The recent release of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology has generated some debate on the actual effect this document will have on improving cyber security. There’s no new technology or technique here -- the framework is a simple taxonomy on which are hung references to existing security frameworks for various critical infrastructure sectors.
As many have pointed out, compliance is voluntary -- there are no teeth. In fact, it’s not even clear what compliance would be, since the taxonomy points to existing standards that would already be complied with if mandatory. That makes this document a relatively small step in the direction of improved security. But it is potentially an important one. If it can provide a common way of characterizing security programs, it could be a big enabler. Let’s follow the path that led to the creation of this document.
This framework was mandated by the Obama administration’s Cybersecurity Executive Order in February 2013. That Executive Order itself was a result of the inability of Congress to pass security legislation in the critical infrastructure area, largely due to industry opposition to the increased costs such security programs would cause. That’s why both the executive order and this framework have no teeth -- only Congress can impose new laws and fund enforcement mechanisms.
There is a general feeling that our infrastructure sectors -- airports, utilities, chemical plants, etc. -- are not properly secured against cyber attack, and that the results of such an event could be catastrophic. Think of something on the order of magnitude of the Northeast United States blackout of 2003, or an attack on airports or airline infrastructure that could result in a significant, and perhaps extended, no-fly situation like Sept. 12-15, 2001. Given the general agreement that there is a problem, why would industry oppose the legislation of mandatory minimum security requirements to prevent things like this from happening and to level the compliance playing field?
I’m sure the reasons for the resistance include a lack of information on which to base legislation and a legitimate fear that operations will be burdened by new requirements. Worse is the concern that many of these new requirements won’t make any sense for particular industries.
Enter the cyber security framework. The framework provides a simple, common taxonomy to compare and contrast different levels of security programs. One part of the framework describes how to fill out a profile for an organization. For example, if we take a representative number of electric utilities or chemical plants and have them all fill out profiles using the framework taxonomy, then the postures of these companies can be directly compared, and a baseline level of common practice in each industry established.
This set of baseline profiles established for each of the 16 critical infrastructure sectors, could be used to negotiate and ultimately define, through legislation, the minimum levels of security required on an infrastructure sector-by-sector basis, expressed as a NIST framework profile. This is where the teeth would be -- which brings us all the way back to where we started: the need for Congress to pass legislation that sets minimum levels of information security for critical infrastructure sectors.
The framework throws a bone at the notion of improving security by discussing gap analysis, but how to do that is well understood and documented elsewhere. The real value here is a means to both justify and compel private sector spending in a commercially competitive environment to fill the security gaps.
For the optimists among us, this legislation might just happen this year. The National Cybersecurity and Critical Infrastructure Protection Act is currently being negotiated in the House and with the DHS. But in light of past history, I’m not holding my breath.