong differences across sectors, they’re all dependent on a core set of communication and IT technologies. One of the big advantages they have in all working together is that they can drive that performance into the market. They can then buy these IT services and IT equipment at a lower cost because they’re helping to define the market. I think the bottom line is that doing good cybersecurity has to become good business. These framework processes have to be compatible with profitable and well-run companies, and it may very well turn out that the framework’s more about management and business practices than it is about technical controls, and that’s OK if it helps us achieve the level of performance we’re looking for.”
Lawmakers turn away from cyber
Gallagher’s testimony highlighted one of the many tasks the White House directed agencies to take under the executive order, but it mostly was an aside during the hearing. Given current headlines, the bulk of the senators’ attention went to the classified NSA surveillance programs that were revealed by the now-former NSA contractor Edward Snowden.
In the wake of those revelations, Gen. Keith Alexander, NSA’s director and commander of the U.S. Cyber Command, told senators it’s time for his agency to reassess the way it uses contractors in its intelligence operations.
“I have grave concerns over the access that he had, the process we did, and those are things I have to look into and fix from my end,” he said. “I would point out that in the IT arena, some of these folks have tremendous skills to operate networks. That was his job for the most part. He had great skills in that area, but we have to go back and look at these processes, the oversight, where they went wrong and how we fix those.”
In an interview with The Guardian, Snowden claimed that as a system administrator, he had data access that most intelligence analysts did not, including the ability to wiretap virtually any American’s phone conversation.
JIE could solve some problems
Alexander said that’s not true, and he knows of no way for any NSA worker to do what Snowden claimed. But he said it is true that he would have had greater access to data than most NSA employees.
“The administration of that IT infrastructure was outsourced about 14 years ago. Not just us, but many others in government. As a consequence, we have system administrators who are contractors working and running our networks,” he said. “They don’t have total visibility to the network, but in this case, this individual had access to key parts of it. That’s of serious concern to us and something we have to fix.”
Alexander said the Defense Department’s envisioned transition to a future network infrastructure it terms the Joint Information Environment could solve some of the challenges.
“That is a huge step in the right direction,” he said. “Cloud security and encrypting data are things that we can and should do. But that’s going to take time and a significant effort, I don’t want to mislead you. I wish we had it, and I wish we could go back in time.”