Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Mobile Device Management
- The Modern Federal Threat Landscape
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- Satellite Communications: Acquiring SATCOM in Tight Times
- Transformative Technology: Desktop Virtualization in Government
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
Industry driving development of first-ever critical infrastructure cyber framework
Thursday - 6/13/2013, 5:27am EDT
The National Institute of Standards and Technology is leading that effort called for in President Barack Obama's February Executive Order by bringing together industry and other private sector experts.
Obama's order gave NIST 240 days to release the first version of the framework, which is intended to be a continuously evolving, voluntary, baseline set of standards and practices to help safeguard the nation's critical infrastructure from attack.
So far in the first 120 days, NIST has held two public workshops and gathered more than 200 responses to its request for information on the framework process.
Patrick Gallagher, NIST's director, said industry input will determine what the preliminary version of the product looks like when it's released this fall.
"We use the word 'framework' as a term of art, but the idea is very simply to get industry to develop whatever it would take that, if implemented, would result in enhanced cybersecurity performance," he said during a Senate Appropriations Committee hearing on cybersecurity Wednesday. "That would include a large measure of standards."
The power to shape technologies
But Gallagher said industry needs to lead the standard-setting process. He said collectively, private sector companies have the capacity to understand what needs to be done on an ongoing basis. NIST, on the other hand, as a relatively small agency, does not.
Patrick Gallagher, director, National Institute of Standards and Technology
In its initial analysis of the industry input it's gathered so far, NIST says it's identified several common themes.
Among them, respondents overwhelmingly said the framework should encourage critical infrastructure providers to take a cybersecurity approach that's organized around risk management rather than rigid compliance. Also, respondents said the framework needs to take into account that many of the companies involved are multinational firms subject to international standards, and that the framework needs to be flexible enough to work across multiple sectors of the economy.
Gallagher said making the framework flexible will be a key determinant of whether it's actually adopted and used by industry.
"How generic or how sector-specific this framework looks is actually the exact question the participants in the framework are tackling," he said. "The good news is that in spite of the strong differences across sectors, they're all dependent on a core set of communication and IT technologies. One of the big advantages they have in all working together is that they can drive that performance into the market. They can then buy these IT services and IT equipment at a lower cost because they're helping to define the market. I think the bottom line is that doing good cybersecurity has to become good business. These framework processes have to be compatible with profitable and well-run companies, and it may very well turn out that the framework's more about management and business practices than it is about technical controls, and that's OK if it helps us achieve the level of performance we're looking for."
Lawmakers turn away from cyber
Gallagher's testimony highlighted one of the many tasks the White House directed agencies to take under the executive order, but it mostly was an aside during the hearing.
Gen. Keith Alexander, commander, U.S. Cyber Command
In the wake of those revelations, Gen. Keith Alexander, NSA's director and commander of the U.S. Cyber Command, told senators it's time for his agency to reassess the way it uses contractors in its intelligence operations.
"I have grave concerns over the access that he had, the process we did, and those are things I have to look into and fix from my end," he said. "I would point out that in the IT arena, some of these folks have tremendous skills to operate networks. That was his job for the most part. He had great skills in that area, but we have to go back and look at these processes, the oversight, where they went wrong and how we fix those."
In an interview with The Guardian, Snowden claimed that as a system administrator, he had data access that most intelligence analysts did not, including the ability to wiretap virtually any American's phone conversation.
JIE could solve some problems
Alexander said that's not true, and he knows of no way for any NSA worker to do what Snowden claimed. But he said it is true that he would have had greater access to data than most NSA employees.
"The administration of that IT infrastructure was outsourced about 14 years ago. Not just us, but many others in government. As a consequence, we have system administrators who are contractors working and running our networks," he said. "They don't have total visibility to the network, but in this case, this individual had access to key parts of it. That's of serious concern to us and something we have to fix."
Alexander said the Defense Department's envisioned transition to a future network infrastructure it terms the Joint Information Environment could solve some of the challenges.
"That is a huge step in the right direction," he said. "Cloud security and encrypting data are things that we can and should do. But that's going to take time and a significant effort, I don't want to mislead you. I wish we had it, and I wish we could go back in time."