In February 2014 the National Institute of Standards and Technology (NIST) issued a new set of cyber security guidelines designed to help critical infrastructure providers better protect themselves against attacks.
The framework was the result of an executive order issued by President Barack Obama in 2013 to establish a set of voluntary cyber security standards for critical infrastructure companies. One year later, has the NIST Cybersecurity Framework had any measurable impact on improving cyber resilience or was it just smoke and mirrors as many opponents predicted at the time?
The NIST Cybersecurity Framework was born out of the realization that cyber-attacks represent one of the most serious economic and national security threats our nation faces. The framework offers:
• A set of activities to anticipate and defend against cyber-attacks (the “Core”)
• A set of measurements to assess to what degree an organization has implemented the core activities and benchmark how prepared they are to protect systems against an attack (the “Implementation Tiers”)
• A “Profile” that can be used to identify opportunities for improving an organization’s cyber security posture by comparing a current profile with a target profile.
In addition, the NIST Cybersecurity Framework includes a comprehensive collection of so-called Informative References, which are specific sections of standards, guidelines, and practices common among critical infrastructure sectors.
By assembling all these data points in a single repository, the government provided a common nomenclature and methodology to help less advanced organizations assess their level of security preparedness and benchmark themselves. In this regard, the NIST Cybersecurity Framework was a good first step towards creating a standardized approach to cyber security. However, it became immediately apparent at the time of its release that the framework required many substantial updates before it could really help improve the nation’s cyber resilience. It’s not surprising that, despite some anecdotal evidence presented to a Senate committee at a February 4th hearing, there has been no measurable proof that using the framework can help prevent cyber-attacks.
Ultimately, the NIST Cybersecurity Framework provides some valuable building blocks for implementing better cyber security practices, but is not a silver bullet for preventing cyber-attacks and data breaches. It’s important to understand that guidelines and regulations are static by nature and therefore cannot evolve to detect and mitigate morphing threats. Meanwhile, regulatory compliance moves far too slowly to keep up with cyber-attackers. Guidelines can also expose holes in proposed measures, which attackers can use as a blueprint for their attack strategy.
Ultimately, proper security measures and best practices are just one part of the solution. One of the biggest challenges for organizations is managing the sheer volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized to even stand a chance of detecting a cyber-attack. The Target breach was a good example. Although the best-of-breed technology in place was able to detect the intrusion early on, the alerts were buried in a sea of data which prevented the security team from connecting the dots and responding in a timely fashion. Instead, a third-party reported the stolen data being posted on the Internet and exposed the breach.
Without data automation it can take months and even years to perform big data risk analysis and piece together an actionable security assessment. Findings ways to use technology to overcome the lack of human resources needed to extract intelligence from security feeds and respond in a timely fashion should remain a focal point for organizations.
In this context, the NIST Cybersecurity Framework is an important building block, but still just the first step towards implementing operationalized defenses against cyber security risks.