President Obama’s forthcoming Cybersecurity Framework won’t create an entirely new set of standards for banks, defense companies, and other members of the critical infrastructure, the director of the National Institute of Standards and Technology said today.
The framework “is basically going to be a collection of, probably references to existing standards,” said NIST Director Patrick Gallagher.
Obama’s Feb. 12 executive order directed NIST to produce a framework of “voluntary consensus standards” for members of the critical infrastructure to follow.
Regulation-wary executives weren’t sure whether that meant entirely new standards would be crafted in the span of the order’s 240-day timeline for producing a first draft of the framework.
The framework is one element of a shift in cybersecurity strategy by the White House. Attempts to improve cybersecurity through legislation have failed repeatedly, so the administration wants to push the private sector to agree on a common set of voluntary security standards that would be regularly updated.
NIST plans to drive the process, but says it wants input from the industry and outside experts about the technologies and practices that should be included in the framework.
Companies and universities have until April 8 to respond to a request for information. Workshops with the industry are also planned, including today’s at the Commerce Department headquarters in Washington, D.C.
“This is the last workshop where we will sit and talk at you,” said Matt Scholl, deputy chief of NIST’s Computer Security Division.
The next workshop is scheduled May 29 - 31 at Carnegie Mellon University in Pittsburgh.
Excerpts from the workshop >>
Complacency >> “I also worry a little about whether we’re setting a false sense of security by saying here’s a framework: Follow the framework and you’re going to be secure.” -- Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center
Information sharing >> “We absolutely need a better mechanism for getting actionable intelligence into our companies. I think the ISAC mechanisms are the right approach to that.” -- Terry Rice, chief information security officer, Merck & Co.
Vulnerable vendors >> “If our adversaries are all trying to attack tier 1 integrators, and you realize, wow, these guys are really up on their game; they know where the threats are coming from; they beat us every single time, (adversaries will) move down the chain.” -- Scott Algeier
Collateral damage >> “The whole concept of the doctrine of cyber warfare is still being written. We don’t know how to behave in a cyber conflict – we nation states, where the power system, the water system, the health system and others are getting collateral damage.” -- Tim Roxey, chief cyber security officer at the North American Electric Reliability Corporation.
Gallagher on the framework >> “The framework itself, as I said, is basically going to be a collection of, probably references to existing standards. By the way, there may be more than one in different areas. The U.S. standards process is wonderfully competitive. We often have lots of options there. There’s no reason we have to walk away from that.”