Standards on the Horizon: What Matters Most?

Posted on in Presentations

Standards work driven by NIST and ENISA impacts...everything. Time to market. Interoperability. International trade. Human and environmental health. Technology is moving fast, driving further innovation, and our ecosystem relies upon clear standards. What matters most from the last 12 months? And what’s most critical in the coming 24? Hear from the leaders how to shape your roadmap and priorities.

Video Transcript

   >> ANNOUNCER:  Please welcome panel moderator Laura Koetzle.


   >> LAURA KOETZLE:  All right. So, thank you to all of you who stayed. Yay.


   You are the few and the more than – the larger number of people than we perhaps thought – and the proud.


   So, welcome to you all. I'm going to introduce my fantastic panel first and then we're going to get started. So, in order of how far they are sitting from me, first we have Juhan Lepassaar, who is the Executive Director of ENISA. And then we have Dr. Laurie Locascio, who is the Director of NIST and the Undersecretary of Commerce for Standards in Technology. And Patti Titus, who is the Chief Security Information Officer and Chief Privacy Officer at Markel Corporation.


   So, thank you all for being here and thank you all for being here very, very much.


   So, before we get started with the actual, you know, related content of this program, I have got a question for my panel. Have any of you grossly offended the organizers of the conference over the last several months? Anyone?


   >> JUHAN LEPASSAAR:  It was a long time ago.


   >> LAURA KOETZLE:  It was a long – maybe they still remember.


   >> PATTI TITUS:  I don’t think so.


   >> LAURA KOETZLE:  I thought not but apparently Juhan has.


   So, I’m your most likely culprit probably, let’s face it, and I'm fairly certain I haven't offended anyone recently. So, I'm going to assume that we should be optimistic and think that this time slot, which is of course the last thing standing between you all and the Hugh Thompson Show with Christopher Lloyd, is not a punishment but rather a vote of confidence. They have faith that we can make this interesting. So, when you all fill in your session surveys, you will have to tell us whether we did or not.


   So, let's talk a little bit about what we're doing here in case you were wondering. And I wanted to explain kind of what we want to accomplish with the panel and how we put it together and then we'll get started with the sort of questions and answers, I promise.


   So, we collectively are aiming to distill the last couple of years of security standards and guidance and all the things that impact our practices and our industry and our organizations down to some of the most important things, as well as preview the next two years or so of critical developments as we can.


   So, this is why we're thrilled – and so I'm going to explain the composition of the panel a bit so forgive all the preamble. So, we're thrilled to have Laurie on the panel to represent NIST, which of course drives many of the most influential standards here in the US. And we're also thrilled to have Juhan to represent ENISA. And so, if you’re not as familiar with ENISA, don’t worry. He’s going to tell us a bit more about ENISA in just a minute, which of course is the EU agency directed to – dedicated to cybersecurity.


   So, some of you may be wondering, hey, what's Patti doing on the panel? So, she is what makes this panel different. So, no pressure, Patti. You are the one who makes this the best and most interesting standards panel that all of you will be joining recently, I think.


   So as a CISO and Chief Privacy Officer from Markel Corporation, which is an insurance company with about $13 billion in revenue and substantial operations on both sides of the Atlantic, Patti and her team have to implement standards from both sides of the Atlantic, balance guidance from different regulatory agencies and from different sources of guidance, and figure out how to deal with those things when they are in conflict. So, I thought having Patti on this panel would be an excellent sort of practical counterpoint to how does this actually all work when you have to negotiate those things.


   So, think about – think about those things as you listen to us for the next little while, and hopefully you will walk out of here with a real sense of both what's happened and what's coming from two of the most important sources of guidance that we all have as cybersecurity professionals, and also how to balance those things thanks to Patti being on the panel.


   Okay, so, with all that preamble, let’s get started and talk a little bit about what we're doing here. And so, I think I'd like to start off, and with apologies to my fellow Europeans in the audience, because this is a conference in San Francisco and the attendees tend to be at least half from the Americas, I am guessing that some of you are a little less familiar with ENISA than you are with NIST. So, Juhan, if you will indulge me for a minute and just give everybody a couple of minutes on ENISA’s remit and what it does and how they should think about it, that would probably be very helpful.


