The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) released its draft of a voluntary cybersecurity framework on Oct. 22 that will allow both private and public companies that work with critical infrastructure to better evaluate cyber risk, and prepare better defenses against ever-increasing online attacks.
NIST's “Preliminary Cybersecurity Framework,” to be finalized in February 2014 after a period for public comment, originated with an executive order from President Barack Obama, which identified cyber threats to critical infrastructure as “one of the most serious national security challenges” and directed NIST to produce the framework document. See, “Improving Critical Infrastructure Cybersecurity,” Executive Order 13636 (Feb. 12, 2013). The new framework sets out specific steps and best practices for organizations (small and large, public and private) to follow in order to better protect the country's critical infrastructure.
“At minimum, what it does is it enables organizations to appreciate the need for greater risk assessment and risk management as it relates to cyber,” Tom Kellerman, vice president of cybersecurity for security software company Trend Micro Inc., told Internet Law & Strategy's ALM affiliate CorpCounsel.com. See, “Sci-Fi Web Videos Warn of Cyber Threats of the Future.”
The cyberthreat to critical infrastructure, Kellerman emphasized, is quite high. Street crime globally is down 10%, he said, but cybercrime has skyrocketed, largely because criminals realize that the most valuable information and critical points of attack can be found in online networks. “Every major organized crime syndicate in the world has created divisions dedicated to hacking,” he said.
The government's document sets out a risk-based approach to fighting cybercrime, outlining five basic functions for security strategies: identify, protect, detect, respond and recover. The framework imposes no legally binding regulations, but instead aims to serve as a model that companies can tailor to their own, more specific cybersecurity needs and circumstances.
Phillip Smith, senior vice president of government solutions at Trustwave Holdings Inc., an information security company, told CorpCounsel.com that the framework presents good guidelines for companies, but he stressed that it is still up to leaders at individual companies to implement them if the U.S. wants to make sure its infrastructure is fully protected. “I'm not advocating that the government try and regulate what should be done for security, but anytime you have a voluntary standard, how effective can it be?” Smith asked. See, “Using Managed Security Services to Battle Cyber Threats.”
He added that cyber-risk management at companies is also a sector- and business-specific undertaking. The framework sets out standards and best practices at “a high level,” he said, and it remains up to companies and their cybersecurity teams to create their own risk profiles and determine what are the gravest threats they face. “It's a good start,” he noted, especially as the framework “keeps cybersecurity on the front burner.”
Michael Kaiser, executive director of the National Cybersecurity Alliance, agreed that companies will have to figure out how they can leverage the new framework standards: “I think a lot of work will be done in sectors and within organizations themselves as they go through and figure out: what do these things mean for us?” See, “Happy National Cyber Security Awareness Month!”
Kaiser pointed to the document's potential to help public and private entities, as well as the companies and contractors they work with, take a long view on critical infrastructure security. “Hopefully it'll help us move away a bit from chasing the last threat and getting quagmired in this environment of constant threat and fear, to an approach where people can be more orderly and address the issue in a way that's adaptive to the company,” he explained.
Voluntary though it may be, the new framework, according to Kellerman, will raise the bar for in-house attorneys who want to show they are doing what they can to protect critical infrastructure from cyberthreats. He said that in the past, some in-house counsel have promulgated an “ideology of plausible deniability” when it comes to companies taking responsibility for cyber attacks, but with new standards like the NIST framework, that era is fading away. He predicted that the minimum standards of care established by the government's plan could lead to an increase in liability, and in class actions against companies over their real or perceived cybersecurity shortcomings.