Matsui Urges NIST Develop Cybersecurity Framework Metrics
The National Institute of Standards and Technology should develop metrics and measurements to guide the cybersecurity framework (see 1909270056), said Rep. Doris Matsui, D-Calif., Tuesday. The framework has helped organizations assess cyber risks, but it must be a “living document,” she told the Information Technology Industry Council. NIST didn’t comment.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
COVID-19 created a fundamental change in the nature of work, with a larger share of the workforce operating from home, accelerating a change that has taken place over the past 15 years, Matsui said. This means increased reliance on personal devices and cloud services, which may not be secure, she added.
Modernizing information technology will allow the U.S. to build faster, more reliable and more resilient systems, said House Foreign Affairs Committee ranking member Michael McCaul, R-Texas, noting security modernization can’t be done without broader digital transformation.
The pandemic provides an opportunity to refocus efforts on policies that will strengthen cyber leadership, Matsui said. She cited the Internet of Things Standards Leadership Act, also by McCaul. HR-3811 encourages U.S. participation in international standard-setting bodies.
Providing metrics for continuous cybersecurity monitoring and validation would go a long way toward addressing internal and supply chain risks, said Tenable Chief Security Officer Bob Huber. An example of how the metrics might relate to the cloud would be quantifying things like patching cycles, patching cadence and other vulnerabilities, he said: There’s no “clearinghouse for metrics.”
Elevate cybersecurity discussions to the board level, Huber continued: It’s not the norm to have a cybersavvy director. Google Global Director-Security and Compliance Jeanette Manfra noted McCaul’s remark about security modernization. The pandemic highlighted the lack of investment in modernizing technology, which makes it more difficult to be agile, she said. To modernize, companies should prepare for future events like COVID-19 and associated downturns, she argued.
Criminal groups haven’t slowed their cyber espionage and attacks, said FireEye Senior Vice President Ron Bushar. He noted ransomware and extortion attacks rising, attributing some to the coronavirus. Manfra agreed, saying attackers are taking advantage of consumers and employees operating between personal and professional devices at home. Gmail continues blocking a large volume of traditional phishing scams, she said.