As the Director of the Department of Commerce’s NIST, Patrick Gallagher is leading development of a cybersecurity framework of best practices as directed by President Obama’s executive order. We asked Dr. Gallagher to discuss the importance of the framework development, how industry can support these efforts and the expected impact it will have on critical infrastructure and telecommunications.
Q: Tell us about the importance of this framework. Why is industry participation so important?
A: So much that we as a nation depend on today is rooted in cyberspace including banking, health care and even the electricity powering our homes. This anytime, anywhere interconnected world brings with it a constantly evolving set of security challenges.
The framework will serve as a toolbox for organizations, drawing on standards and best practices already available. Any effort to better protect critical infrastructure must be supported and implemented by the owners and operators of that infrastructure. And it needs to make sense to them and other organizations from a business perspective.
Therefore our task hinges on bringing the right people with the right expertise to the table and making sure that the end product is something that resonates with senior executives. For the last several months, we’ve been soliciting information on current approaches to cyber threats and security measures, how to identify and manage risk, what standards, practices and guidelines exist or are needed, and how the framework should address these issues.
This approach will significantly bolster the relevance of the resulting framework, making it more appealing for industry to adopt. This multi-stakeholder approach leverages the respective strengths of the public and private sectors, and helps to develop solutions in which both sides will be invested. We don’t want to dictate solutions, but rather facilitate industry coming together to offer and develop solutions that the private sector is best positioned to embrace.
We mean it when we say that this shouldn’t be NIST’s framework or the federal government’s framework. It needs to be the private sector’s framework.
We believe the know-how and capacity to address these challenges are largely in industry, and embracing that is the best way to have an agile process that can keep up with rapidly evolving technology and threats. Having an industry-led process vastly increases the chances that the framework is compatible with business. The more we can align it with good business practices, what strong companies are already doing, the better. And with so many organizations operating on a global scale or at least in a global context, it is important that the framework include practices that can transcend borders.
Our goal, of course, is to get the framework accepted and in use so that it reduces cyber risks. At the same time, we need an approach that can keep pace with innovation and allows improved practices and technologies to be quickly adopted as they enter the marketplace.
Q: How will the Cybersecurity Framework improve the cybersecurity of critical infrastructure?
A: The Cybersecurity Framework is an important element in improving the cybersecurity of our critical infrastructure. It will allow a business or other organization to gauge how well prepared it is to manage cyber risks and what can be done to reduce those risks.
It is vital that companies identify and understand their digital and other assets and accurately assess the maturity of their cyber protections when stacked up against the threats and vulnerabilities so they can properly allocate resources. If they can assess their assets, current situation, and general and specific risks, they can make cost-effective cybersecurity risk management decisions.
The Cybersecurity Framework needs to be scalable, actionable, threat-informed, and risk-based. And it needs to be integrated into an organization’s and industry sector’s overall risk management.
Q: Where does the framework stand today?
A: We plan to have our first draft of the preliminary framework ready by the end of August, in time for our next workshop, Sept. 11-13 at the University of Texas at Dallas. We’ve received an incredible amount of input through a Request for Information, three workshops, and directly to us, including via email at email@example.com.
The San Diego workshop in July was very successful. We gained consensus on the elements of the framework including a section for senior executives and a users’ guide to help organizations understand how to apply the framework. We’ve updated the list of important functions an organization should focus on through its cybersecurity efforts to: Identify, Protect, Detect, Respond, and Recover. This gives us a language around which everyone can collaborate.