Communications Industry Contributing ‘Leading Edge’ Cybersecurity Standards to Framework
The National Institute of Standards and Technology’s (NIST) second workshop to develop the Cybersecurity Framework, set to begin Wednesday, will delve deeper into actually creating the framework, industry officials said. NIST and the Department of Homeland Security are working with industries considered to be components of the U.S.’s critical infrastructure to draft the voluntary framework as directed by President Barack Obama’s cybersecurity executive order (CD Feb 14 p1). Participants are expected to begin creating the initial set of standards, best practices and procedures that will be included in the draft version of the Framework that’s expected to go public in October (http://1.usa.gov/Z5zzJD).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The communications industry’s years of work on cybersecurity issues likely puts it “at the leading edge in this area,” said Robert Mayer, USTelecom vice president-industry and state affairs. “We'll be able to show the gold standard for industry establishment of development, adoption and implementation of best practices.” The industry’s efforts included development of the Alliance for Telecommunications Industry Solutions’ cybersecurity framework and other industry standards body organizations’ guidelines, Mayer said. ATIS was among the groups that submitted their existing guidelines to NIST as part of the agency’s Request for Information (http://1.usa.gov/Z5zFB9). Participants at the workshop will use those responses and a NIST analysis of the comments as it crafts the framework. The industry has also been involved in cybersecurity work through the FCC’s Communications Security, Reliability and Interoperability Councils (CSRIC) II and III; work will now continue in the recently-announced CSRIC IV, he said. “We have things in place that we can put on the table and say ‘Look at the things we're already doing. You can check that stuff off because we've already been there, done that,” said Danielle Coffey, Telecommunications Industry Association general counsel. Many companies within the sector also provide cybersecurity services as part of their business portfolio, Mayer said.
The industry will also be able to contribute by continuing efforts to update cybersecurity standards, said John Marinho, CTIA vice president-cybersecurity and technology. A cybersecurity summit during CTIA’s annual meeting last week focused on the industry’s current best practices and how to evolve them in the future. The summit also discussed ways to educate consumers about cybersecurity, he said. “That whole aspect of consumer education and having a blueprint for technology as we go forward becomes critical because it creates what [NIST Director] Patrick Gallagher talked about when the executive order first came out, which that this is a living document -- this is a living process,” Marinho said. Publication of the framework’s final version, expected in February 2014, will be “just the starting point, because from there it becomes an ongoing process to address these threats,” he said. “The threat actors are very sophisticated. They don’t play by the same roles the rest of us do.” Other industry groups are also continuing to work on cybersecurity issues outside of the framework process -- both ATIS and TIA are planning workshops on cybersecurity in June (CD May 15 p21).
The communications industry is self-motivated to advance its cybersecurity standards, so “it remains to be seen how helpful” the framework process is in “pushing us to go beyond where we've already gone,” Coffey said. The industry may be able to benefit from information on any vulnerabilities that other sectors have discovered in their own internal systems, since “all U.S. enterprises benefit from understanding new threats and vulnerabilities,” Mayer said. The communications industry can also learn more about other sectors’ individual requirements, Marinho said. “We see all of the different sectors, but haven’t had the ability to freely exchange information and freely collaborate,” he said. But learning about those vulnerabilities will only happen if information sharing becomes easier through laws like the Cyber Intelligence Sharing and Protection Act (CISPA), Mayer said. “Without that level of information sharing, and the liability protections that come from that, it will be impossible for us as a nation to engage in collective defense,” he said. Mayer was among the witnesses at a House cybersecurity hearing last week that called on the Senate to pass CISPA (CD May 22 p9). The bill passed the House in April.
NIST has fully embraced the “voluntary framework construct,” but Mayer said he’s concerned that Sections 9 and 10 of Obama’s order “could fundamentally undermine the voluntary framework.” Section 9 would determine which critical infrastructure sectors are at the “greatest risk” of cyberattack; Section 10 would require federal agencies to assess their cybersecurity regulatory requirements. Those sections have a “different feel to them,” Mayer said. “It’s helpful to recognize that a regulatory approach and a voluntary framework are mutually exclusive when you're looking at a single area of focus like cybersecurity.” Sectors that do not have much experience at addressing cybersecurity issues may need regulatory oversight once the baseline framework is set, “but that’s not the case with the communications sector,” Mayer said. “We've been at the vanguard on cybersecurity for decades. That’s our business.”