Officials Cite Cybersecurity Progress Under NIST Framework, Say More To Do
The National Institute of Standards and Technology’s Cybersecurity Framework has bolstered efforts to protect critical infrastructure against cyberattacks, but there's much more to do, government and industry officials said Wednesday at a USTelecom forum. Department of Commerce officials said the NIST framework should be updated to incorporate lessons learned, and a former FCC and Department of Justice official said Congress needs to enact cybersecurity legislation to give industry liability protection and facilitate information sharing. A Commerce official also said the administration was working to adopt a new safe harbor for data transfers after a European court struck down the previous safe harbor arrangement (see 1510090023).
Numerous officials cited advances in implementing the 2014 framework, which detailed industry standards and best practices to improve the resiliency of critical infrastructure sectors, including communications, through voluntary, collaborative efforts. Alan Davidson, the Department of Commerce’s director of digital economy, said the framework had shifted the aim from preventing all cyberattacks to risk management that focused on responses and recovery. “We see initiatives with real progress that we can all rely on and leverage," he said, arguing the Internet's success cannot be taken for granted in the face of various challenges, including cybersecurity.
Adam Sedgewick, NIST senior information technology policy adviser, said his Department of Commerce agency has sought to increase awareness of the framework, provide the appropriate level of detail in guidance and work with international stakeholders. “We’ve been very pleased with the results,” he said. “Overall, it’s been a positive experience,” agreed Jeanette Manfra, counselor to the deputy secretary at the Department of Homeland Security, which helped coordinate agency implementation of the framework for critical sectors. NIST “did a fantastic job” working with agencies, said John Carlson, chief of staff of the Financial Services Information Sharing and Analysis Center.
The FCC’s Clete Johnson said the framework created a “common language” for communicating and managing cyber risks. “It’s really aimed at a common understanding, not necessarily a common approach,” said Johnson, chief cybersecurity counsel for the Public Safety and Homeland Security Bureau. To implement the recommendations in the communications sector, FCC Chairman Tom Wheeler advocated developing a “new paradigm” of collaboration that would not prescriptively tell industry what it had to do, but would go beyond “happy talk” and stimulate “dynamic” industry-led cybersecurity efforts, he said.
A Communications Security, Reliability and Interoperability Council report in March (see 1503180056) included a recommendation to allow companies to hold confidential meetings with the FCC to discuss their specific cyber risks and practices without fear of negative repercussions, Johnson said. “Companies have to know they’re not walking into trouble” by sharing information that could lead to an “enforcement action” or provide a “short-cut to a rulemaking,” he said, noting the commission was still fine-tuning administrative details and hopes to begin a “beta phase” this fall. "We've got to get this right," he said.
Wheeler said recently the meetings would discuss company cyber-risk management priorities, methods and effectiveness. "The FCC’s role is not to second-guess a company’s business judgment or to micromanage its implementation of the NIST Framework," he said in Oct. 7 remarks. "We simply care about one question: Are the cybersecurity protocols on which we jointly agreed working? It is a shared responsibility that must be a first priority for those who build and operate networks as well as those who oversee that activity."
Christopher Boyer, a CSRIC member who worked on the recommendations, said he believed the process had been “fairly successful” to date. “One of the reasons the framework has worked is precisely because it’s not a regulatory document,” said Boyer, AT&T vice president-global policy. Instead of presenting industry with a regulatory checklist of requirements, companies can adapt the recommendations to their specific situation, he said, adding that members are looking to get small and midsized companies more involved. Attorney David Turetsky, who heads Akin Gump's cybersecurity initiative, said it simply takes time for some industry practices to filter down to small companies, but he also called the NIST and CSRIC efforts successful.
Two officials said the NIST framework was a “living document” that could be improved. “It’s time for an update,” said Davidson, who said the Department of Commerce and other entities have learned valuable lessons that can be shared. “We certainly think some of the sector guidance could be applied more broadly,” said Sedgewick. Davidson also spoke of holding new multistakeholder processes to examine cybersecurity risks that fall between sectors and can be better addressed through coordinated efforts.
Turetsky said the efforts would accelerate if Congress would finally enact legislation to give companies liability protection when sharing cybersecurity information. “We need to move forward with real-time information sharing,” said Turetsky, a former FCC bureau chief and deputy assistant attorney general. He said the Senate seems close to striking a reasonable balance in the Cybersecurity Information Sharing Act (S-754), but added: “Cybersecurity and privacy are not at loggerheads." Cybersecurity is critical to privacy, he said. Carlson said all parties must understand serious adversaries populate cyberspace: foreign governments and interests, organized crime, terrorist groups and a variety of hackers.
The European court ruling against the data-transfer safe harbor was "disappointing," particularly the lack of a “glide path” for companies that relied on it, Davidson said. He said the administration was working closely with European partners to conclude a new safe harbor agreement, and he was hopeful of a positive outcome. “We feel a strong sense of urgency,” he said. Davidson also said President Barack Obama recognizes both the need to have strong encryption and to address the real concerns of law enforcement and national security agencies, though the administration is not pushing legislation for now.