Senate Commerce Pushes for New Cyber Legislation During Hearing on NIST Framework
Senate Commerce Committee members used a hearing Wednesday on the National Institute of Standards and Technology’s Cybersecurity Framework to call for further cyber legislation, including cybersecurity information sharing and data breach notification. NIST released its “Version 1.0” framework almost a year ago (see report in the Feb. 13, 2014, issue) and continually has emphasized that private sector use of the framework is entirely voluntary. NIST Information Technology Laboratory Director Charles Romine told Senate Commerce that the Cybersecurity Framework needed to remain voluntary for NIST to continue receiving active participation from industry stakeholders in developing the framework. NIST is set to lead a technical workshop on the framework at Stanford University Feb. 12, the day before a planned White House-sponsored cybersecurity summit. President Barack Obama is expected to outline executive actions at the summit that will facilitate cyber information sharing via the Department of Homeland Security, an industry lobbyist told us.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Senate Commerce Chairman John Thune, R-S.D., led the push Wednesday for new cybersecurity information sharing legislation, saying it’s an “absolutely necessary missing piece” following Senate passage of five DHS- and NIST-centric cybersecurity bills in December. Congress’s Homeland Security and Intelligence committees are also involved in developing information sharing legislation, with the Homeland Security committees considering proposals that would put DHS at the center of domestic cyber information sharing and the Intelligence committees considering whether to again focus on some form of the controversial Cyber Intelligence Sharing and Protection Act.
Senate Commerce ranking member Bill Nelson, D-Fla., said he’s skeptical that a fully voluntary NIST framework can be effective in the long term without definitive metrics on private sector use of the framework. Voluntary use of the framework is only effective “as long as everybody is volunteering,” Nelson said. He said he’s concerned that “as strong as the framework is, and as much as I trust that companies and industry sectors are working towards adopting it, there is no way to actually verify that progress.” No metric currently exists to “determine how rapidly and effectively companies are using the framework to strengthen their cybersecurity or whether companies are even implementing the framework,” Nelson said. “Until then, the framework will never fulfill its potential.”
NIST is working to create effective metrics of framework use, Romine said. “The amount of momentum is pretty striking” given that the framework is still less than a year old, he said. Sen. Gary Peters, D-Mich., said the correct metric for NIST framework use isn’t “how many folks are adopting the framework, but how effective it is.” Other federal agencies already collect some cybersecurity-related data, said Jim Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program. Available statistics from the FBI and U.S. intelligence agencies on foreign hacking “would suggest we’re not doing so well,” Lewis said. The NIST program will only remain voluntary until “there are too many incidents to ignore,” he said.
Industry stakeholders said private sector adoption of the NIST framework has been effective, though Nelson wondered how they could say that “everything’s working” given recent data breaches at Sony Pictures (see 1502040030">1502040030) and other entities. “The threat is quickly evolving,” said Ann Beauchesne, U.S. Chamber of Commerce vice president-National Security & Emergency Preparedness Department. The private sector relies on the NIST framework’s flexibility and “want[s] to protect their information,” she said. Silver Star Communications Chief Financial Officer Jefferson England said that the framework “helped provide us with a disciplined approach to reviewing cybersecurity practices within our organization” and that the voluntary nature of the framework “has been key to success” for the Wyoming-based telco.
Nelson’s concerns about whether the NIST framework should remain voluntary are a “180-degree” turn from “what people have been saying” since NIST began its development in early 2013, said Arent Fox Senior Government Relations Director Alex Manning, former staff director for House Homeland Security’s Cybersecurity Subcommittee. Voluntary framework use has been central to NIST’s development of the framework “from the get go,” he said in an interview. Nelson’s comments ultimately will only “muddy the waters” on cybersecurity legislation rather than presenting a serious impediment, given that most other senators were in favor of keeping the framework voluntary, Manning said.
Sen. Richard Blumenthal, D-Conn., said there needs to be “greater government direction” on incentives to encourage private sector improvements to cybersecurity. “We are susceptible now by choice,” he said. “The best and most immediate response is for the private sector to do more with the encouragement and incentives that the government can provide.” The five cybersecurity bills that Congress passed in December mainly codified existing cybersecurity work at DHS and NIST, but didn’t address incentives like liability protections for companies that strengthen their cybersecurity.