John Gilligan (Maria Rock)
The much-anticipated National Institute of Standards and Technology (NIST) Cybersecurity Framework was formally released on February 12th. The expectation set for this Framework in the President’s Executive Order (E.O. 13636), released a year ago, was that the Framework would provide a “set of standards, methodologies, procedures and processes … to address cyber risks” in the nation’s critical infrastructures. Over the course of the past year, the emerging NIST Framework has benefited from substantial engagement with representatives from the public sector, academia and industry. NIST’s efforts in this regard are to be applauded.
My personal hope for the Framework was that it would provide critical infrastructure organizations with a tool that would clearly guide near-term cybersecurity efforts as well as a roadmap for additional incremental improvements over time. This hope was based on my strong view of the critical need for prioritized and authoritative guidance for near-term cybersecurity implementation efforts.
Study after study has highlighted that cybersecurity protections in most organizations are not effective in addressing the most common and easily launched cyberattacks. Recently, Michael Daniel, the President’s cybersecurity czar, noted at the Cyber Innovation Forum in Baltimore that, “Simple, cheap attacks are used multiple, multiple amounts of times to generate huge amounts of revenue for the bad guys, whereas it takes us lots and lots of money to propagate defenses across the network.”
My opinion is that the situation that Daniel laments results from a lack of focus in our cybersecurity investments, not from a lack of investment. Government and private sector organizations are spending many billions of dollars implementing a wide range of cybersecurity measures; all of these measures have a “home” in the NIST Framework. However, the lack of effectiveness of these investments is self-apparent. I found as CIO of the Air Force, and others have similarly demonstrated, that organizations can achieve rapid and dramatic improvements in cybersecurity with proper focus.
I assess the NIST Framework as a useful taxonomy that assigns widely recognized cybersecurity standards and guidelines into groupings or bins. However, in my view, it falls woefully short in contributing useful guidance toward the urgent need of protecting our critical infrastructure. This problem was described in the Executive Order a year ago as “one of the most serious national security challenges that we must confront.” If the NIST Framework is not going to provide the needed near-term guidance, where can critical infrastructure organizations go to find help?
Fortunately, I believe that there is a newly available source for the needed guidance. DHS announced at the recent RSA Conference the creation of a Critical Infrastructure Cyber Community Voluntary Program (C3VP). The C3VP has developed a checklist of baseline actions that is intended for state and local government elements of the nation’s critical infrastructure. To my pleasant surprise, and despite the clunky name of the initiative, the initial checklist developed by DHS for C3VP provides clear focus for near-term cybersecurity actions. Happily for the broader federal government team, the near-term actions recommended by DHS also map nicely to the NIST Framework.
The DHS checklist for C3VP includes 18 specific and easily understood actions to ensure a baseline level of cybersecurity protection. For example, the C3VP checklist includes the following four actions under the area of ‘Protect’:
1. Control Access Management System in place
2. Password Management System in place
3. Continuous vulnerability assessment
4. Securely configure hardware and software
For each action, DHS provides a set of clearly worded instructions for implementing it. Overall, I assess that the four-page C3VP checklist is outstanding as an initial focus for improving cybersecurity in our nation’s critical infrastructure.
Moreover, the C3VP checklist would appear to parallel near-term guidelines developed elsewhere. There is significant similarity between the C3VP checklist and the list developed by the Australian Signals Directorate, often called the “Top 4 Strategies to Mitigate Targeted Cyber Intrusions” (application whitelisting, patching applications, patching operating systems, and restricting administrative privileges). Studies conducted by the Australian Signals Directorate have demonstrated that implementing these four strategies can mitigate at least 85 percent of the targeted intrusion techniques it responds to.
The NIST Framework will continue to evolve. I am hopeful that the evolution will result in guidance that is practical and focused. Until that happens, I would strongly encourage the Federal government and other elements of our critical infrastructure to consider implementing the DHS C3VP checklist. Cyberattacks on the Nation’s critical infrastructure are increasing. It is time to focus our investments in areas that will provide near-term benefits. Kudos to DHS for the well-conceived checklist!