NIST Cybersecurity Framework and Related Efforts Hurt More Than Help, GMU’s Mercatus Center Says
George Mason University’s Mercatus Center criticized recent federal government efforts to improve cybersecurity protections for critical infrastructure sectors, arguing in a report Thursday that those efforts “trade emergent resilience of the Internet for opaque control of it” (http://bit.ly/1nsRnsc). President Barack Obama’s 2013 cybersecurity executive order, among other things, resulted in the National Institute of Standards and Technology’s collaboration with the private sector on the voluntary Cybersecurity Framework, with the “Version 1.0” framework going public in mid-February. The Department of Homeland Security is now using its Critical Infrastructure Cyber Community program to encourage the private sector to use the framework (CD Feb 13 p5).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Although the framework is voluntary, some regulatory agencies are directed under the executive order to examine their own rules to see where cybersecurity rules could be changed. The SEC issued a directive Monday outlining potential questions its examiners may ask financial institutions during inspections about past cybersecurity incidents and their current cybersecurity plans (http://1.usa.gov/1l31ruI).
The Cybersecurity Framework draws from industry best practices that “are more robust, effective, and affordable than state-directed alternative,” and companies “already have intrinsic incentives to develop cybersecurity solutions” without government backing, the Mercatus Center said. The federal government can improve its cybersecurity response by more narrowly defining which sectors constitute critical infrastructure, purchase cybersecurity insurance for federal agencies to stimulate the private cyber insurance market and declassify additional information on known cyberthreats, the Mercatus Center said. James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program, told us he does not believe all critical infrastructure sectors have incentives to improve their cybersecurity without government help.
The executive order and proposed cybersecurity legislation that’s currently stalled in Congress has been influenced by concerns about a potential “digital Pearl Harbor” that have thus far not materialized, said report co-author Eli Dourado, a Mercatus Center research fellow, in an interview. “We don’t see any evidence that these cyberdoom scenarios are likely to happen,” he said. “We do see a lot of data breaches where customer and taxpayer data is exposed, a lot of cyberespionage and a lot of cybercrime.” But those incidents are “different propositions” from the threats to critical infrastructure that prompted the executive order, Dourado said.
The recently publicized Heartbleed bug (CD April 11 p10), for instance, is a “serious vulnerability and it’s one that the community has responded to by patching the vulnerability, by upgrading servers, by changing passwords,” Dourado said. “I haven’t heard anyone suggest anything in the Cybersecurity Framework that would make that problem less severe.” Heartbleed is “a severe problem from a technical perspective, but yet we haven’t seen major fallout. It’s not the equivalent of planes falling out of the sky -- the type of digital Pearl Harbor rhetoric that we sometimes hear.”
The Mercatus Center is correct that the concerns about a “cyberdoom scenario” have proven unfounded thus far, but it’s incorrect in suggesting that all critical infrastructure sectors have sufficient incentive on their own to improve their cybersecurity, said Lewis, of CSIS. The Obama administration attempted to “cut down the middle” between instituting government-mandated cybersecurity standards and leaving standards development entirely to the private sector, Lewis said. “By itself I don’t think the entire private sector can do it,” he said. “The telecom sector and the financial sector have extremely powerful incentives to do work on cybersecurity, but for other sectors the picture is much more uneven.” Both sectors were heavily involved in NIST’s creation of the Cybersecurity Framework. If every sector had that inherent level of incentive to improve its cybersecurity, “we wouldn’t see every company under the sun getting hacked every other week,” Lewis said.