   >> JUHAN LEPASSAAR:  Thanks a lot. Thanks for having me, by the way. So, the main goal of my agency is to ensure a high common level of cybersecurity across the union. Easy peasy.


   So, and how we do that is we help Member States, twenty-seven countries in the EU, to implement the EU legislation on cybersecurity. We give them a lot of guidance, guidelines on how to do that in order to make sure that the critical sectors of Europe are well protected, they are resilient.


   We organize exercises. We do a lot of market studies recently as well. And we continue to be inspired by the work – the good work that NIST does in this side of the Atlantic in our endeavors in order to ensure a high common level of cybersecurity.


   So, this is, in a very brief nutshell, what we do. And, of course, part of this work is to collaborate not only within Europe but also outside Europe. But more and more we do that. I'm very happy and grateful also to the American partners that the level of cooperation in recent years has gone up. And of course, it is not only about public authorities but also private sector players. So, these past four days, I have been having bilaterals, trilaterals with a number of you and I'm really grateful also for you for extending this collaboration to ENISA.


   >> LAURA KOETZLE:  Excellent. Thank you. So, as many of you may know but perhaps not, NIST has an even broader purview than ENISA does. So, we are most familiar with its cybersecurity guidance and standards. But NIST has guidance and standards on everything from fire prevention to neutron research. I know because I looked this up. But given that this is RSA Conference, we're going to focus on the cybersecurity end of things.


   So, Laurie, I'm going to ask you to kick us off a bit by saying, if you think back over the last sort of one to two years and the sort of standards that you’ve helped establish and the guidance that NIST has issued, what things stick out to you as sort of most noteworthy and that you expect to be most impactful either already or over the coming couple of years?


   >> LAURIE LOCASCIO:  Yeah, so, thank you for that question. And I’m really excited to be here and represent NIST. I have wonderful people with me in the audience who are from NIST and hopefully you’ve seen them on different stages throughout the week.


   But you know, NIST, you mentioned that NIST has a very broad portfolio, and we do. We’re very unlike a lot of other national measurement institutes around the world in that our mission is very expansive. It really is there to promote industrial competitiveness and U.S. innovation.


   And through the years, as we have grown and we continuously change and grow and develop our portfolio, and as the digital economy has grown, we have really grown along with that and so our IT portfolio has grown and communication technology portfolio has grown. So, yeah. So, I just wanted to mention that because I feel like we're very different than other national metrology institutes around the world.


   And the way that we develop our standards is, you know, I think the magic in the way that we do it is really that we engage very, very closely with our stakeholders. We listen to you. We bring you together in a lot of different fora. We ask for your input and we really take that to heart and bring it into our standards development.


   And then another thing that really I think makes our standards very solid is that we have strong technical backing behind that. So, we have very deep technical research and technical depths so that when we come to the standards table with our guidelines and our documentary standards, we really have the technical people who can back that up. And so, now I’ll actually answer your question.


   Which is –


   >> LAURA KOETZLE:  I had faith.


   >> LAURIE LOCASCIO:  I just wanted to mention a few things that were special about NIST first.


   But I will just pick a few things that I think are highlights for the past – for the past year. This morning, I think there was a really crowded room and overflow room for CSF, the Cybersecurity Framework 2.0. So, releasing that draft I think was really critical and we have just gotten so much excitement and so much interest and we’re really happy to engage internationally as we develop CSF 2.0. Perhaps I can talk about that a little bit more later.


   And the second thing that I really wanted to bring up is the AI Risk Management Framework, which has also been very well received and something we’re very proud of that was released at the beginning of the year.


   There are so many other things to choose from but I know you wanted me to keep it short so I will stop there and hopefully bring some other things to light later.


   >> LAURA KOETZLE:  Excellent. Don’t worry, we’ll get to some of the others later on, I’m sure. All right. So, I’m going to pass to you the same question, which is if you think about the same period, the last sort of one to two years, and what you think will be most impactful over the coming period? Which are the pieces of guidance or certification initiatives, thinking about all the things that ENISA does that really stand out to you as most important from the last period?


