The White House has issued an executive order on cybersecurity. Now the hard work begins.
The National Institute of Standards and Technology is finalizing a series of questions for the public about how owners of financial firms, utility operators and others who own facilities deemed vital to national security, the economy or public health assess risk, incorporate standards and protect their facilities from digital assaults.
The government action follows a series of cyberattacks since September that slowed service and inconvenienced customers at some of the nation's biggest banks.
The directive that President Obama
According to NIST, the goals of the framework-forming process will be to identify current standards and practices that can bolster cybersecurity, to identify gaps for which new or revamped standards are needed, and to develop plans for addressing them.
A
"NIST believes the diversity of business and mission needs notwithstanding, there are core cybersecurity practices that can be identified and that will be applicable to a diversity of sectors and a spectrum of quickly evolving threats," the institute wrote. "Identifying such practices will be a focus of the framework development process."
The public will have 45 days to address the questions, which NIST expects to publish imminently in final form, according to spokeswoman Jennifer Huergo.
NIST asks companies to address how applicable existing approaches are to cybersecurity needs, including how such approaches could be more useful. Companies also can comment on how they use encryption, how they identify and authorize users of secure systems, the tools they use to monitor and detect cyber threats, and what risks to privacy or civil liberties they see from efforts to shore up defenses.
"We have to stitch together an inventory," Amy Mushahwar, an attorney who specializes in data security at the law firm of Ballard Spahr, told American Banker. "We don't know what we have - that's the first very important piece of this."
Mushahwar praises NIST for going beyond a prescribed set of items to delve deeply into approaches to cybersecurity. "What I really like from the request is that it goes beyond the standard inventory and compliance piece and asks about encryption and asset identification and allows companies to have a bit more of a free narrative."
According to NIST, the draft framework builds on the institute's work on cybersecurity standards for the federal government and the energy industry, where current frameworks govern both nuclear power and the smart grid. "It's clear to me that NIST will not be engaging in this exercise in a vacuum," Mushahwar added. "The president selected the entity that would mandate the standards development process in a very astute way."
The administration's attempt to look across industries and sectors of the economy to stitch together a cybersecurity edifice represents a focus the nation needs urgently, Avivah Litan, an analyst with Gartner Research, told American Banker. "There's the organization piece, the process piece and the technology piece and none of those pieces are working properly today to fight new threats," Litan said.
Litan says companies tend to operate in silos, measure themselves by different standards, lack proactive processes and use technology that cannot keep up with the evolving approaches of cyber attackers, who continually adapt tactics to boost the frequency and firepower of their incursions. A
Like Mushahwar, Litan praises the Obama administration for taking cybersecurity seriously and for boosting awareness about the threat, although she says she would like to see penalties imposed on firms that fail to act. "People don't do things voluntarily. Even in the banking world, they say they're worried about security, but they're really worried about the regulators," Litan added. "That's why there needs to be some penalty. Otherwise people won't do it. Otherwise it's all just talk."