A few weeks ago, the National Institute of Standards and Technology (NIST) issued the final version of a new set of cyber security guidelines designed to help critical infrastructure providers better protect themselves against attacks. The framework was the result of an executive order issued by President Barack Obama last year that, in part, directed NIST to come up with a set of voluntary cyber security standards for critical infrastructure companies. The big question that remains is whether the guidelines can truly improve cyber resilience and whether they should be adopted by enterprises of all shapes and sizes.
Data breaches at Adobe, Target, and Neiman Marcus made headlines over the last few months. However, they’re just the tip of the iceberg. According to the Data Breach QuickView Report, 2013 broke the previous all-time record for the number of records exposed by reported data breach incidents. The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record, 2011. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored attackers, and terrorist organizations exploit design flaws and weaknesses in applications in order to embarrass corporate America, generate revenue, or carry out criminal activities. The growing number of cyber-attacks has become one of the most serious economic and national security threats our nation faces.
In response, President Obama issued Executive Order 13636, which mandated the development of a voluntary, risk-based Cybersecurity Framework: a set of industry standards and best practices to help organizations manage cyber security risk. The Cybersecurity Framework, developed by NIST in collaboration with other government agencies and the private sector, establishes a common nomenclature for addressing and managing cyber security risk in a cost-effective way. A stated objective was to avoid placing additional regulatory requirements on businesses and instead offer a risk-based approach that each organization can tailor to its own exposure.
The NIST Cybersecurity Framework is comprised of three components. The “Core” is a catalog of cyber security activities and outcomes, grouped into five functions (Identify, Protect, Detect, Respond, Recover) that together describe how an organization anticipates and defends against cyber-attacks and recovers from them. The “Implementation Tiers” (Partial, Risk Informed, Repeatable, Adaptive) characterize how rigorously and consistently an organization’s risk management practices are applied, and so provide a way to benchmark how prepared it is to protect its systems. A “Profile” is a selection of Core outcomes for a particular organization; comparing a current profile with a target profile identifies gaps and opportunities for improving the organization’s cyber security posture.
Each outcome in the Core is also mapped to so-called Informative References: specific sections of existing standards, guidelines, and practices common among critical infrastructure sectors that show how the outcome can be achieved.
While several tech groups praised the decision to focus the framework on risk management rather than creating another check-box type regulatory compliance mandate, many industry experts believe it falls short on really driving cyber resilience.
Security-minded, mature organizations already have a solid understanding of how their network needs to be secured and have applied many of the standards, guidelines, and practices referenced in the framework. So while the framework doesn’t necessarily improve their cyber resilience, it does provide a common nomenclature and methodology to help less advanced organizations assess their level of security preparedness and benchmark themselves.
Notably, the framework falls short in offering incentives to organizations to apply the NIST Cybersecurity Framework, which was the original intention of the President’s Executive Order. Organizations too often lack the necessary resources to apply all of the outlined standards, guidelines, and practices. Without the commitment of management and board of directors to provide adequate resources for risk management, organizations’ security posture won’t significantly improve.
Part of that resource burden is that applying the NIST Cybersecurity Framework adds to the volume, velocity, and complexity of the data feeds that must be analyzed, normalized, and prioritized. Without automation it can take months and even years to perform this kind of large-scale risk analysis and piece together an actionable security assessment picture. The framework’s lack of incentives will most likely lead to uneven adoption across commercial markets, with the exception of the financial services, energy, and healthcare sectors, which are under constant attack and have suffered the most serious security breaches.
Meanwhile, one of the most critical components for detecting and protecting against widespread cyber-attacks across different verticals and industries receives little more than a passing mention in the NIST Cybersecurity Framework: the bi-directional sharing of sensitive threat information. Beyond a pair of Core outcomes that note receiving threat information from sharing forums and voluntarily sharing it with external stakeholders, the framework defines no mechanism for such an exchange. It is well documented that cyber criminals coordinate their efforts and share vulnerabilities and attack methodologies. To counter them, government and private industry must work hand-in-hand to distribute information about threats quickly. Sadly, the fallout from the Edward Snowden disclosures might prevent this type of collaboration from being implemented for years to come.
In the meantime, commercial sectors must rely on information sharing communities such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Red Sky Alliance. These organizations offer threat feeds whose indicators member organizations can match against their own enterprise architecture to put the threat information in context.
The NIST Cybersecurity Framework is a good first step towards creating a standardized approach to cyber security, but requires many substantial updates before really improving our nation’s cyber resilience.