NIST, industry begin journey to develop cyber framework

Thursday - 4/4/2013, 6:24am EDT

Jason Miller, executive editor, Federal News Radio


Two central themes emerged yesterday from the first listening session to implement President Barack Obama's executive order on cybersecurity.

The first was obvious: collaboration must underlie the entire process of creating a cybersecurity framework to improve how critical infrastructure providers protect systems and networks.

But it was the second theme that will set the path forward for how providers and government create the central piece of the executive order, signed by the President on Feb. 14. Industry officials say the cybersecurity framework, which will pull together existing cyber best practices and standards that can be used across all sectors, must go beyond the basics of managing security risks.

Representatives from the critical infrastructure providers told the National Institute of Standards and Technology, which hosted the event at the Department of Commerce in Washington, that most already address the basic risk issues.

"One of the problems that we struggle with is: what is the measure of success? Security is not a binary. It's not you are secure or you're not secure," said Terry Rice, the associate vice president for IT risk management and chief information security officer for Merck. "We struggle to determine precisely where we should be making investments. And it's not just within IT. It's also within, if I have a dollar, do I spend it on research on Alzheimer's or cancer or some other affliction, or do I spend it on protecting my information and systems?"

He added the framework needs to address how best to measure risk.

"I'm not talking about the thousands [of metrics] we have at the tactical level today," Rice said. "But how do those [come] together to answer questions about risk that will allow us to make decisions about where we make our investments."

Merck already has an enterprise risk management plan, which looks at the top 10-to-12 risks that could impact the company.

Rice said cybersecurity has become an integral part of that risk discussion.

Economics of cyber

But Rice and others in industry say the framework must take into account the economics of managing risk.

Michael Papay, the vice president for information security and cyber initiatives at Northrop Grumman Information Systems, said there is a constant tug-of-war between economic costs and risk. Every company must come to terms with how much money it needs to invest to mitigate the biggest risks.

Papay said if Northrop's data is not secure, then neither is the government's or that of any of its partners, such as Lockheed Martin, Boeing, Raytheon and a host of other companies. And, of course, the opposite is true too: if one of Northrop's partners' systems is not secure, that puts Northrop at risk as well.

Papay said the cybersecurity framework can't lose sight of the economics issue and must provide a critical set of controls to balance all the factors.

Striking this balance will not be easy, but that's also why Patrick Gallagher, the director of NIST, said the goal is not to reinvent the wheel or, for that matter, standards and best practices.

"Our initial plan is to organize along three main topic areas: managing risk, cyber hygiene and tools and metrics. This is because, based on what we've heard already from our stakeholders in government and industry, these are the pieces that will be critical," Gallagher said. "How do we prepare for the evolving threat? What are the core practices that ought to be considered regardless of your organizational mission? What are the tools and techniques to support those goals?"

Additionally, NIST will work with industry to try to identify and fix gaps in cybersecurity, and develop a process and governance model to ensure the framework is dynamic as threats change.

Major efforts underway

Several representatives at the workshop said their sectors already are taking steps not only to secure their networks and systems, but also to find the best mix of investment to meet their business needs.

Deborah Kobza, the executive director and CEO of the National Health Information Sharing and Analysis Center, said her group is looking at cyber from an all-hazards perspective.

"We are working with the health sector and have put in place a national cybersecurity council that has both public and private sector health stakeholders on that council," Kobza said. "We are implementing a national health care and public health cyber response framework."

The framework is focused on how cybersecurity impacts medical devices, the networks used to generate electronic health records and other related technologies.

The government has pushed for health IT over the past decade, including offering $19 billion in reimbursements to doctors and hospitals under the Recovery Act. Kobza said this influx of money exposed a weakness in information assurance, but also provided the impetus for improvement.