Last week, ITI submitted its comments in response to the important and much-anticipated Preliminary Cybersecurity Framework issued by the National Institute of Standards and Technology (NIST). Since the Framework plan was put forward in February 2013 as part of President Barack Obama’s cybersecurity Executive Order, we have fully supported the collaborative concept behind it -- a concept in which NIST takes the lead in coordinating with all interested stakeholders in the development of a security framework that 1) is based on existing, voluntary, consensus-based standards and best practices; 2) allows critical infrastructure (CI) owners and operators to identify, assess, and manage their cyber risks; and 3) is technologically neutral.
One of ITI’s six guiding principles regarding effective cybersecurity policies is the need to raise awareness about what all stakeholders can do to improve their own cybersecurity. The tech industry can build leading-edge security technologies and services. We all can share information on threats we see so as to better protect our networks. Law enforcement can track down and arrest bad actors. But all cyberspace stakeholders -- including CI owners and operators, as well as businesses of all sizes, citizens, and governments -- also need to know what steps they can take to reduce risks to their property, reputations, and operations.
What tools do cyberspace’s stakeholders have to do this? Some of the most essential tools are global, voluntary, consensus-based standards, guidelines, and best practices to manage cybersecurity risk. A range of such standards and best practices are developed (and continuously updated) in standards development organizations and other groups populated by some of the best, technically competent, innovative minds in the world. These standards and best practices are focused on what organizations need. Specifically, they help organizations identify potential cybersecurity risks, protect against various risks, and, if incidents occur, detect, respond to, and recover from them.
Many organizations in the United States voluntarily use many of these standards and best practices to improve their cybersecurity risk postures. But some organizations likely do not use enough of the standards and best practices that might help them. I would surmise this is not because such organizations lack a keen desire to improve their cybersecurity, but rather because they may not really know where to start or where to go next.
The NIST Framework aims to bridge this information gap, by seeking to help all interested entities -- CI owners, operators, and all others -- not only understand where to start, but also where they want to be and how to move forward. Significantly, the voluntary nature of the Framework allows flexibility for businesses to use those practices that fit their risk profiles, business models, and inherent interest in protecting their networks, customers, and assets. We believe the draft Framework is well on its way toward providing effective tools enabling much greater voluntary use of standards and best practices that can make a difference at the individual organization’s level, collectively raising all boats.
That’s why ITI’s comments stress how to make the draft Framework easier to understand by those who seek to use it -- and to give a more compelling case for them to do so. We urge NIST to create methodologies for key building blocks of the Framework, namely the implementation tiers and risk profiles, and amend guidance related to them to avoid unintended consequences. We also urge NIST to limit the privacy methodology to only those privacy-related considerations implicated by cybersecurity activities. Finally, we urge NIST to more clearly explain that the Framework references global standards and best practices. The Framework does this, but it’s not apparent unless you’re an expert on standards and know what you are looking at. A global audience is closely watching us develop this Framework, and it’s imperative that this audience understands the U.S. Government believes the most effective cybersecurity policies are workable globally.
We urge NIST to integrate our suggested changes. Doing so is essential if we are to achieve greater collective security and protect America’s citizens, critical assets, and infrastructures from ever-evolving cyber threats.