
7/29/2013 04:29 PM

Government Gets Closer To Launching CyberSecurity Framework

National Institute of Standards and Technology partners with industry on security standards that work across public and private sectors.

The federal government and private industry are getting close to releasing a cybersecurity framework that will give both private- and public-sector entities a way to assess how resilient their computer networks are to cyber attack and to identify the steps needed to make improvements.

The joint effort, by the National Institute of Standards and Technology and a variety of industry groups, is expected to yield a preliminary version of voluntary standards in October.

Although NIST is the key federal organization responsible for hammering out the overall structure of the standards, its top official told Congress that an ongoing partnership with industry, both during and after development of the framework, is vital because it is industry that will have to apply the standards to protect privately owned critical infrastructure. It is a multi-stakeholder process that leverages the best of both sectors, NIST director Patrick D. Gallagher told the Senate Committee on Commerce, Science and Transportation on July 25. A key goal of the effort is that the resulting standards be scalable and applicable globally.


There are three reasons for industry to lead the process, Gallagher said. The first is know-how and the ability to keep up with rapidly evolving technology. The second is that industry-led processes are more compatible with business. Third, industry-led standards can operate across global markets where government-only solutions cannot.

Speaking for private industry, Arthur W. Coviello Jr., executive chairman of RSA Security LLC, said that any successful government-private sector cybersecurity approach -- either the NIST standards or newly proposed cyber legislation -- should rest on three points: it must be industry-neutral and consistent, it must help increase investment in research and education, and Congress must move to lower the barriers that currently exist to sharing threat information between government and industry.

One of industry's key goals is the ability to share threat information in real time, said Dorothy Coleman, VP of tax, technology and domestic economic policy at the National Association of Manufacturers. She added that the association opposes any attempts to set up a static regulatory regime but supports the development of globally scalable, flexible standards.

From NIST's perspective, Gallagher noted that his organization works with the private sector to coordinate standard development and as a "corporate memory" for the federal government. It serves in the memory function by helping agencies coordinate their own IT efforts, he said.

Once a cybersecurity framework is in place, there might be a great incentive for firms to adopt it because it might provide a competitive advantage, Coviello told Congress. "It will be a business imperative for firms to protect themselves," he said.

The Obama administration in February issued an executive order directing the development of a voluntary cybersecurity framework, after a cybersecurity bill failed to pass the Senate in November. The president's order placed NIST at the center of the effort, which calls upon the private and public sectors to work out the best ways to protect the nation's critical infrastructure from cyber attack.

Although pleased with the executive order, committee chairman Sen. John D. Rockefeller (D-WV) last week introduced a new cybersecurity bill based on input he received from industry leaders about what they wanted from cybersecurity legislation. The new effort is a follow-on to the failed bill, which stalled due to heavy resistance from the business lobby.

"NIST's job is to help American industry help itself," said Rockefeller.

Comments

WKash,
User Rank: Apprentice
7/30/2013 | 5:00:55 PM
re: Government Gets Closer To Launching CyberSecurity Framework
Industry has more incentive than ever to work toward a common set of security standards. The reason: They are being bled of intellectual property at a rate like never before by increasingly sophisticated and determined cyber thieves. The challenge here will be getting something general enough to work across 18 major industries and specific enough to implement real controls, noted NIST's Ron Ross at a panel discussion this morning held by immixGroup.