Security Advisor
Government Releases Draft Cybersecurity Framework
The goal of the document is to bring both the public and private sectors to the same level of security so that information pertaining to threats can be easily shared between the two.
On Tuesday the National Institute of Standards and Technology (NIST) released its primary cybersecurity framework (PDF) aimed at both private enterprises and infrastructure networks.
The document's goal is to provide a voluntary how-to for organizations to protect themselves from outside attacks from hackers and how to guard against internal leaks and was part of President Obama's cybersecurity executive order issued in February.
"The Framework relies on existing standards, guidance, and best practices to achieve outcomes that can assist organizations in managing their cybersecurity risk," read the document. "By relying on those practices developed, managed, and updated by industry, the Framework will evolve with technological advances and business requirements."
The government-created framework focuses on five "cores" that organizations should be following to adequately manage and react to risks. They include:
- Identify: "Develop the institutional understanding to manage cybersecurity risk to organizational systems, assets, data, and capabilities." According to the NIST, this involves understanding both the motivation behind an attack and clearly defining a risk strategy.
- Protect: This tenant involves developing and implementing strong safeguards without interrupting the flow of critical infrastructure services.
- Detect: This core focuses on fully identifying an issue and analyzing the threat to provide timely counteractions and to strengthen safeguards for future attacks.
- Respond: Once an issue is detected, an effective plan should be formulated and actions prioritized to limit the amount of damage or infection.
- Recover: According to the document, this step should "Develop and implement the appropriate activities, prioritized through the organization's risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event."
While the framework's cores lay out a very basic and obvious security plan, the goal more than educating organizations on how to fully protect themselves is to get both the public and private sectors on the same page so that information can be more easily shared between the two, as evident with Obama's initial announcement of the executive order earlier this year.
"Greater information sharing within the government and with the private sector can and must be done while respecting privacy and civil liberties," read the order. "Federal departments and agencies shall ensure that all existing privacy principles, policies, and procedures are implemented consistent with applicable law and policy and shall include senior agency officials for privacy in their efforts to govern and oversee information sharing properly."
So far, one of the bigger criticisms I can see with this framework is that the fact that corporations are not forced to comply with the recommendations, there is no incentive to follow it by the letter -- something this administration needs to occur to have the information sharing process flow smoothly. However, forcing these recommendations upon organizations will bring strong cries against unwanted or unnecessary regulation.
Further, I'm not quite sure who the framework benefits. While terminology may differ among the private and public sectors, the five core tenants put forth in the document are both basic and vague, and you would be hard-pressed to find any modern company not following a similar guideline today.
However, criticisms like these are exactly what the NIST wants to see with this draft before the final submission is handed over early next year.
"The goal of the framework is to bring together existing standards, policies and best practices into a tool organizations can use to ensure effective cybersecurity," NIST said in a statement. "We put out an early discussion draft to ensure that we got feedback -- including positive and negative -- on the framework as currently presented. We hope to get active participation from all stakeholders."
What's your thoughts? Is a comprehensive cybersecurity framework that stretches across both public and private sectors necessary? Does this document look to get us a step closer to that or is it a big waste of time? Let me know in the comments below.