Thales Blog

The U.S. Cybersecurity Framework

March 18, 2014

Only Suggestions and Encouragement – When we are at Cyber War

All you need to know about why the presidentially directed cybersecurity framework effort by the National Institute of Standards and Technology (NIST) represents (at best) minimal progress in our war against cybercriminals and nation-state actors is summed up in the second paragraph of the summary. The framework states that: “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that “encourages” efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” Essentially, the framework only “encourages” industry (i.e., the critical infrastructure) to take a balanced “risk-based” approach to addressing the national cyber security challenges. The second paragraph of the summary also makes the point that this framework, and its set of mutually established public/private standards, is, by the way, “voluntary.” If you don’t like them (perhaps they are too hard), you should not feel compelled to use them.

“Encourages” and “voluntary” will not enable the U.S. (or our friends internationally) to win the cyber war. Make no mistake about it, we are indeed at war. Some simply do not understand cyber war and/or do not want to admit it, and our enemies do not want us to believe it. However, multiple nation states are now following the lead of China and Russia to steal intellectual property and state secrets for economic and military advantage. Cyber criminals continue to rob businesses and citizens of online identities and credentials to steal money and credit. And with the Internet-of-Things right around the corner, terrorists and even “hacktivists” will have new opportunities for, at a minimum, mischief-making and, at worst, placing lives at risk. It is war and we are losing.

In addition to reducing the framework to “cheerleader” status, the document contains another critical flaw. Even if the framework were mandatory for the critical infrastructure, the actual standards (Appendix A) are far too broad and miss many critical elements. The framework is (needlessly) tied to traditional (and themselves too broad) sets of cybersecurity standards (i.e., COBIT, ISO/IEC, CCS, NIST 800-53). These so-called standards are really general guides to high-level good cyber security things to do (e.g., make sure you inventory all your computers). An example of painful vagueness in the framework (and one of my favorites) is “PR.AT-1: All users are informed and trained.” Huh? Informed and trained about what exactly? How often? Should we test them as to their degree of knowledge? If we all interpret PR.AT-1 differently (which will clearly happen), we will end up with various levels of informed/trained employees. Standards are designed to be easily measured. Either yes, I met the standard, or no, I did not meet the standard. How is “Users are informed and trained” a standard? A principle maybe, but not a standard.

Where technical specificity is lacking, and where details are needed most, is the “Protect” section, specifically Protect/Data Security (PR.DS). The framework standards make broad, sweeping statements that organizations need to protect data both at rest and in transit. Well, thank you. That helps an awful lot. These standards are basically meaningless as, yet again, they allow for incredibly broad interpretation of what is meant by “protect data both at rest and in transit.” We all know the right answer is encryption! Why the guessing game? To be helpful, the framework needs to specify the requirement to encrypt sensitive data (more about that later) and describe how best to do it (i.e., point to the relevant FIPS publications). Another excessively broad and unhelpful “standard” is “PR.PT-4: Communications and control networks are protected.” Again, huh! This “standard” is actually more important than it may look at first blush. This is where the public/private partnership could have really placed an important stake in the ground and established a security standard for network interfaces (e.g., connecting corporate networks to the Internet). Internet connectivity is ground zero for the cyber war. It is the primary vector for unauthorized access and exfiltration of sensitive information. However, as written, a public or private entity could probably get away with a “filtering router” and claim they have met the standard. This was clearly a lost opportunity.
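To make the “yes I met it / no I did not” point concrete, here is an added illustration (my own example code, not anything from NIST or the framework) of what PR.AT-1 and PR.DS look like once they are written as measurable checks instead of principles. The inventory records, the approved-cipher list, the TLS 1.2 floor and the 365-day training window are assumptions chosen for the example; only the control identifiers PR.AT-1, PR.DS-1 and PR.DS-2 come from the framework.

```python
"""Policy-as-code: vague framework controls rewritten as measurable rules.

Constructed example. The thresholds below are assumptions for illustration,
not values mandated by the framework or any FIPS publication.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# --- PR.AT-1 "All users are informed and trained" made measurable ------------
TRAINING_MAX_AGE = timedelta(days=365)   # assumption: annual refresher required
MIN_QUIZ_SCORE = 80                      # assumption: must pass a knowledge test


@dataclass
class User:
    name: str
    last_training: Optional[date]        # None = never trained
    quiz_score: Optional[int]            # None = never tested


def training_current(user: User, today: date) -> bool:
    """Yes/no: trained within the window AND demonstrated knowledge."""
    if user.last_training is None or user.quiz_score is None:
        return False
    return (today - user.last_training) <= TRAINING_MAX_AGE and user.quiz_score >= MIN_QUIZ_SCORE


# --- PR.DS-1 (at rest) / PR.DS-2 (in transit) made measurable ---------------
APPROVED_AT_REST = {"AES-128-GCM", "AES-256-GCM", "AES-256-XTS"}  # assumption: site list
MIN_TLS: Tuple[int, int] = (1, 2)        # assumption: TLS 1.2 or later


@dataclass
class DataStore:
    name: str
    sensitive: bool
    at_rest_cipher: Optional[str]        # None = stored in the clear
    transit_protocol: Optional[str]      # e.g. "TLS1.2", "TLS1.0", "HTTP"


def tls_version(proto: Optional[str]) -> Optional[Tuple[int, int]]:
    """Parse 'TLS1.2' -> (1, 2). Anything else (SSL3, HTTP, None) -> None."""
    if not proto or not proto.upper().startswith("TLS"):
        return None
    try:
        major, minor = proto[3:].split(".")
        return (int(major), int(minor))
    except ValueError:
        return None


def evaluate(store: DataStore) -> List[str]:
    """Return findings for one store; an empty list means it passes."""
    findings: List[str] = []
    if not store.sensitive:
        return findings  # only sensitive data is in scope for these controls
    if store.at_rest_cipher not in APPROVED_AT_REST:
        findings.append(f"PR.DS-1: at-rest cipher {store.at_rest_cipher!r} not on approved list")
    ver = tls_version(store.transit_protocol)
    if ver is None or ver < MIN_TLS:
        findings.append(f"PR.DS-2: transit protocol {store.transit_protocol!r} "
                        f"below TLS{MIN_TLS[0]}.{MIN_TLS[1]}")
    return findings


def audit(inventory: List[DataStore]) -> Dict[str, List[str]]:
    """Map each store name to its findings; every control is a yes/no answer."""
    return {s.name: evaluate(s) for s in inventory}


# Constructed sample inventory (not real systems)
INVENTORY = [
    DataStore("hr-db", True, "AES-256-GCM", "TLS1.2"),
    DataStore("scada-historian", True, None, "TLS1.0"),
    DataStore("public-site", False, None, "HTTP"),
]
USERS = [
    User("alice", date(2013, 9, 1), 92),
    User("bob", date(2012, 1, 15), 95),   # trained, but too long ago
    User("carol", date(2014, 2, 1), 55),  # recent, but failed the test
]
AS_OF = date(2014, 3, 18)

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "PASS" if not findings else "FAIL")
        for f in findings:
            print("   ", f)
    for u in USERS:
        print(u.name, "PR.AT-1", "PASS" if training_current(u, AS_OF) else "FAIL")
```

Note that the "filtering router" problem the post raises is exactly what the measurable form prevents: a store that passes traffic over TLS 1.0 or in the clear gets a PR.DS-2 finding no matter what sits in front of it, and a user who sat through training two years ago, or sat through it last month and learned nothing, fails PR.AT-1 rather than being counted as "informed and trained."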

As important as the lack of useful (and measurable) specificity, the framework also simply fails to include some critical controls (that are included in many of the source document standards). For example, while the framework does mention the need for policies as an element of cybersecurity risk governance, it fails to specifically mention a number of generally accepted critical policies. Most glaring is the absence of any mention of policies regarding system security hardening standards, employee acceptable use/misuse of computing resources, mobile device computing, patch management and user access administration. The framework also fails to mention the importance of organizations establishing (as part of governance) a data stewardship standard for assigning owners of data and a process for granting access. Likewise, the framework does not include a standard for organizations to have a policy on data classification and tools to enable users to classify sensitive files. In fact, the framework would have been a great opportunity for the public/private partnership to begin establishing some common language for classifying sensitive critical infrastructure data that transcends organizational boundaries.

Taking the “glass is half full” perspective, the cybersecurity framework can be considered a beginning that will, hopefully, set the stage for follow-on discussions leading to actual, measurable standards. However, taking the “glass is half empty” perspective, the cybersecurity framework reflects a lack of awareness of the cyber war now underway. Clearly, the words “encourages” and “voluntary” and the lack of real (i.e., measurable) standards do not strike fear into the hearts of our cyber enemies. Teddy Roosevelt once said: “The American people are slow to wrath, but when their wrath is once kindled it burns like a consuming flame.” Let’s hope that we now begin the work of producing useful (and mandatory) cybersecurity standards to preclude the need for a cyber-9/11 wrath.