Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and Director of the National Institute of Standards and Technology (NIST), writes in the following piece about an interconnected world with cyberspace at its core, and asks: how do we protect today’s critical infrastructure?
Just about everything these days—from banking to health care to the electricity powering our homes—is rooted in cyberspace. While this anytime-anywhere world brings many benefits, it also brings with it a constantly evolving set of security challenges.
It is these security challenges that have motivated President Obama to direct the National Institute of Standards and Technology (NIST) to work with industry on a voluntary cybersecurity framework for better protecting the nation’s critical infrastructure.
The idea is to use existing standards, guidelines and best practices to reduce cyber risk across sectors and to develop capabilities that address the full range of quickly changing threats. The framework will provide a flexible toolkit that any business or other organization can use to gauge how well prepared it is to manage cyber risks and what it can do to strengthen its defenses.
It is vital that companies understand their digital assets and accurately assess the maturity of their cyber protections so they can allocate resources properly. These needs stretch across a spectrum: from maintaining awareness of existing threats, to preventing, detecting, and responding to attacks, to recovering from them.
Development of the framework is a NIST-coordinated but industry-led effort that draws on standards and best practices already available. Any effort to better protect critical infrastructure must be supported and implemented by the owners and operators of that infrastructure.
Our task hinges on bringing the right people with the right expertise to the table. For the last several months, we’ve been soliciting information on the current state of cyberthreats and security, how to identify and manage risk, what standards exist or are needed, and how the framework should address these issues.
Our first two meetings, in Washington, D.C. and Pittsburgh, were well attended, with a wide array of industries represented. We received more than 200 comments in response to our Request for Information. But we still need your input. We need to hear from you about what works and what additional tools you need.
As described in an update we’ve posted, we particularly want to hear more about foundational cybersecurity practices, ideas for how to manage privacy and civil liberties needs, and outcome-oriented metrics that leaders can use in evaluating the position and progress of their organizations’ cybersecurity status.
In a few weeks, we expect to post an outline of the preliminary cybersecurity framework, including existing standards and practices.
The framework will only be as good as the input received. So I urge you to get involved. Help us leverage the strengths of the private and public sectors and develop solutions in which both are invested.
The best way to ensure the security of the nation’s critical infrastructure is not by dictating solutions to industry. It’s by collaborating and encouraging innovation so that the private sector has effective, globally scalable practices that better protect against cyber threats and meet a wide range of business needs.
Learn more about upcoming events, such as the 3rd Cybersecurity Framework Workshop, where the private sector will be able to help NIST fill in the framework in more detail; read the full post on the Department of Commerce blog site; or submit your ideas and suggestions to firstname.lastname@example.org.