Cross-Sector Flexibility, Industry Involvement Key to Cybersecurity Framework, Tech Industry Tells NIST
The framework will need to take into account how government and industry typically view critical infrastructure cybersecurity, Microsoft said. The government “tends to look at critical infrastructure as a monolithic collection of systems and services,” while industry “looks at core elements within its direct control or its contractual obligations to deliver services,” Microsoft said. If the government focuses too much on high-impact -- but low probability -- threat scenarios, the framework could include “requirements and compliance obligations that may not necessarily improve cybersecurity for critical infrastructure or private sector enterprises,” Microsoft said. The framework should be based on six foundational principles, Microsoft said -- risk-based, outcome-focused, prioritized, practicable, “respectful of privacy and civil liberties” and globally relevant. It should also include a cohesive risk assessment and risk management structure, Microsoft said.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Microsoft said its experience has shown there are four key global cyberthreats -- cybercrime, economic espionage, military espionage and cyberconflict. The federal government will need to “ensure that the Framework addresses the most critical threats and enables the best defenses against those threats,” Microsoft said. The framework will need to take “potential avenues for attack and exploitation” into account, as well as threat actors’ motivations and capabilities, and key assets and information that could be targeted, Microsoft said.
Cisco Systems said a cross-sector framework will need to function while also maintaining “flexibility, agility, and innovation across different types of infrastructure, architectures, and business models -- while at the same time recognizing and respecting the significant differences between and within the different sectors.” The framework will also need to be iterative and flexible enough to “allow best practices to evolve over time to meet those changing threats,” Cisco said. The framers will also need to ensure the framework focuses on “thoughtfully applied security” and to structure practices in a way that allows for sector-specific use, Cisco said. “One size does not fit all” in cybersecurity practices, but there are likely to be common themes that emerge over time, Cisco said (http://1.usa.gov/10QQKeW).
Cross-sector standards need to rely on consistent security ecosystem approaches, Level 3 Communications said. “Inconsistency in vendor security model approaches, or complete lack of [sic], requires the industry to customize and invent their own implementation solutions, if they have the capacity to even do so,” Level 3 said. “This causes a breakdown of security in the supply chain for providing and implementing security controls for deployed technology, making ’standards’ much different in implementation depending upon the maturity of the vendor platform being deployed and adopted.” Adoption of security automation protocols like CVE and OVAL, as well as other protocols like CMSS, SWSS and CVRF, is “key to building consistency in vendor solutions that allow a more refined security maturity model that can be normalized across sectors,” Level 3 said. Improving cybersecurity practices will revolve around advanced cybersecurity research that focuses on threat mitigation and vendor adoption of industry standard security models, Level 3 said (http://1.usa.gov/149mx2e).
Critical infrastructure providers need to “understand any gaps that may exist between their [Compliance Driven Security] postures and the current ’threatscape,'” VeriSign said. “A critical inspection of such gaps, perhaps, could identify would-be requirements that might be imposed on critical infrastructure and providers.” While CDS is an “important component of the overall security posture needed for cyber infrastructure ... we also feel that it should not be mistaken for a solution” to current and future cyberthreats, VeriSign said. The gap between CDS and Intelligence Driven Security (IDS) continues to grow as attackers’ tactics evolve, VeriSign said. Since the size of that gap remains unclear, “creating a framework to track and describe emerging threats would be a very useful first-step,” the company said. “It is our belief that a structured vehicle that could facilitate providers’ abilities to continually quantify the gaps between CDS and IDS, and which could inform information sharing efforts, would be invaluable in shaping future security frameworks and practices” (http://1.usa.gov/10R8YPV).
CTIA said any NIST-led framework should be “performance-based, industry-led, and internationally harmonized.” To remain flexible, the framework should remain industry-driven and avoid “technical or operational mandates,” CTIA said. Industry participants can create workable performance-based goals and scalable implementation, the group said. While agencies can help the industry formulate goals, they should not direct the discussion. While NIST has a lot to offer in the coming framework development process, its work “may be constrained because companies may be reticent to publicly share security information, and because policy-makers’ goals are not yet clear,” CTIA said (http://1.usa.gov/XBxEy4).
The Telecommunications Industry Association (TIA) said NIST and other agencies can help leverage public-private partnerships to address current and emerging threats, and should continue efforts to stimulate additional threat information sharing between the government and industry. The federal government can also aide in funding cybersecurity efforts by addressing “economic barriers” critical infrastructure operators face in addressing security issues, as well as prioritize funding for ICT and cybersecurity research and development, TIA said. While government has an important role to play, industry will need to be the ones to set and adopt the framework, TIA said.