Risk
7/29/2013
04:29 PM
Government Gets Closer To Launching CyberSecurity Framework

National Institute of Standards and Technology partners with industry on security standards that work across public and private sectors.

Military Drones Present And Future: Visual Tour
The federal government and private industry are getting close to releasing a cybersecurity framework that will provide both private and public-sector entities with a way to assess how resilient their computer networks are to cyber attack and the steps needed to make improvements.

The joint effort, by the National Institute of Standards and Technology and a variety of industry groups, is expected to yield a preliminary version of voluntary standards in October.

Although NIST is the key federal organization responsible for hammering out the overall structure of the standards, its top official told Congress that an ongoing partnership with industry both during and after developing the framework is vital because it is industry that will have to apply the standards to protect privately owned critical infrastructure. It is a multi-stakeholder process that leverages the best of both sectors, NIST director Patrick D. Gallagher told the Senate Committee on Commerce, Science and Transportation on July 25. A key part of the effort is that the resulting standards are scalable and able to be applied globally.

There are three reasons for industry to lead the process, Gallagher said. The first is know-how and the ability to keep up with rapidly evolving technology. The second is that industry-led processes are more compatible with business. Third, industry-led standards can operate across global markets where government-only solutions cannot.

Speaking for private industry, Arthur W. Coviello Jr., executive chairman of RSA Security LLC, said that any successful government-private sector cybersecurity approach -- either the NIST standards or new proposed cyber legislation -- should consist of three points: It must be industry neutral and consistent, it must help increase investment in research and education, and Congress must move to lower the barriers that currently exist to sharing threat information between government and industry.

One of industry's key goals is the ability to share threat information in real time, said Dorothy Coleman, VP of tax, technology and domestic economic policy at the National Association of Manufacturers. She added that the association opposes any attempts to set up a static regulatory regime but supports the development of globally scalable, flexible standards.

From NIST's perspective, Gallagher noted that his organization works with the private sector to coordinate standard development and as a "corporate memory" for the federal government. It serves in the memory function by helping agencies coordinate their own IT efforts, he said.

Once a cybersecurity framework is in place, there might be a great incentive for firms to adopt it because it might provide a competitive advantage, Coviello told Congress. "It will be a business imperative for firms to protect themselves," he said.

The Obama administration in February issued an executive order mandating federal agencies to set up a cybersecurity framework, in response to the failure of a cybersecurity bill to pass in November. The president's order placed NIST at the center of the effort, which calls upon the private and public sectors to discuss the best ways to protect the nation's critical infrastructure from cyber attack.

Although pleased with the executive order, committee chairman Sen. John D. Rockefeller (D-WV) last week introduced a new cybersecurity bill based on input he received from industry leaders about what they wanted from cybersecurity legislation. The new effort is a follow-on to the failed bill, which stalled due to heavy resistance from the business lobby.

"NIST's job is to help American industry help itself," said Rockefeller.

Comments

WKash, 7/30/2013 | 5:00:55 PM
re: Government Gets Closer To Launching CyberSecurity Framework
Industry has more incentive than ever to work toward a common set of security standards. The reason: They are being bled of intellectual property at a rate like never before by increasingly sophisticated and determined cyber thieves. The challenge here will be getting something general enough to work across 18 major industries and specific enough to implement real controls, noted NIST's Ron Ross at a panel discussion this morning held by immixGroup.