3 potential issues with the new Cybersecurity Framework

The White House just released a Cybersecurity Framework developed by the National Institute of Standards and Technology, designed to help critical industries both secure their networks and recover from successful breaches. While a move in the right direction, there are some foreseeable issues with the guidelines. Here are the top 3 concerns and reasons businesses might not be so eager to rush towards adoption.

1) Voluntary is as voluntary does

Put simply, there are no teeth to the new standards, as compliance is completely voluntary. So why are security standards for critical pieces of infrastructure not mandatory? For one, the political gridlock that has affected most things has also impacted security efforts (and also ensures no incentives such as tax breaks for adoption will be forthcoming anytime soon - and the last time I checked, businesses were still coin operated). But more so, it's because the fear of governmental backdoors and spying has created a climate of fear inhospitable to any legislation that would require mandatory measures (or network access) for any industry. Corporations have fought back hard against any meaningful legislation. After Snowden, it's hard to find fault with that. But for things whose security affects all of us, there has to be something better than "enlightened self interest."

A lot of my security friends scoff at the notion that legislation can do anything to help solve our significant security challenges (pretty sure nobody would ever describe the average security professional's disposition as 'sunny'). I'm definitely not proposing that as a sole solution--most of all, because that's not nearly enough. Ask Target what being PCI compliant got them. Or to further that line of devil's advocation...like laws keep criminals from doing anything. Those are both reasonable arguments. But what legislation can do is provide the appropriate amount of security budget for government agencies that protect data valuable to all of us. What it can do is move us towards a technology embraced by the rest of the developed world such as chip and pin credit card technology. And if it matters enough, it can create the proper sense of urgency across a broad spectrum of both private and public constituencies (see #3 below).

2) The government's own track record on security is woeful

Every now and then, I read something security related that at first scares me, but ultimately serves to make me want to throw things across the room. The Federal Government's Track Record on Cybersecurity and Critical Infrastructure was one of those. Qwerty much? Information potentially exposed was shocking and included a listing of weaknesses in dams and sensitive Nuclear Regulatory Commission material. Agencies and departments known to have suffered some form of successful penetration included the Departments of "Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the US Copyright Office; and the National Weather Service." Keep in mind, this was still a governmental report, and does not include things that had already been mitigated (surely). But when free email account passwords require more complexity than elements of our national infrastructure, it's a problem for much more than just governmental credibility on the subject of cybersecurity. If nothing else, at least there was ample material from which to discover what not to do.

3) Two years to comply is possibly a lifetime in cybersecurity

While there are no corporate compliance requirements, there is a mandate that government agencies adopt these new standards within the next two years. Considering the above two points, that's a lengthy approach, to say the least.

There's been a growing sense in the security community that security just continues to get worse. I write about it frequently (and I'm not the only one). For instance, just since 2009, the average amount of time to resolve a successful breach has grown 130%. It begs the question: do we have two years? Let's hope it doesn't take a cyber attack that costs human life before we achieve the proper sense of urgency on issues such as these.

The opinions expressed above are the personal opinions of the authors, not of HP.