Delivering an accessible roadmap to guide the nation's most vital organizations through a cyber crisis does sound like a pretty tall order. That may be why the very tool that sets out to do just that is meeting with such a mixed bag of praise and criticism.
The so-called “Framework for Improving Critical Infrastructure Cybersecurity,” released in draft late last year and in finalized form in February by the National Institute of Standards and Technology (NIST), sets out to create a voluntary and over-arching structure based on existing standards, guidelines and practices to help key organizations reduce their internet-based risk.
John Pirc, chief technology officer with NSS Labs, attended one of the NIST-hosted cyber security framework workshops, at the University of Texas at Dallas in the fall of last year, and also personally met with the NIST team at their headquarters this spring. For his part, Pirc says he is extremely impressed with NIST's ability to respond quickly to the executive order. “I think the first draft is good and addresses the issues we're facing today,” he says. “As with any security framework, it will receive a lot of feedback – both positive and negative. After meeting with the NIST team, I'm sure that feedback will likely be adopted into the next iteration.”
OUR EXPERTS: Infrastructure defense
Brian Contos, VP and CIO for advanced threat, Blue Coat
Jason Fredrickson, senior director of enterprise application development, Guidance Software
Ed Hammersla, managing director, Raytheon Cyber Products
Torsten George, VP of worldwide marketing and products, Agiliance
Charles Hessifer, sales engineer for federal sales, Tenable
Kent Landfield, director of standards and technology policy, Intel Security
John Pirc, CTO, NSS Labs
Scott Tousley, deputy director for the cyber security division in the Science & Technology Directorate, Department of Homeland Security
Indeed, many industry insiders – some of whom, like Pirc, attended report-developing workshops – say that the current version of the guidance does deliver on a number of fronts. “The framework is a really good start to defining how companies should analyze their cyber security risk, where to put their efforts… and things like that,” says Scott Tousley, deputy director for the cyber security division in the Science & Technology Directorate of the Department of Homeland Security. Tousley, who also attended a number of the workshops that led to the creation of the document, believes the authors were successful in engaging the industry across a number of geographies and business sectors to get a “full sampling” that led to the framework's guidance.
The standard itself is composed of three sections: the “core,” which represents a set of activities to anticipate and defend against cyber attacks; the “implementation tiers,” which provide a set of measurements to assess to what degree an organization has implemented the core activities and benchmark how prepared they are to protect systems against an attack; and the “profile,” which can be used to identify opportunities for improving an organization's cyber security posture by comparing a current profile with a target profile.
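The three parts described above fit together as a gap analysis: the core supplies the activities, the tiers supply the scale, and the current-versus-target profile comparison surfaces where to improve. The following is an added example, not code from the article or from NIST; function and category names follow CSF 1.0, while the tier scores and business priorities are constructed sample data for a hypothetical organization.

```python
"""Added example (not from the article or NIST): a minimal model of the framework's
core activities, implementation tiers and current-vs-target profile comparison.
Tier scores and priorities below are constructed for a hypothetical organization."""
from dataclasses import dataclass

# Implementation tiers from CSF 1.0, used here as an ordinal scale (1 = least mature).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Outcome:
    function: str   # one of the five core functions
    category: str   # core category under that function
    current: int    # tier reached today (current profile)
    target: int     # tier the target profile calls for
    priority: int   # business priority, 1 = highest (constructed)

def gap_report(outcomes):
    """Outcomes below target, biggest gap first within each priority level."""
    gaps = [o for o in outcomes if o.current < o.target]
    return sorted(gaps, key=lambda o: (o.priority, -(o.target - o.current)))

def coverage(outcomes):
    """Fraction of outcomes already at or above their target tier (2 decimals)."""
    if not outcomes:
        return 0.0
    met = sum(1 for o in outcomes if o.current >= o.target)
    return round(met / len(outcomes), 2)

def validate(outcomes):
    """Entries whose tier values fall outside the 1..4 scale (empty list if all valid)."""
    return [o for o in outcomes if o.current not in TIERS or o.target not in TIERS]

# Constructed sample profile; category names are CSF 1.0, scores are invented.
SAMPLE = [
    Outcome("Identify", "Asset Management", 2, 3, 1),
    Outcome("Protect", "Access Control", 3, 3, 1),
    Outcome("Detect", "Anomalies and Events", 1, 3, 2),
    Outcome("Respond", "Communications", 2, 4, 3),
    Outcome("Recover", "Recovery Planning", 1, 2, 3),
]

if __name__ == "__main__":
    for o in gap_report(SAMPLE):
        print(f"{o.function:8} {o.category:22} tier {o.current} -> {o.target} ({TIERS[o.target]})")
    print(f"targets met: {coverage(SAMPLE):.0%}")
```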
Another participant in the countrywide workshops, Ed Hammersla, managing director of Raytheon Cyber Products, a wholly-owned subsidiary of Raytheon Co., says the framework has succeeded in “laying down something that's useful to a wide number of entities from critical infrastructure to state government agencies.” He views the endeavor as “mission accomplished” on two fronts: the framework created a public-private partnership, that includes significant input from industry stakeholders; and it can serve as a basic tool for organizations to determine where they are in managing their cyber risk. “There really wasn't anything like this before,” Hammersla says.
Like Hammersla, Kent Landfield, director of standards and technology policy for Intel Security, believes that the framework also serves to create an over-arching taxonomy for cyber risk and cyber security that organizations can use to better communicate and compare where they stand. Landfield, who was involved in the development of the framework and led the NIST delegation on behalf of Intel Security, adds that the issuance of the framework will likely raise awareness among top executives and boards of directors about cyber security risk, as well as help them “make intelligent decisions about where to invest and how to address risk.” He insists that, rather than a framework, the document is really more of a tool for improving an organization's security program.
“We can't say where it's a perfect magic bullet, but it's a step in the right direction to get to the right people,” says Landfield. “That's a critical advancement.”
The good news is that the NIST Cybersecurity Framework avoids placing additional regulatory requirements on businesses and provides a risk-based approach to cyber security, says Torsten George, VP of worldwide marketing and products for Agiliance.
Charles Hessifer, sales engineer for federal sales for Tenable, agrees. “First and foremost, it doesn't bring to the table any additional requirements…on top of the one million we already have. It helps organizations get started and assess where they are…and it puts into business model perspective how cyber security should be handled today.”
But, does the framework accomplish any more than serving as a good start? Some say this is where the document falls short. “I love the fact that we're doing this at all,” says Jason Fredrickson, senior director of enterprise application development for Guidance Software. “The bad guys are way ahead of us in working together and there are a lot of people looking to the government to come out with rules and strategies [for cyber security]. I love the fact that we're doing this, I just don't think this does it very well.”
While Fredrickson admits that the framework does create a consistent vocabulary for describing vulnerabilities and drawing top-level attention to risks, he says the guidance breaks down around best practices and lacks the detail and more aggressive stance for which he was hoping. This idea that the framework could be seen as vague and lacking teeth was echoed by other industry onlookers, even if they generally appreciated its existence. (Fredrickson believes the framework would be stronger with the addition of guidance on proactive forensics, detecting anomalies and promoting more collaboration amongst security professionals.)
George says he also sees the framework as falling short in offering incentives to organizations to apply the NIST Cybersecurity Framework, which was the original intention of the President's Executive Order. “Organizations too often lack the necessary resources to apply all of the outlined standards, guidelines, and practices,” says George. “Without the commitment of management and board of directors to provide adequate resources for risk management, an organization's security posture won't significantly improve. That's because applying the NIST Cybersecurity Framework adds to the volume, velocity and complexity of data feeds that must be analyzed, normalized and prioritized. Without automation it can take months and even years to perform big data risk analysis and piece together an actionable security assessment picture.”
In addition, George says that one of the most critical components for detecting and protecting against widespread cyber attacks across different verticals and industries has been completely dropped from the NIST Cybersecurity Framework – the bi-directional sharing of sensitive threat information. “It is well-documented that cyber criminals are coordinating their efforts and sharing vulnerabilities and attack methodologies,” he says. “To counter them, government and private industry must work hand-in-hand to quickly distribute information about threats.” George admits, however, that the consequences following the revelations by Edward Snowden might prevent the implementation of this type of collaboration for years to come.
Pirc believes that the structure is lacking in the ability to really measure and quantify the framework against implementation. “You can follow the framework by the book, but it does not guarantee that the various security products that are deployed provide you the level of security that gives you reasonable security and reduced risk of exposure.”
Brian Contos, vice president and chief information officer for advanced threat for Blue Coat, sees it as offering “marginal value… because it lacks the carrot or the stick” as incentives to adopt better cyber security protocols.
Indeed, a study from George Mason University's Mercatus Center released in mid-April went so far as to claim that the framework could end up being more of a hindrance to supporting critical infrastructure in its efforts to mitigate risk than a help. The Mercatus report expounds that the government's document is too rigid in its guidance and ultimately could end up holding back the “spontaneous, creative sources of experimentation and feedback that drive internet innovation.”
Even Tousley admits there is a challenge when it comes to putting words into practice. “The most significant challenge, in my opinion, is that the executive order [extends more than] 16 different critical infrastructures, each made up of different companies,” he says. “It's really complicated to implement this across sectors, all making their own risk investments and decisions.”
For his part, Pirc defends the framework as a successful cross-industry collaboration that “might be vague in some areas, but I think that is largely because there are many different industry verticals that adopt the framework and every industry has different requirements.”
The point, he says, is that one must leave some room in the framework for those variances. “As for those who think the framework is too rigid…well, often there are people who want to simply keep applying the same old security best practices and who aren't very willing to change. As a security professional, I would say that if you aren't willing to venture outside of your comfort zone in how you approach security, then you might want to make sure you've invested in some great cyber insurance.”
Whether or not they are content with this first iteration of guidance, most supporters and critics do believe that the framework will likely evolve or, at minimum, serve to help direct the security and risk mitigation efforts within specific industries. “I do think we'll see a version 2.0 at some point,” says Landfield, adding that the next step needs to be outreach – getting organizations to adopt the framework and apply it to their own sectors. George believes the second iteration of the NIST Cybersecurity Framework will most likely have to add incentives for adoption, “since the current voluntary concept will keep adoption rates at very low levels.”
Hammersla says the general feedback is that organizations want to “do something with this… address our cyber security strategy in the context of the framework. In which ways you do that, how much you want to accept that, they're not all sure of exactly how to do that.” Still, he is optimistic that organizations will embrace the vendor- and industry-agnostic guidance and best practices will emerge.
“The framework is a starting point, and more needs to be done by NIST and agencies like DHS, as well as by the companies themselves,” says Tousley.
And, says Pirc, as with anything new, it will take time to gain traction and adoption. “The way I see the framework evolving stems around the employment of metrics. I believe a well-defined set of metrics will serve to showcase the efficacy of the framework and add more validity to the model which will increase the potential for adoption.”