Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/29/2013
04:29 PM
50%
50%

Government Gets Closer To Launching CyberSecurity Framework

National Institute of Standards and Technology partners with industry on security standards that work across public and private sectors.

Military Drones Present And Future: Visual Tour
Military Drones Present And Future: Visual Tour
(click image for larger view and for slideshow)
The federal government and private industry are getting close to releasing a cybersecurity framework that will provide both private and public-sector entities with a way to assess how resilient their computer networks are to cyber attack and the steps needed to make improvements.

The joint effort, by the National Institute of Standards and Technology and a variety of industry groups, is expected to yield a preliminary version of voluntary standards in October.

Although NIST is the key federal organization responsible for hammering out the overall structure of the standards, its top official told Congress that an ongoing partnership with industry both during and after developing the framework is vital because it is industry that will have to apply the standards to protect privately owned critical infrastructure. It is a multi-stakeholder process that leverages the best of both sectors, NIST director Patrick D. Gallagher told the Senate Committee on Commerce, Science and Transportation on July 25. A key part of the effort is that the resulting standards are scalable and able to be applied globally.

[ Federal agencies are striving to meet their own cybersecurity requirements. Read Federal Agencies Graded On Cybersecurity. ]

There are three reasons for industry to lead the process, Gallagher said. The first is know-how and the ability to keep up with rapidly evolving technology. The second is that industry-led processes are more compatible with business. Third, industry-led standards can operate across global markets where government-only solutions cannot.

Speaking for private industry, Arthur W. Coviello Jr., executive chairman of RSA Security LLC, said that any successful government-private sector cybersecurity approach -- either the NIST standards or new proposed cyber legislation -- should consist of three points: It must be industry neutral and consistent, it must help increase investment in research and education, and Congress must move to lower the barriers that currently exist to sharing threat information between government and industry.

One of industry's key goals is the ability to share threat information in real time, said Dorothy Coleman, VP of tax, technology and domestic economic policy at the National Association of Manufacturers. She added that the association opposes any attempts to set up a static regulatory regime but supports the development of globally scalable, flexible standards.

From NIST's perspective, Gallagher noted that his organization works with the private sector to coordinate standard development and as a "corporate memory" for the federal government. It serves in the memory function by helping agencies coordinate their own IT efforts, he said.

Once a cybersecurity framework is in place, there might be a great incentive for firms to adopt it because it might provide a competitive advantage, Coviello told Congress. "It will be a business imperative for firms to protect themselves," he said.

The Obama administration in February issued an executive order mandating federal agencies to set up a cybersecurity framework, in response to the failure of a cybersecurity bill to pass in November. The president's order placed NIST at the center of the effort, which calls upon the private and public sectors to discuss the best ways to protect the nation's critical infrastructure from cyber attack.

Although pleased with the executive order, committee chairman Sen. John D. Rockefeller (D-WV) last week introduced a new cybersecurity bill based on input he received from industry leaders about what they wanted from cybersecurity legislation. The new effort is a follow-on to the failed bill, which stalled due to heavy resistance from the business lobby.

"NIST's job is to help American industry help itself," said Rockefeller.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
7/30/2013 | 5:00:55 PM
re: Government Gets Closer To Launching CyberSecurity Framework
Industry has more incentive than ever to work toward a common set of security standards. The reason: They are being bled of intellectual property at a rate like never before by increasingly sophisticated and determined cyber thieves. The challenge here will be getting something general enough to work across 18 major industries and specific enough to implement real controls, noted NIST's Ron Ross at a panel discussion this morning held by immixGroup.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14300
PUBLISHED: 2020-07-13
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
CVE-2020-14298
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
CVE-2020-15050
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
CVE-2020-10987
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVE-2020-10988
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.