Identifying Gaps in Cyber FrameworkExperts Gather in Dallas to Refine Best Practices Guide
More than 500 industry and government representatives are gathering in Dallas this week to help shape the cybersecurity framework President Obama wants implemented by February. They're tackling a wide range of topics, including the role of cyber-insurance and how to apply the framework to a diverse range of industries.
This is the fourth and final workshop sponsored by the National Institute of Standards and Technology to help determine what should be incorporated into the framework, a compendium of IT security best practices that operators of the nation's critical infrastructure could voluntarily adopt. A preliminary draft of the framework will be issued in October, with the final version to be published in February, a year after Obama signed an executive order calling for it (see Obama Issues Cybersecurity Executive Order).
Because the government can't force the mostly privately owned critical infrastructure operators to adopt the framework, its drafters - who include industry and government experts - seek incentives to get buy-in from infrastructure operators.
Incentives, in cybersecurity framework parlance, are a wide range of offerings or conditions that promote adoption of the framework. Obama's executive order says incentives could include technical and public policy measures that improve cybersecurity without creating barriers to innovation, economic growth and the free flow of information.
One of the incentives expected to be included in the framework is cyber-insurance; it's seen as a way for infrastructure owners to mitigate risk. This week's workshop at the University of Texas at Dallas features an insurance panel with representatives from insurance carriers and brokers.
Obama, in his executive order, called on the departments of Commerce, Homeland Security and Treasury to recommend incentives to drive infrastructure operators to adopt the framework, and all three agencies saw a role for the insurance industry (see Cyber-Insurance: Not One-Size-Fits-All).
Adam Sedgewick, the NIST senior IT policy adviser who's coordinating the effort to create the framework, says the insurance industry provides a unique perspective on cybersecurity risk and how infrastructure operators could manage it. "The information they provide [could] make sure that the framework is something that can be picked up and used," Sedgewick says.
Earlier, the Commerce Department called for involving insurance carriers in developing the framework because they would bring extensive knowledge of the effectiveness of specific cybersecurity practices and could help evaluate specific proposed elements from this perspective. "The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber-risk reducing measures and risk-based pricing and foster a competitive cyber-insurance market," White House Cybersecurity Coordinator Michael Daniel says.
3 Primary Goals
Sedgewick says this week's workshop has three objectives: identify existing standards, elevate use of proven practices and determine gap areas within the framework. "What we'll be doing in Dallas is to validate that we got the list right," Sedgewick says. "If we're describing it right, we need to try to figure out the best way to address these things and determine if there are other priority gap areas that we should begin thinking more about."
According to a discussion draft prepared for the Dallas workshop, the gaps include authentication, data analytics, privacy and supply chain (see Cybersecurity Framework Discussion Draft Issued). Sedgewick says the framework will evolve even after it's formally issued in February.
Drafters of the framework are trying to avoid creating a static list of guidelines and practices that don't benefit anyone. "The approach that we have taken with the framework provides for a dynamic approach," Sedgewick says.
The framework will identify core functions and develop categories based on outcomes, giving critical infrastructure operators options on what practices to adopt. It will account for new technologies and standards to meet the needs of operators as their underlying infrastructures evolve. "In some ways," Sedgewick says, "I don't think their work will ever be done, and it will require keeping your eye on the ball and making sure we're really driving cybersecurity risk management further."
Risk vs. Security
Ralph Langner, the computer security researcher credited with cracking the Stuxnet code, contends the cybersecurity framework, as it's evolving, has two major flaws, including its reliance on the concept of risk. "Regardless of the popularity of risk parlance, risk-based approaches in ICS (industrial control systems) security lack empirical foundation, and the outcome of a risk assessment can be stretched in any direction," he writes in his blog.
Langner, a nonresident fellow with the Center for 21st Century Security and Intelligence at the Brookings Institution, also says implementation tiers in the framework would allow infrastructure operators to determine their own level of cybersecurity capability maturity. "An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF [cybersecurity framework]. The CSF allows any organization, no matter how good or bad at cybersecurity, to be CSF-conformant. It makes everybody happy - everybody, including potential attackers."
Langner contends that risk management decision making is often hampered by insufficient understanding of cybersystems and lack of cybergovernance, resulting in ineffective mitigation strategies. He offers his own approach for infrastructure operators dependent on industrial control systems. It's known as the RIPE Framework (RIPE stands for Robust Industrial Control Systems).
Sedgewick acknowledges that Langner raises questions that should be addressed at the Dallas conference.
"The goal of the concept of tiers is that there is no one-size fits-all approach," Sedgewick says. "Bringing in that concept - the theory of the maturity levels out there - would really allow an organization to initially think about cybersecurity as a safety culture, where at the lower level you're doing things to maintain some compliance. But, as you grow more advanced, cybersecurity really becomes ingrained in the culture of your organization."