The cybersecurity breach at Sony Pictures, which the FBI says is the work of the North Korean government, is the latest in a series of high-profile attacks on major US companies in 2014 -- the same year that President Obama directed the National Institute of Standards and Technology to create the voluntary Cybersecurity Framework based on existing standards, technology, guidelines and practices in order to reduce cyber risks to critical infrastructure.
Today, the NIST Cybersecurity Framework is rapidly seeing increased adoption -- especially in highly regulated industries like the financial services sector. Although the framework itself and Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," are not actual laws, the SEC and many other federal agencies are reportedly relying upon the Framework in enforcing their own information security-related guidelines and regulations, while mandating that government contractors and subcontractors comply with it.
The force of a tidal wave
While the theory behind the Cybersecurity Framework seems sound, compliance with the Framework is difficult to enforce and brings into question its inherent value. At the NRS Technology and Communication Compliance Forum in Boston in November, compliance professionals discussed numerous laws, regulations and guidelines related to popular enterprise technology advancements.
Among all these relevant legalities ripe for picking apart, the one compliance subject that kept coming up at the Forum was that of the NIST Cybersecurity Framework -- and for good reason. Cyber insurance carriers are increasingly asking clients to use the Framework and related testing as a matter of policy eligibility and premium determination.
"[The Framework] doesn't have the force of law, but it has the force of a tidal wave," said Alexander Southwell, a partner at Gibson, Dunn & Crutcher, former cybercrimes prosecutor and panelist at the event.
The tidal wave that is the Framework is perhaps best described as complicatedly simple. It outlines and breaks down, inter alia, five cybersecurity goals, four cybersecurity implementation tiers, seven steps for managing a cybersecurity program, and five core functions -- replete with multiple categories, subcategories and corresponding references to a plethora of other security standards and related documents. It would seem that the only thing missing from the self-described "living document" is a partridge in a pear tree.
A lot of the focus at the Forum was on these five functions of the Framework core -- respectively: Identify threats, Protect against threats, Detect attacks, Respond to attacks, Recover from attacks -- and how they are broken down.
Ed McNicholas, a speaker at the Forum and partner at Sidley Austin, speculates that the reason for the inclusion and highly specific rundowns of these functions is one of semantics -- so that IT workers, privacy and compliance officers, attorneys, and other people within the business can refer to it "to speak a common language" and effectively communicate their work and needs with each other.
"I think that this was an effort by [the Department of] Commerce to help that translation process," said McNicholas. "I think it actually is … a useful document."
Not the be-all, end-all
The Framework, however, should not be an organization's InfoSec be-all and end-all. It is but one tool to have in the arsenal; even the Framework itself expressly states that it "is not a one-size-fits-all approach to cybersecurity risk for critical infrastructure."
In addition, the Framework by itself may not fully satisfy relevant cybersecurity regulations or reflect information security best practices.
For instance, the "Recover" function receives little attention and treatment in the Framework, particularly when compared to the comprehensive categorization and informative references used to define the rest of the Framework core functions, especially the "Identify" and "Protect" functions.
However, recovery and mitigation are key components of various SEC and Commodity Futures Trading Commission regulations. Consequently, for all its emphasis on the Framework, the SEC may not find Framework compliance alone satisfactory for its needs.
Mere regulatory compliance aside, the attack recovery process is just as important to good information security practice as everything that comes before it. Speaking at the Annual Advanced Cyber Security Center Conference (also in Boston) in November, former Secretary of Homeland Security and current security consultant Michael Chertoff took care to stress this point.
"If your view is, 'Prevention, prevention, prevention, that's all I'm focused on,' that is going to be doomed to failure," said Chertoff. "If you put all your emphasis on one area, you are actually losing your ability to get defensive depth."
Indeed, federally pushed guidelines like the Framework may be useful, but they can only go so far when it comes to real security and preparation.
— Joe Stanganelli, Freelance Contributor, special to The New IP