NIST, DHS push for more engagement around cyber framework

Thursday - 3/27/2014, 4:18am EDT

Lauren Larson reports.

Six weeks into the implementation of the White House's framework to help protect the nation's critical infrastructure, federal officials say they are seeing progress, but also areas that need help from Congress.

Despite initial skepticism from industry, the National Institute of Standards and Technology and the Homeland Security Department are figuring out how to keep the private sector engaged and participating in improving cybersecurity.

"How do we continually, in a phased approach, maintain the private sector's involvement as we do the adoption? We will learn. We're putting all our resources out to the private sector. We are not asking them to report if they've used it or not," said Phyllis Schneck, deputy undersecretary for cybersecurity at the National Protection and Programs Directorate at DHS. "We want to look at our outreach, study our metrics and stay involved with large companies. And [we're] asking their suppliers to be more secure, so that when you connect to a smaller company, you don't endanger the larger company. ... A lot of basic cyber hygiene and guidelines that are mentioned in this framework could have prevented a lot of the attacks that we've seen thus far."

Schneck came to DHS from the private sector six months ago. She witnessed phase one of building the cyber framework from the industry perspective.

"The success of this, as I saw in the first phase from the private sector, comes from the fact that the private sector is very bought-in," she said. "They know that they designed this thing with us, with NIST. They have a lot of trust in that. So, we want to maintain their input as we build how we rate the success."

Every company has a different level of cybersecurity awareness. Schneck said small businesses may pose the biggest threat to the security of all companies.

"Small to medium business, that's a huge risk. These are companies that have no idea, in many cases, that they have something to protect, and yet they are connecting to everyone else, making the rest of us less secure with very small budgets," said Schneck.

She emphasized the importance of building a culture of cybersecurity.

"Many in the field say that there are two kinds of companies and entities right now: those who know they're compromised and those who don't," Schneck said. "So the issue is, how do we raise cybersecurity to a business discussion? I think the framework and the voluntary program will get it to the boardroom, because it becomes part of the risk. We don't force people to lock their doors and, yet, they do. So, this is part of a culture of security that has been talked about for 12 years."

Liability protection

While DHS and NIST are trying to build the partnership, Congress needs to address liability protection for companies.

Sen. Ron Johnson (R-Wis.) said fear of legal entanglements may be hindering participation. He pushed for broader liability protection, saying the less likely a company is to be sued, the more likely it is to share information.

"Right now, it seems to me that we are erring on the side of limited liability protection or no liability protection," he said. "As a result, we're not getting the information that everybody believes is absolutely crucial if we're going to provide cybersecurity."

Schneck said companies want to know that reporting to the government is not going to hurt them in some way. She said the more comfortable the private sector is with the relationship, the more information will come in. She said the administration's plan for targeted liability would be helpful.

"I think that the targeted liability protection that the administration is looking at right now would help us because it would protect companies in the instances defined to share information, and they wouldn't get hurt by that and wouldn't be liable, nor would their shareholders," she said. "It wouldn't be so broad that it threatens — even the perception of threatening — our privacy and civil liberties, because we are fighting to protect our way of life. So, it's a balance."

She also offered a word of caution.

"We need the experts from the science side, the legal side, the administration to find that balance. Because we don't want to err on the side of not honoring the privacy and civil liberties that we are all here to fight to keep," Schneck said.

What about the workforce?

DHS and NIST also must address workforce issues, as finding the people to do the cyber work hasn't been easy, officials say.