The Framework for Improving Critical Infrastructure Cybersecurity, newly released by the U.S. Commerce Department's National Institute of Standards and Technology (NIST), got tremendous play a year ago at the RSA Conference in San Francisco. Even though NIST is a non-regulatory federal agency, a capacity crowd attended former head of Homeland Security Michael Chertoff's talk during the "Special Forum on Cybersecurity: New Directions from the White House" session at the annual security confab.
Released on February 12, the NIST Cybersecurity Framework Version 1 debuted on schedule -- in time for this year's RSA Conference. Despite collaboration among government, industry and academia to develop the "voluntary, risk-based" framework, the initial clamor of the information security crowd has dissipated because little has changed. While the president's executive order proclaimed that the private sector should voluntarily follow the NIST cybersecurity guidelines -- which offer organizations, regulators and customers information on risk management, cybersecurity tiers and best practices -- the government cannot enforce the recommended measures.
If your organization is among the private-sector entities thankful to dodge the costs and headaches of complying with federal security regulations, be careful what you wish for. The release of the NIST framework comes at an awkward time for a U.S. government struggling to counter negative reports about its record on data privacy and cybersecurity. Many people are wondering why the federal government is not doing more to address cybersecurity on computer networks or taking action when sensitive data is breached. The questions persist despite ongoing revelations about NIST standards that may have intentionally weakened encryption and National Security Agency (NSA) surveillance programs. In addition to the growing threats posed by terrorists, nation states and malicious hackers, it's hard to find anyone who hasn't received an unsettling email from Target or notification from their banking institution that their debit and credit cards are once again being reissued due to the possibility of compromise. (The NIST framework offers guidance on "a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities.")
It's not a gigantic leap to wonder what has to happen before the tipping point is reached and federal legislation results. At least 46 states including early pioneer California (SB 1386) have security breach notification laws that legislate cybersecurity and discourage mishandling of unencrypted, personally identifiable information on computer networks. Massachusetts, Oregon and Minnesota have taken it a step further by developing security framework mandates or partial codification of Payment Card Industry Data Security Standards in an attempt to make liable companies that allow a breach.
As ubiquitous compromise and data theft raise urgent questions about adequate cybersecurity and risk management, are organizations doing enough to protect sensitive information? According to the2013 Global Encryption Trends Study sponsored by Thales e-Security and conducted by the Ponemon Institute, since 2005 more companies are investing in security programs that include enterprise-wide encryption strategies. Adoption of enterprise encryption strategies is highest in Germany, followed by the United States and Japan. The top five drivers for encryption programs in the United States are to lessen the impact of data breaches (59%), protect an organization's brand or reputation (45%), comply with data security or privacy regulations and requirements (36%), ensure an organization's privacy commitments are honored (32%) and reduce the scope of compliance audits (17%).
Perhaps, the irony in all this is that technology companies such as Microsoft, Google and Yahoo have banded together to strengthen their encryption strategies and legal protections so that the NSA can't eavesdrop on their customers' data in transit between servers. Microsoft plans to implement improved 2048-bit encryption enterprise-wide and across services such as Windows Azure, Office 365 and Outlook.com by the end of 2014.
Will your security program benefit from the guidelines in the NIST Cybersecurity Framework? Let us know where you stand. Send comments on this column to firstname.lastname@example.org.
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.