   >> JUHAN LEPASSAAR:  So, not to be too competitive, but just today we actually published a paper on standardization in AI. And I'm sure it is going to be very impactful in the future, also illuminating the policy development at the EU on the AI Act, et cetera, and the future standardization that needs to be done.


   But if I really look back now, I think our work at 5G, the 5G Tool Book has been the most impactful in terms of markets and also in terms of ensuring the future reliability and resilience of our core networks. Then of course, the standardization and the certification workstream that we have undertaken in recent years. So, common criteria, cloud services, 5G are the things that we have been really, really focusing our energy on. It is not yet impactful but it is not out there but I hope that common criteria will be the first scheme that is going to get an implementing act in this year and we will roll it out in the years to come. So, yeah. These are the highlights, I would say.


   >> LAURA KOETZLE:  Great. Okay. So, Patti, I'm going to toss this question to you. So, and you don't have to limit yourself to the things that Laurie and Juhan just mentioned. But if you think about the last two years for you and for your team, which sets of regulations, standards, guidance – you can pick from sort of the whole raft of things, have been most impactful for you and the why?


   >> PATTI TITUS:  Well, there's only been like one or two, right?


   >> LAURA KOETZLE:  Sure.


   >> PATTI TITUS:  So, obviously GDPR is one of those things that's impacting everybody. And the ripple effect to that is the CCPA. So, as a privacy officer as well, I have to keep that in mind.


   But I think what I really have enjoyed about both regulations is that there is alignment, although it might be seen as competitive. Zero Trust is really critical. And we're all waiting with breathless anticipation for the EU AI Act. NIST beat you to the table on that one. They put out the Ethical Use of AI. So, of course, we're very interested in those as we think about acceptable use for our teams.


   And then being in the insurance industry, we're keenly focused on the PRA, which is regulatory for our EU friends. And then in the U.S., the New York State Department of Financial Services Cyber Regulation, which seems to be more of the model of what the other states are following. So, it's nice that rather than, you know, we take that as a high watermark. GDPR we take as the high watermark for our privacy program. And we align our control frameworks appropriately with those. And I will talk a little bit more about how we do that in further questions.


   >> LAURA KOETZLE:  Great. Okay. So since both Juhan and Laurie have mentioned AI and their competing portfolios of recent publications, I thought we would talk about that.


   So, I will start with Juhan and then go to Laurie. Because the EU AI Act is sort of in the middle, right, we haven't actually finished passing it yet, talk to me a little bit about how you expect things to proceed from here. And one of the things that I was thinking about as I attended some sessions earlier in the week is that for all of us who live and work in Europe, we already have some protections in the GDPR thanks to the automated decision-making rules and our right to object to the decisions made by sort of automated systems of any kind, whether they are artificial intelligence or not. So, that sort of – so, that's a thing that sort of European consumers can think about for themselves. So, I'm curious as to how you are thinking about this and what you expect to happen.


   >> JUHAN LEPASSAAR:  I was waiting for this ChatGPT question. Everybody is talking about it, so. But I think when we look at the whole ecosystem, there is a lot going on. I think there is plenty of work for all of us, so that’s the good news.


   >> LAURIE LOCASCIO:  I think so.


   >> JUHAN LEPASSAAR:  I mean, tracing, from the paper that we published as well, one of the workstreams that we really look at is the traceability of data and how can we ensure data integrity in this process.


   There is another workstream that looks at testing, you know, you need to test these AI systems. These AI systems use large scale data. How do you securitize these distinct frameworks?


   There is this whole question about ethics there which I'm not going to go into but I mean, the issue of the GDPR or how do you marry cybersecurity and data protection? I mean, we don't know yet what we need to do there. Because also if I look at say, now when we are drafting the cloud scheme, the certification for the cloud scheme, we look at security requirements. We don't – we don't look at the GDPR requirements. But what we are doing is that we are working together with the European Data Protection Board in order to draft also in parallel, a protection profile that would take into account the GDPR requirements so that it will ease the compliance for the service provider also in that front.


   So, although we have two different regulatory regimes, one about cybersecurity, one about data protection, we tried to find tools and models that fit both of these. For the AI, the regulatory regimes that are going to apply are multiple. They are not just cybersecurity and GDPR. There are very many others. So, finding the right tools to do that – and standardization I think helps a lot, is a big, yeah, big challenge for the years to come.


