Government Agency Seeks Comment on Cybersecurity Framework

The White House has issued an executive order on cybersecurity. Now the hard work begins.

The National Institute of Standards and Technology is finalizing a series of questions for the public about how owners of financial firms, utility operators and others who own facilities deemed vital to national security, the economy or public health assess risk, incorporate standards and protect their facilities from digital assaults.

The government action follows a series of cyberattacks since September that slowed service and inconvenienced customers at some of the nation's biggest banks.

The directive that President Obama signed Tuesday authorizes NIST, the standards-setting arm of the Commerce Department, to lead development of a framework that provides "a prioritized, flexible, repeatable, performance-based, and cost-effective approach" to reduce cyber risks. The order gives NIST eight months to identify standards and guidelines for protecting critical infrastructure that cut across industries and to publish a preliminary version of a cybersecurity framework.

According to NIST, the goals of the framework-forming process will be to identify current standards and practices that can bolster cybersecurity, to identify gaps for which new or revamped standards are needed and develop plans for addressing them.

A request for information the institute published in draft form on Wednesday asks a series of roughly 33 questions that cover current risk management practices, standards and guidelines, and specific industry practices. NIST seeks comment on what organizations see as the challenges in improving digital security practices, how commenters define cybersecurity risk, and the extent to which firms incorporate such risks into company-wide management. The institute also wants to hear from companies what "critical assets" of their organizations depend on other sectors, including the financial, telecommunications, energy, water and transportation industries.

"NIST believes the diversity of business and mission needs notwithstanding, there are core cybersecurity practices that can be identified and that will be applicable to a diversity of sectors and a spectrum of quickly evolving threats," the institute wrote. "Identifying such practices will be a focus of the framework development process."

The public will have 45 days to address the questions, which NIST expects to publish imminently in final form, according to spokeswoman Jennifer Huergo.

NIST asks companies to address the applicability of existing approaches to addressing cybersecurity needs, including how such approaches could be more useful. Companies also can comment on how they use encryption, how they identify and authorize users of secure systems, the tools they use to monitor and detect cyber threats, and what risks to privacy or civil liberties they see from efforts to shore up defenses.

"We have to stitch together an inventory," Amy Mushahwar, an attorney who specializes in data security at the law firm of Ballard Spahr, told American Banker.  "We don't know what we have - that's the first very important piece of this."

Mushahwar praises NIST for going beyond a prescribed set of items to delve deeply into approaches to cybersecurity. "What I really like from the request is that it goes beyond the standard inventory and compliance piece and asks about encryption and asset identification and allows companies to have a bit more of a free narrative."

According to NIST, the draft framework builds on the institute's work on cybersecurity standards for the federal government and the energy industry, where current frameworks govern both nuclear power and the smart grid. "It's clear to me that NIST will not be engaging in this exercise in a vacuum," Mushahwar added. "The president selected the entity that would mandate the standards development process in a very astute way."

The administration's attempt to look across industries and sectors of the economy to stitch together a cybersecurity edifice represents a focus the nation needs urgently, says Avivah Litan, an analyst with Gartner Research, told American Banker. "There's the organization piece, the process piece and the technology piece and none of those pieces are working properly today to fight new threats," Litan said.

Litan says companies tend to operate in silos, measure themselves by different standards, lack proactive processes and use technology that cannot keep up with the evolving approaches of cyber attackers, who continually adapt tactics to boost the frequency and firepower of their incursions. A report published recently by Radware, a digital security firm, found that roughly one-third of cyberattacks last year showed the highest level of threat, as measured by duration, number of vectors and complexity, compared with 7% of attacks that displayed such characteristics in 2011. "It's becoming an untenable situation where we really have to have a new paradigm," Litan said.

Like Mushahwar, Litan praises the Obama administration for taking cybersecurity seriously and for boosting awareness about the threat, although she says she would like to see penalties imposed on firms that fail to act. "People don't do things voluntarily. Even in the banking world, they say they're worried about security, but they're really worried about the regulators," Litan added. "That's why there needs to be some penalty. Otherwise people won't do it. Otherwise it's all just talk."