Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/3/2013
02:22 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

No Bold Moves On U.S. Cybersecurity Framework

New cybersecurity framework, to be created per a February Obama administration executive order, likely will draw heavily from existing cybersecurity standards.

Military Drones Present And Future: Visual Tour
Military Drones Present And Future: Visual Tour
(click image for larger view and for slideshow)
Even after months of outreach and research, the critical infrastructure cybersecurity framework created pursuant to the recent White House executive order might wind up as an aggregation of references to other, pre-existing standards instead of a comprehensively new framework.

However, that's not necessarily a bad thing, according to government and private sector cybersecurity leaders speaking at the National Institute of Standards and Technology's (NIST) Cybersecurity Framework Workshop at Department of Commerce Headquarters in Washington on Wednesday.

"The framework will probably be a set of references to existing standards," NIST director Patrick Gallagher said in remarks to a room full of public and private sector cybersecurity pros. Gallagher added that the framework seeks to create a "strong common language" around cybersecurity.

[ Is the nation at risk of cyber attack? Read U.S. Cybersecurity Status Weak, Reports Charge. ]

NIST is overseeing the development of the voluntary cybersecurity framework, which is one of a number of elements required under a February executive order that aims to improve critical infrastructure cybersecurity and encourage information to be shared between public and private sectors.

Government officials said they hope extensive outreach will encourage adoption. "We recognize that there are leaders in the private sector already implementing strong policies and procedures," said Jane Holl Lute, deputy secretary of the Department of Homeland Security. "We believe that the companies driving cybersecurity in their own current initiatives can help create best practices for all across the nation's critical infrastructure."

In a panel discussion after Gallagher, Lute and other government officials made introductory remarks, private sector cybersecurity executives echoed the need for a collaborative framework development process that draws on existing cyber standards.

"The bottom line to me is that an adopt-and-go approach, even though you may have to tailor it to your own environment, is much better than building from scratch," said Reid Stephan, information security manager at St. Luke's Health System in Idaho. St. Luke's has joined the National Health Information Sharing and Analysis Center (NH-ISAC) and has adopted a risk assessment approach based on NIST standards for risk assessment.

Government might also spark participation with incentives to companies that adopt the framework. The Department of Homeland Security, Department of Commerce, and the Treasury plan to issue a report to the President detailing various possible incentives, and Commerce recently issued a "notice of inquiry" to ask members of the public about incentives.

Initial development of the critical infrastructure cybersecurity framework will take place between now and October, when the first draft of the framework is due. The government is already actively gathering public input on a framework, with responses to a request for information due next Monday. The Department of Commerce also plans to hold at least three additional events beyond the Tuesday workshop, with the next event scheduled at Carnegie Mellon University in late May.

Beyond the references to other standards, it is unclear exactly what might go into the framework. NIST plans to organize framework development around three areas: managing risk, "cyber hygiene," and tools and metrics. "These are the pieces that will be critical," Gallagher said. "How do we prepare for the threat, what are the core protections that should be in place regardless of your mission, and what are the tools and metrics to be successful?"

The private sector representatives at the event proposed a number of possible content areas. Merck associate VP of IT risk management and chief information security officer Terry Rice said he'd like to see higher-order, standardized risk management metrics that draw on tactical cybersecurity data, and perhaps greater cross-industry standardization around identity management. St. Luke's Stephan called for a more risk-based than control-based framework.

Whatever the case, the end product will need to be flexible enough to grow with changes in technology, said Department of Commerce deputy secretary Rebecca Blank.

A well-defended perimeter is only half the battle in securing the government's IT environments. Agencies must also protect their most valuable data. Also in the new, all-digital Secure The Data Center issue of InformationWeek Government: The White House's gun control efforts are at risk of failure because the Bureau of Alcohol, Tobacco, Firearms and Explosives' outdated Firearms Tracing System is in need of an upgrade. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8105
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8106
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8058
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation coul...