Though development is still underway, the government is looking for early adopters of its cybersecurity framework to better understand what helps businesses improve security and what should be changed in future versions.
“If the framework only lives on a piece of paper, we haven’t done our job,” Patrick Gallagher, director of the National Institute of Standards and Technology, said at a public workshop in Dallas Wednesday.
To be successful, the security standards need industry blessing, Gallagher said, and this week’s event gives stakeholders a final chance to nitpick details before a finished draft is published for public comment in October.
Business groups said they generally support a framework so long as it remains voluntary and doesn’t create new burdens for industries with their own security standards.
Flexibility is also crucial.
The point of the framework is to develop a common language for companies of all sizes in more than a dozen industries responsible for U.S. critical infrastructure. Each industry and company faces unique threats, though solutions to mature defenses can be shared.
Some companies are aware of cyber risks. Others don’t know they’ve already been hacked.
Kyle Maxwell, a senior network security researcher at Verizon, said defense levels can vary considerably.
Some companies broadly collect threat data — things like bad IP addresses and domains — and generally know that bad things can breach their systems. But Maxwell said the most savvy companies learn how to analyze that data and anticipate the threats they are likely to face.
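To make the distinction Maxwell draws concrete, here is an added example (editor-supplied illustration, not code from Verizon, NIST or the workshop). The script first does the simple thing, matching outbound proxy log lines against a blocklist of IP addresses, networks and domains, and then does the analysis step, looking for clients that contact the same host at near-constant intervals, a beaconing pattern that stands out whether or not the host is on anyone's list. The log lines, indicators and addresses are all constructed for the example (RFC 5737 documentation ranges and reserved example domains).

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed indicator lists (documentation addresses and example domains,
# not real threat intelligence).
BAD_IPS = {"198.51.100.23"}
BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BAD_DOMAINS = {"evil.example", "c2.example.net"}

# Constructed outbound-proxy log:
# "<ISO timestamp> <client ip> <destination host> <destination ip>"
SAMPLE_LOG = """\
2013-09-11T10:00:00 10.0.0.5 www.example.com 93.184.216.34
2013-09-11T10:00:05 10.0.0.7 c2.example.net 198.51.100.23
2013-09-11T10:05:05 10.0.0.7 c2.example.net 198.51.100.23
2013-09-11T10:10:05 10.0.0.7 c2.example.net 198.51.100.23
2013-09-11T10:15:05 10.0.0.7 c2.example.net 198.51.100.23
2013-09-11T10:02:00 10.0.0.9 cdn.evil.example 203.0.113.77
2013-09-11T10:03:00 10.0.0.5 mail.example.org 192.0.2.10
"""


def parse_line(line):
    """Split one log line into fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, host, dest_ip = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": host.lower().rstrip("."),
            "dest_ip": ipaddress.ip_address(dest_ip),
        }
    except ValueError:
        return None


def domain_matches(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None


def ip_matches(ip):
    """Return the listed address, or the listed network containing ip, else None."""
    if str(ip) in BAD_IPS:
        return str(ip)
    for net in BAD_NETS:
        if ip in net:
            return str(net)
    return None


def match_indicators(log_text):
    """List matching: [(line_no, reasons)] for each line touching a listed indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        d = domain_matches(rec["host"])
        if d:
            reasons.append(f"domain:{d}")
        i = ip_matches(rec["dest_ip"])
        if i:
            reasons.append(f"ip:{i}")
        if reasons:
            hits.append((n, reasons))
    return hits


def find_beacons(log_text, min_hits=3, jitter_seconds=10):
    """Behavioural analysis: (client, host) pairs contacted at near-constant intervals.

    Needs no indicator list, so it can surface command-and-control traffic to a
    host nobody has reported yet. Returns {(client, host): interval_seconds}.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            times[(rec["client"], rec["host"])].append(rec["ts"])
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log lines need not arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons[key] = statistics.median(gaps)
    return beacons


if __name__ == "__main__":
    for n, reasons in match_indicators(SAMPLE_LOG):
        print(f"line {n}: indicator match {reasons}")
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host} every {interval:.0f}s (possible beacon)")
```

On the constructed log, list matching flags the four connections to c2.example.net and the one to cdn.evil.example (a subdomain of a listed domain, with a destination inside a listed network); the interval analysis independently singles out 10.0.0.7 checking in with c2.example.net every 300 seconds, which is the kind of conclusion a plain blocklist cannot reach on its own.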
Security vulnerabilities can be internal — on the company’s own servers, for instance — but they also exist anywhere data flows, Maxwell said, such as at accounting firms, at law firms, or in employees’ homes.
“Think about supply chain in this broader perspective of how do I know that my outside counsel is not getting destroyed by my adversaries?” Maxwell said on a workshop panel.
A framework discussion draft published in late August asks companies to outline their own risks and contemplate their ability to respond to problems.
Companies decide how mature their systems are currently and consider ways to improve.
Jeff Greene, a security expert at Symantec, said individualizing the framework is key to its effectiveness.
“If the framework is going to work, it’s important to realize that the application is going to be different from company to company, and even within companies,” Greene said.
The framework doesn’t dictate protocol, Gallagher said, but rather gives companies a way to organize and prioritize security.
NIST wants the framework to appeal to all levels of a company, from the front line to the executive suite, and the agency is asking for industry input on how the framework can evolve and better align with companies’ business goals.
The August discussion draft asks for feedback on whether the proposed framework is specific enough to be useful for companies and asks industry for ideas on how to make the framework cost-effective.
With industry input so crucial, Gallagher also sought to reassure stakeholders that the agency’s public vetting process is credible, despite recent news reports that a 2006 encryption standard had been intentionally weakened by the National Security Agency to allow for spying.
“We would never work with anybody to deliberately weaken that,” Gallagher said.
Gallagher’s remarks echo a statement released yesterday by NIST in response to reporting by the New York Times and ProPublica.
This week’s workshop runs through Friday at the University of Texas at Dallas and is the fourth and final workshop since a February executive order tasked NIST with developing the cybersecurity framework.
A framework draft is due for public comment on Oct. 10.