Earlier today the Senate Commerce, Science, and Transportation Committee heard testimony from a range of experts regarding how the private sector has responded to the NIST Framework.
Hearing Memo
Building a More Secure Cyber Future: Examining Private Sector Experience with the NIST Framework
Senate Commerce, Science, and Transportation Committee
Wednesday, February 4, 2015
Witnesses
Dr. Charles Romine
Director of the Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Ms. Ann M. Beauchesne
Vice President
National Security and Emergency Preparedness Department
U.S. Chamber of Commerce
Mr. Paul N. Smocer
President of BITS
Financial Services Roundtable
Mr. Jefferson H. England
Chief Financial Officer
Silver Star Communications
Dr. James Lewis
Director and Senior Fellow, Strategic Technologies Program
Center for Strategic & International Studies
Key take-aways:
- All witnesses praised the NIST framework for its adaptability, for starting conversations about cyber risk within companies, and for the organic way it is being adopted in the private sector.
- All witnesses, except Dr. Lewis, said they hoped Congress would not try to regulate or mandate framework implementation, and would instead keep it voluntary.
- Many Democratic Senators seemed interested in codifying the framework in order to increase participation by making it mandatory and also trying to figure out how to quantify its effectiveness.
- There was agreement that nation-state actors are an adversary companies cannot defend against on their own, and that even 100% implementation of the NIST framework could not protect companies from that danger. There is a role for the government to play here.
- There was widespread agreement that insurance is a natural, private sector incentive for cyber risk mitigation.
Senator John Thune (R-SD) asked Silver Star…how have you been able to use the framework in a cost effective way to protect your network?
England: Our IT managers used it as a way to guide how they already did their current jobs. We added cyber risk to our meetings about risk management. There were ways we could apply the framework to what we were doing, at minimal cost initially. It created a dialog between executives and IT managers.
Why is a voluntary framework the best approach given the threat?
Romine: Voluntary doesn’t mean weak…voluntary can be very effective. It maintains the engagement across sectors and provides for communication among different levels of the organization.
Senator Bill Nelson (D-FL) said voluntary works as long as everyone is volunteering. He views this debate in two buckets: data security/privacy and national security. Given the number of attacks, how can you say the framework is working? How many companies have implemented the framework? How many companies have attributed cyber attacks to declining earnings?
Beauchesne: The bad guys don’t have regulations so we shouldn’t either. We need to be able to evolve to respond to the threats.
Senator Jerry Moran (R-KS) asked about small businesses – what incentives are there to get them to use the framework and how do we get them to participate in information sharing? What is the description of the typical company that participates in the information sharing systems (ISAC)?
Beauchesne: The framework is only a year old so we’re still socializing it. As we move along, the costs associated with implementing it will go down. We also really need information sharing legislation. That is the Chamber’s #1 cyber priority.
Smocer: ISAC participation ranges from large to small, but the smaller organizations are usually consumers of the shared information. Smaller organizations are usually supported by outside IT service providers, so they must be engaged as well. The framework then allows small businesses to ask the right questions of their service providers.
England: Insurance is a protection against liability, but like life insurance, it’s not much use to me if I’m dead. A small business like ours is dependent on the trust of our customers, so several events would put our going concern in jeopardy.
Senator Gary Peters (D-MI) asked how we assess the success of the framework. What data points do we need? If this is a start, but not enough, what else do we have to do? How do we incentivize a skilled workforce?
Lewis: We need to see how our nation-state foes fare against the framework. If incidents go down, then it’s working. The government may need to do more to respond to the nation-state actors.
Smocer: The framework is used as a baseline for cyber insurance underwriting. Insurance companies may see this as an opportunity to figure out risk scenarios.
Romine: We’re working with our government colleagues. We recognize that there’s a shortfall, but we’re making progress.
Senator Brian Schatz (D-HI) asked the witnesses how they measure the success of the framework.
Romine: Ongoing engagement with our industry partners. We’re still trying to figure out the best approach (metrics) for determining the success of the framework.
Smocer: Through the Information Sharing and Analysis Centers (ISACs) and the Financial Services Sector Coordinating Council (FSSCC) – they’re doing awareness surveys.
Lewis: The government sectors that oversee these companies need to collect data on who has been hacked. NIST isn’t the aggregator, but they could create standards for data collection. DHS doesn’t have the authority or resources. The different agencies have different authorities, but it’s not complete.
Senator Steve Daines (R-MT) asked how long it took to put together the framework before it was released. Given that it is now almost 2 years old, when do you think it will need to be updated? He emphasized the importance of keeping it fresh so that people continue to use it. How can you quantify the level of participation? How can you get to a comparative analysis?
Romine: The framework took the full year to create…from the release of the Executive Order, to requests for information, workshops, drafts, amended drafts, etc. The framework describes a process, not technology-specific, so it doesn’t necessarily need to be updated (yet). There is an internal assessment capability built into it. NIST is using outreach mechanisms with trades and companies to socialize the framework. It would be difficult to compare companies because they use the framework in different ways. It might be better to compare risk management as a whole across companies.
Senator Amy Klobuchar (D-MN) asked if there are industries that are doing better than others. How is the relationship with law enforcement? How important is information sharing and liability protection? Are there anti-trust concerns?
Romine: The sectors most critically-dependent on technology – such as financial, energy, regulated industries, etc – have a head start.
Smocer: We were encouraged by the President’s proposals. We want to see the liability protections apply to sharing both ways.
Senator Joe Manchin (D-WV) mentioned some cyber security programs the West Virginia National Guard and University of Charleston are teaming up on. If banks continue to bear the cost of breaches, what incentives are there for the retailers to beef up their own information security? There’s legislation in the works that would require shared responsibility.
Lewis: Consumers will see their costs rise. Some allocation of responsibility would be good.
Senator Tom Udall (D-NM) asked, what is NIST’s vision for cloud computing? Are you getting adequate participation from the private sector?
Romine: NIST has an ongoing cloud computing initiative in their Information Technology Laboratory (ITL). They’ve launched a cloud forensics initiative. Yes, the response from the private sector has been tremendous.
Senator Cory Gardner (R-CO) asked how you define success. Are there private sector incentives (bank loan requirements, ISO ratings, etc.)?
Romine: Look at the evolution of safety programs in the private sector. Over the course of decades, we’ve moved to a culture of baking safety into everything we do. We’re seeing signs that the conversations that need to take place in organizations are beginning to take place.
Beauchesne: There are things – nation-state actors – that companies can’t protect against. The Chamber is focused on keeping the framework voluntary and getting information sharing passed.
England: Also there to petition against over-regulation. The framework is adaptable and affordable.
Senator Richard Blumenthal (D-CT) asked what progress has been made in developing better incentives. He said that eventually, companies’ failure to protect themselves has a cost that is borne by society.
Lewis: Legislation is needed to fully implement the executive order.
Could NIST work with federal agencies to provide a “certificate of compliance” to companies to incentivize them to implement the framework?
Romine: Not sure that would help. There are other incentives – reputational risk, insurance – that occur naturally.