CIO

Adoption, privacy biggest topics as NIST cybersecurity framework nears February deadline

The National Institute of Standards and Technology (NIST) held a fifth workshop in Raleigh, North Carolina last week on the comprehensive, preliminary cybersecurity framework mandated under President Obama's February 2012 executive order, the last such gathering before the framework becomes final in February.


NIST's goals for this previously unscheduled workshop were to solicit further feedback from the hundreds of cybersecurity specialists, attorneys, policymakers and government employees in attendance and offer guidance on what lies ahead in applying and updating it.

Most of the attendees were pleased with how rapidly the framework, intended to improve cybersecurity across sixteen critical infrastructure industries, moved from concept to sophisticated model in less than a year. But a number of perceived problems still surround the framework's usefulness, applicability and scope.

The current version of the framework "is the culmination of a successful effort over the course of many months to identify the key issues and where there might be industry consensus," Robert Mayer, Vice President of Industry and State Affairs at the telecom trade association US Telecom, said. But, he added, "it's still clear that several major issues require additional clarification, including the definition of adoption, the availability of incentives and the criteria for measuring success."

The issue of what constitutes adoption of the framework, and the related question about what incentives will be available for adopting it, have been identified throughout the development process as potential drawbacks to ensuring that the framework achieves its intended purpose. There are no bright lines that define adoption in the existing version of the framework, which some critical infrastructure owners say suits them just fine.

"From my perspective the framework should be used as a guideline," Chris Boyer, Assistant Vice President, Global Public Policy at AT&T, said during a panel discussion. "Ultimately the adoption should be left up to the owners and operators of critical infrastructure."

Still, "it's just not clear what it means to adopt the framework," Larry Clinton, President of the Internet Security Alliance (ISA), said. "Uncertainty leads to underinvestment. They [critical infrastructure asset owners] will not know whenever an investment will qualify as an investment to the framework."


The ISA has proposed that a beta test be developed, not only to track the issues that come up with implementation but also to generate data that would be useful in promoting long-term adoption of the cybersecurity model. "Let's have a systematic trial with industry and government collaborating through the sector coordinating councils [established under the Department of Homeland Security (DHS)]," Clinton said.

The beta test concept was a frequent off-agenda topic of discussion among the workshop attendees, but NIST officials seemed lukewarm to the idea.

"It's another proposal that's out there," Adam Sedgewick, key organizer of the framework development process, said. "This whole process has been beta testing."


Another sticking point is how the framework handles privacy and civil liberties issues. The most recent version of the framework has a fully developed separate appendix that lays out a methodology based on the Fair Information Practice Principles (FIPPS) established by the Federal Trade Commission, organized to correspond with the five functions and multiple categories that make up the framework's main "core."

A number of critical infrastructure providers are balking at what they contend are overly broad articulations of privacy requirements not relevant to the task at hand: detailed privacy prescriptions that they perceive as stricter than what many of the sectors operate under today. "Everybody feels that a lot of the data protection standards are covered in the core already," one critical infrastructure attorney said. "They are trying to shoe-horn in this stuff. It's too much for the purpose of the framework."

One privacy and cybersecurity expert, Harriet Pearson of Hogan Lovells, prepared an alternative privacy methodology based on feedback she received from a number of top critical infrastructure asset owners, which she presented during a topic-specific session at the workshop. This alternative methodology strips the privacy requirements down to those strictly related to cybersecurity issues already addressed in the framework core. Most of the major critical infrastructure providers involved in the NIST effort can agree on this alternative methodology, the privacy attorney said.

Another persistent potential problem is how well small and medium-sized entities will be able to grasp the complex framework, which is modeled on advanced notions of cyber protection.

"There are twenty-two categories and ninety-seven subcategories. That's a lot for small and medium-sized businesses," Cox Communications CISO Phil Agcaoili said during a panel discussion. "For some small organizations, the person responsible for cybersecurity could be the owner's eighteen year-old son," one electric industry representative said.


NIST hosted a topic-specific working session on small and medium business considerations at the workshop and says further development of what it is now calling "framework 1.0" will continue to address this particular challenge. The framework could be modified further in this and a number of other respects as NIST gathers and reviews feedback during an open comment period, which closes December 13.

"That input will continue to shape the framework as well as a roadmap of where we need to go from here," Bob Kolasky, Senior Advisor to the Assistant Secretary for Infrastructure Protection at DHS, said during the closing panel. DHS is organizing a voluntary program to encourage adoption of the framework, which will be a main venue for its continued evolution after NIST publishes the final version. But a number of critical infrastructure owners are skeptical of how well DHS can handle the challenge. "They haven't given us a lot of clarity of what that program involves," one communications industry representative said.

DHS, the White House and a number of government agencies are also working to further develop incentives for adopting the framework, some of which were released in high-concept form last summer. Most Washington experts, however, believe that unless Congress enacts cybersecurity legislation, which has stalled many times and is currently sidelined by the controversies surrounding the National Security Agency, no truly effective incentives for adopting the framework can be established.

Even with the remaining rough edges and uncertainties over adoption, most workshop attendees expressed enthusiasm over the potential for the framework to shift the cybersecurity community into a more collaborative and effective cross-industry mindset. "It's exciting to see NIST come to the beginning of finding a common language that can make a real difference," Harry Wingo, DC veteran and an advisor on cybersecurity matters, said.

Cynthia Brumfield, President of DCT Associates, is a veteran communications industry and technology analyst. She is currently leading a variety of research, analysis, consulting and publishing initiatives, with a particular focus on cybersecurity issues in the energy and telecom arenas.