Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
NIST, industry begin journey to develop cyber framework
Thursday - 4/4/2013, 6:24am EDT
Two central themes emerged yesterday from the first listening session to implement President Barack Obama's executive order on cybersecurity.
The first was obvious: collaboration must underlie the entire process of creating a cybersecurity framework to improve how critical infrastructure providers protect systems and networks.
But it was the second theme that will set the path forward for how providers and government create the central piece of the executive order, signed by the President on Feb. 14. Industry officials say the cybersecurity framework, which will pull together existing cyber best practices and standards that can be used across all sectors, must go beyond the basics of managing security risks.
Representatives from the critical infrastructure providers told the National Institute of Standards and Technology, which hosted the event at the Department of Commerce in Washington, that most already address the basic risk issues.
"One of the problems that we struggle with is: what is the measure of success? Security is not a binary. It's not you are secure or you're not secure," said Terry Rice, the associate vice president for IT risk management and chief information security officer for Merck. "We struggle to determine precisely where we should be making investments. And it's not just within IT. It's also within, if I have a dollar, do I spend it on research on Alzheimer's or cancer or some other affliction, or do I spend it on protecting my information and systems?"
He added the framework needs to address how best to measure risk.
"I'm not talking about the thousands [of metrics] we have at the tactical level today," Rice said. "But how do those [come] together to answer questions about risk that will allow us to make decisions about where we make our investments."
Merck already has an enterprise risk management plan, which looks at the top 10-to-12 risks that could impact the company.
Rice said cybersecurity has become an integral part of that risk discussion.
Economics of cyber
But Rice and others in industry say the framework must take into account the economics of managing risk.
Michael Papay, the vice president for information security and cyber initiatives at Northrop Grumman Information Systems, said there is a constant tug-of-war between economic costs and risk. Every company must come to terms with how much money it needs to invest to mitigate the biggest risks.
Papay said if Northrop's data is not secure then neither is the government's or any of their partners such as Lockheed Martin, Boeing, Raytheon and a host of other companies. And, of course, the opposite is true too. If one of Northrop's partners' systems is not secure, that puts Northrop at risk just as well.
Papay said the cybersecurity framework can't lose sight of the economics issue and must provide a critical set of controls to balance all the factors.
Striking this balance will not be easy, but that's also why Patrick Gallagher, the director of NIST, said the goal is not to reinvent the wheel or, for that matter, standards and best practices.
"Our initial plan is to organize along three main topic areas: managing risk, cyber hygiene and tools and metrics. This is because, based on what we've heard already from our stakeholders in government and industry, these are the pieces that will be critical," Gallagher said. "How do we prepare for the evolving threat? What are the core practices that ought to be considered regardless of your organizational mission? What are the tools and techniques to support those goals?"
Additionally, NIST will work with industry to try to identify and fix gaps in cybersecurity, and develop a process and governance model to ensure the framework is dynamic as threats change.
Major efforts underway
Several representatives at the workshop said their sectors already are taking steps to not only secure their networks and systems, but find the best mix of investment to meet their business needs.
Deborah Kobza, the executive director and CEO of the National Health Information Sharing and Analysis Center, said her group is looking at cyber from an all-hazards perspective.
"We are working with the health sector and have put in place a national cybersecurity council that has both public and private sector health stakeholders on that council," Kobza said. "We are implementing a national health care and public health cyber response framework."
The framework is focused on how cybersecurity impacts medical devices, the networks to generate electronic health records and other related technologies.
The government has pushed for health IT over the past decade, including offering $19 billion in reimbursements to doctors and hospitals under the Recovery Act. Kobza said this influx of money exposed a weakness in information assurance, but also the impetus for improvement.