7/29/2013
04:29 PM

Government Gets Closer To Launching CyberSecurity Framework

National Institute of Standards and Technology partners with industry on security standards that work across public and private sectors.

Military Drones Present And Future: Visual Tour
The federal government and private industry are getting close to releasing a cybersecurity framework that will provide both private and public-sector entities with a way to assess how resilient their computer networks are to cyber attack and the steps needed to make improvements.

The joint effort, by the National Institute of Standards and Technology and a variety of industry groups, is expected to yield a preliminary version of voluntary standards in October.

Although NIST is the key federal organization responsible for hammering out the overall structure of the standards, its top official told Congress that an ongoing partnership with industry, both during and after development of the framework, is vital because it is industry that will have to apply the standards to protect privately owned critical infrastructure. It is a multi-stakeholder process that leverages the best of both sectors, NIST director Patrick D. Gallagher told the Senate Committee on Commerce, Science and Transportation on July 25. A key part of the effort is that the resulting standards are scalable and can be applied globally.


There are three reasons for industry to lead the process, Gallagher said. The first is know-how and the ability to keep up with rapidly evolving technology. The second is that industry-led processes are more compatible with business. Third, industry-led standards can operate across global markets where government-only solutions cannot.

Speaking for private industry, Arthur W. Coviello Jr., executive chairman of RSA Security LLC, said that any successful government-private sector cybersecurity approach -- either the NIST standards or new proposed cyber legislation -- should consist of three points: It must be industry neutral and consistent, it must help increase investment in research and education, and Congress must move to lower the barriers that currently exist to sharing threat information between government and industry.

One of industry's key goals is the ability to share threat information in real time, said Dorothy Coleman, VP of tax, technology and domestic economic policy at the National Association of Manufacturers. She added that the association opposes any attempts to set up a static regulatory regime but supports the development of globally scalable, flexible standards.

From NIST's perspective, Gallagher noted that his organization works with the private sector to coordinate standard development and as a "corporate memory" for the federal government. It serves in the memory function by helping agencies coordinate their own IT efforts, he said.

Once a cybersecurity framework is in place, there might be a great incentive for firms to adopt it because it might provide a competitive advantage, Coviello told Congress. "It will be a business imperative for firms to protect themselves," he said.

The Obama administration in February issued an executive order directing federal agencies to set up a cybersecurity framework, in response to the failure of a cybersecurity bill to pass in November. The president's order placed NIST at the center of the effort, which calls upon the private and public sectors to discuss the best ways to protect the nation's critical infrastructure from cyber attack.

Although pleased with the executive order, committee chairman Sen. John D. Rockefeller (D-WV) last week introduced a new cybersecurity bill based on input he received from industry leaders about what they wanted from cybersecurity legislation. The new effort is a follow-on to the failed bill, which stalled due to heavy resistance from the business lobby.

"NIST's job is to help American industry help itself," said Rockefeller.

Comments
WKash
7/30/2013 | 5:00:55 PM
re: Government Gets Closer To Launching CyberSecurity Framework
Industry has more incentive than ever to work toward a common set of security standards. The reason: They are being bled of intellectual property at a rate like never before by increasingly sophisticated and determined cyber thieves. The challenge here will be getting something general enough to work across 18 major industries and specific enough to implement real controls, noted NIST's Ron Ross at a panel discussion this morning held by immixGroup.