International Trade Today is a service of Warren Communications News.
‘Important Milestone’

Agencies Seek Industry Help in Developing Cybersecurity Framework

Cybersecurity stakeholders began a comprehensive discussion Wednesday during the first government cybersecurity workshop about how U.S. companies can reduce their cybersecurity risk. The event, hosted by the Department of Commerce, was coordinated by officials from the National Institute of Standards and Technology (NIST), the Department of Homeland Security and the White House. The series of workshops aims to elicit input from the private sector about what current best practices and cybersecurity guidelines companies are using to protect themselves as agencies implement the directives of President Barack Obama’s February cybersecurity order (CD Feb 14 p1), the officials said.

White House Cybersecurity Coordinator Michael Daniel said U.S. companies and the government need to “make the bad guys work a lot harder to do what they are trying to do.” A “core piece” of that effort is to create a baseline of “well-understood cybersecurity capabilities” to curb the increase in persistent intrusions, violations of privacy, theft of business information and denial-of-service attacks, he said. Daniel said the executive order and the development of a cybersecurity framework “are just a down payment” for more congressional action. Lawmakers need to “firmly embed and incorporate privacy and civil liberties safeguards into all aspects of cybersecurity,” he said. Lawmakers must also “strengthen our nation’s critical infrastructure cybersecurity by further increasing information sharing -- particularly from the private sector -- back to the government, by promoting an adoption of the framework of standards even more broadly, updating the federal laws that govern how we do our own security inside the federal government, giving law enforcement the tools to fight crime in the digital age and harmonizing data breach notification requirements.”

In a separate speech, Commerce Deputy Secretary Rebecca Blank said the success of the government’s effort to develop cybersecurity guidelines is “largely dependent on industry involvement.” “Now, more than ever, we need your commitment and your leadership to help protect American businesses and America’s infrastructure,” she said. “The long-term goal is to develop a living framework that adapts as the risks ‘out there’ change, and that relies on industry-developed standards to help businesses and organizations know when and where they might be behind the curve.” Blank said she hopes to hear from companies about the cybersecurity threats they face, what technologies and services they think would be helpful to protect their networks and what they're doing to reduce their cybersecurity risks.

NIST Director Patrick Gallagher said the workshop was an “important milestone” in carrying out the executive order. The order tasks DHS and NIST with helping U.S. owners of critical infrastructure secure their networks from cyberthreats. The order directed NIST, in collaboration with U.S. companies, to lead the federal development of voluntary cybersecurity standards and best practices.

The resulting cybersecurity framework will have to be “baked in” to the operations of critical infrastructure companies, said Gallagher. But he said the government “will not be seeking to tell industry how to build your products or how to run your business. Instead we will be relying on critical infrastructure industries to dictate their needs for technological products and services and allow the market to evolve in a way that embraces both security and innovation.” NIST’s approach to the executive order is to identify “core standards, methodologies, procedures, processes ... to achieve this new baseline,” Gallagher said. The framework’s guidance will be technology neutral and will include steps to measure a company’s performance in implementing the framework’s standards, he said.

NIST’s initial conversation to develop a baseline cybersecurity framework began with the agency’s open request for information (RFI) about what cybersecurity practices are already being used by companies, Gallagher said (http://1.usa.gov/15QcRrB). The RFI, with an April 8 deadline, has already received nearly 50 comments, will soon become public and will “serve as the foundation for NIST’s development of a cybersecurity framework,” he said (http://1.usa.gov/Z7UJmc).

DHS Deputy Secretary Jane Lute said it’s “time we did something about” the serious cyberattacks that threaten U.S. critical infrastructure networks. “We know and believe as a government that we face a dangerous combination of known and unknown vulnerabilities and adversaries with strong and rapidly expanding capabilities,” she said. The agency is working to increase the amount of cyberthreat information that it shares with the private sector, she said. “We are going to do more, and we are going to do it sooner.”

The order tasked DHS with overseeing the private sector’s implementation of NIST’s forthcoming cybersecurity standards and offering incentives to adopt them. The order also directs DHS to identify which critical infrastructures are at the greatest risk for attacks that could result in catastrophic effects on public safety, economic security or national security. The Homeland Security, Commerce and Treasury departments are required to detail their final recommendations on incentives to the White House in June. But “no single department can do all that needs doing when it comes to the cybersecurity of this nation,” said Lute. She said DHS is actively looking for companies to help drive “cybersecurity innovations that can help shape best practices” for U.S. critical infrastructure.