NIPP may not address realities of information security

By Stephen Barlas, Contributor
13 Jul 2006 | SearchSecurity.com

CISOs looking for guidance from the National Infrastructure Protection Plan (NIPP) released on June 30 by the Department of Homeland Security (DHS) may be scratching their heads for some time to come.

The final NIPP (.pdf), published after two earlier drafts were savaged by IT industry officials for downplaying the increasing risk from cyberattacks, at least glancingly mentions the imperative of protecting networks and servers. However, critics say that for what is intended to be a comprehensive risk management framework for the nation's infrastructure, details are skimpy and emphasis is lacking.

Thomas Lehner, director of public policy for the Business Roundtable, a lobbying group for Fortune 500 CEOs, said he was encouraged that the final NIPP included more references to cybersecurity. He cited document language basically stating that the interconnected and interdependent nature of the nation's critical infrastructure and key resources makes it problematic to address the protection of physical and cyber assets independently.

"The NIPP clearly incorporates cybersecurity; that is a plus," said John Sabo, director of security and privacy initiatives at CA Inc. Sabo is also president of the Information Technology Information Sharing and Analysis Center (IT-ISAC), a cybersecurity trade group.

But Sabo, Lehner and others worry that even though it is a significant improvement on the two previous versions, the final NIPP still has miles to go before CISOs can sleep peacefully.

For instance, Lehner said that while the NIPP makes the valuable "problematic to address…independently" statement, it never suggests avenues for merging physical and cyber protection.

Reconciling the two won't be an easy task, said Sabo, but that is what the 17 sector-specific councils are charged with doing in 180 days; that's the deadline for preparing individual infrastructure protection plans for the telecommunications, IT, financial service, chemical and other industries designated "critical" by the DHS. These plans will be based on the NIPP and sanctioned and released by DHS, but issued as guidance, meaning compliance by companies will be voluntary. The key part of each of those sector-specific plans will be a risk assessment of the possibility of a cyber or physical attack and an estimation of its effects.

Sabo argued, however, that it will be difficult for security pros in each industry to merge those two risk assessments, especially given the lack of specificity in the NIPP. "There is a complex web of issues which have not been dealt with in the NIPP," Sabo said.

For example, a dam -- like most physical assets -- is built to certain specifications in order to resist threats, such as a storm, of a specified magnitude. If the dam breaks, the result can typically be predicted. But if a vulnerability in an operating system is exploited, the asset, i.e. the computer, is not damaged. Rather, there is a loss of functionality throughout a network, the extent of which cannot be predicted in advance.

Other cybersecurity officials worry that the sector-specific plans will confine network security to a backseat as concern over dams, rivers, buildings and other physical assets drives each plan. "The NIPP focuses more directly on protection of physical assets," complained Lehner.

Still others wonder whether the NIPP or the voluntary sector plans will galvanize the private sector in the absence of a top DHS official to spearhead an industry assault on cybervulnerabilities. Paul Kurtz, executive director of the Cyber Security Industry Alliance, is a key voice in this camp. He co-chairs the IT sector coordinating council (SCC) work group writing that sector plan.

While Kurtz said that the eventual IT sector-specific plan can be valuable, even if compliance is not mandatory, he said the bigger need isn't for plans, but rather for "an interlocutor who is in a position to effectively get things done." The DHS created a new position of assistant secretary of telecommunications and cybersecurity one year ago. It has remained vacant.

"It is appalling we don't have a person in that job yet," Kurtz said. The top cybersecurity official at DHS is Andy Purdy, acting director of the National Cyber Security Division at DHS. He reports to Robert Stephan, assistant secretary for infrastructure protection. Kurtz asserted that Purdy has little sway inside DHS or among private sector organizations.

Stephen Barlas is a freelance writer based in Washington D.C.
