Members of a Senate committee, at a Feb. 4 hearing, received anecdotal evidence of how the National Institute of Standards and Technology's cybersecurity framework is helping businesses with risk management.
One by one, representatives of the banking industry and U.S. Chamber of Commerce, the CFO of a small telecommunications company as well the head of NIST described for senators how the voluntary best practices are proving helpful. But measurable proof of the effectiveness of using the framework to prevent damaging cyber-attacks is still lacking.
NIST Director Charles Romine couldn't give the Senate Commerce, Science and Transportation Committee a timetable for when the government standards organization will develop such metrics, saying NIST is "diligently working on trying to determine the best approach."
It's been nearly a year since the framework was unveiled. So it's time for NIST to quickly develop the metrics to measure the framework efficacy. Framework users need a way to know if it's truly effective.
James Lewis responds to Sen. Richard Blumenthal's questions on the framework.
Clearly, adoption of the framework is not an adequate measurement of its success. "Even if all companies were to voluntarily implement the NIST framework, it does not necessarily mean that there will be an improvement in cybersecurity," testified James Lewis, senior fellow at the think tank Center for Strategic and International Studies. "The measures listed by NIST are likely to improve security if implemented correctly, but to what degree there will be improvement is unknown, nor do we have any idea of how many companies have implemented the framework recommendations, or how well they have done so."
Lewis characterized the framework, along with President Obama's 2013 executive order to improve critical infrastructure cybersecurity, as "building blocks for better cybersecurity."
One organization that's using the framework as a building block is Silver Star Communication in Freedom, Wyo. CFO Jeff England told the committee that Silver Star has been using the framework since NIST released it as a draft in late 2013, providing the 88-year-old company with a disciplined approach to review cybersecurity practices.
"The framework has created an environment that encourages discussion, both internal and external, regarding its application in our organization," England said. "But above all, the greatest benefit from the framework has been the ability to use and adapt it within our organization such that it has become a meaningful management tool for improved cybersecurity practices."
Jeff England discusses incentivizing businesses to adopt the framework.
Supporters of the framework praise its voluntary approach, where best practices are offered to businesses to either accept or reject. "The voluntary nature of the framework has been the key to success for use within our organization," England said. "A regulatory mandate requiring the use of the framework creates a minimum standard environment. We believe this to be problematic because minimum standards are more likely to be treated as a checklist that can be delegated without having the necessary interdepartmental conversations regarding exposure and acceptable risk tolerance."
Scaling Back Regulations
Requiring business to do anything has generally fallen out of favor in Washington, including in the cybersecurity arena. That's especially true now, with regulation-averse Republicans controlling both houses. Even the White House is on board, as the voluntary cybersecurity framework demonstrates.
In a new White House blog, Cybersecurity Coordinator Michael Daniel discusses ways to streamline regulation. "We are beginning a process to identify federal regulations that are excessively burdensome, conflicting or ineffective," Daniel writes.
But can the voluntary approach be sustained, especially as more organizations fall victim to damaging cyber-attacks? The panel's ranking Democratic member, Bill Nelson of Florida, in his opening statement accurately noted what the committee was about to hear: "We shouldn't place any obligations of any kind on businesses to adopt strong cybersecurity standards. But as President Ronald Reagan used to say, 'Trust but verify.' And the problem right now is simple: As strong as the framework is, and as much as I trust that companies and industry sectors are working toward adopting it, there is no way to actually verify that progress."
Nelson makes a valid point. If we can't verify that the voluntary approach works, then the government must decide whether to compel businesses to comply with security standards. After all, insecure IT in one business could adversely affect its customers, suppliers and other stakeholders in this interconnected world.
But how will the success of the voluntary framework be measured? One way is to determine whether organizations that have implemented the framework have been victims of successful cyber-attacks. "If hackers still get in and data still flows out, the framework is not working," Lewis testified.
Daily headlines offer reminders that damaging cyber-attacks are on the rise. "We do not know if this is because companies have not adopted the framework, have been unable to implement it or if it is because the framework is ineffective," Lewis said.