   >> LAURA KOETZLE:  Certainly. I think if we hadn't already realized that in the last month or two, probably brought that home to us very well.


   So, Laurie, I am going to turn this one to you because of course, you’ve published the AI Risk Management Framework relatively recently, plus you’ve got the Trustworthy and Responsible AI Resource Center at NIST. And those are all, unless I have misread things, those are all voluntary. So, I'm curious sort of how you intend to drive adoption at NIST of the framework and sort of, of the tools that you are providing?


   >> LAURIE LOCASCIO: Yeah, you know, well, I would say any time we develop guidelines like that, as I said before, we really reach out, we talk to people, we engage them. We really are looking for the optimal solution that they will want to voluntarily adopt. And that's where we ended up with the AIRMF and risk management framework, the AI Risk Management Framework, just to spell that out for people who aren’t familiar with it.


   And so, actually, the response was overwhelmingly positive and the adoption is happening very rapidly. So, it is already being picked up by a lot of tech companies, throughout government. So, I think really the way that it was developed has really promoted its use and adoption. But yes, absolutely. The work that we do is generally done that way where it is voluntary.


   But I think the excitement around it, we are really seeing that there is a lot of excitement and energy around it and everywhere you go, obviously, people are talking about ChatGPT, even in Washington, of course, and it is a subject of a lot of Washington conversations as well.


   So, what I would say is that, you know, the AIRMF is about promoting trustworthiness in AI. And it is really pro innovation at the same time that it is there to protect people, right. And so, it's really balancing those two things.


   We're in the Department of Commerce and we're really there to make sure that the U.S. thrives in the global economy, as I said at the beginning. So, that idea of being pro innovation, make sure you are not squelching innovation, but at the same time, protecting people as we are developing AI is really important. That's what the AIRMF is about, that balance, and really exposing the risk that you have to consider when you are thinking about that balance.


   I would say that we've developed this resource center as a way to help people navigate through their measurement and validation and understanding of the AI products that they're developing. And so, there are datasets there that people can use. It is really a repository of standards. It’s a hub where people can look at best practices and new measurement methods and ways to evaluate AI.


   So, we're not – we haven't just stopped with the AIRMF. We are really trying to bring it forward to answer the needs of the community as to how to use it and how to incorporate it into your thinking.


   >> LAURA KOETZLE:  Got it. So, I'm going to skip back to something that Patti said earlier. And Patti, I'm going to ask you a question about this specifically, which is, you had mentioned that, probably, I’m guessing, the Executive Order on Zero Trust was sort of what you were thinking of top of mind as sort of standards things that were impactful.


   But I'm curious kind of how you and your team were approaching Zero Trust kind of before the executive order, if you were, and then sort of after it. Did things change at all or kind of if you think back over the last kind of two, three years, how did that progress?


   >> PATTI TITUS:  So, Zero Trust isn’t a new concept. It has been around for some time. And I think that every organization aspires to try to maintain control of your infrastructure and who is accessing it. That is probably the number one issue that we have to deal with from threat actors gaining access to our environment. The standards are a way to actually put some thinking around it. I think it is also helpful for our internal auditors so internal auditors can think about this as well.


   I think the biggest problem that we have as an industry is the definition of Zero Trust, which is where I think the standards bodies take away the questions. So, if you talk to one vendor or you talk to another vendor, you are going to get a different idea of what Zero Trust is. And it is usually formulated based on what product they are selling.


   And so, we have to kind of cut through the chaff and get to reality. And that's where a standards body can define it and we can build upon that definition. And that I think is really key for us where we don't have to second guess. We don’t have to use ChatGPT to go out and figure out what is the standard and what does it mean to me. So, we have been implementing it in thoughtful and purposeful ways.


   So, you can go all in. I know some companies, some CISOs have done that. They ripped the Band-Aid off and overnight they are making these bold decisions. But I like to think about things as how can we create a way to bring our organization along on the journey and change the culture and talk about the why we're doing something.


   So, a standard will give you the basis for how to do it and what the thinking should be around it. And our job is operationalizing those standards into our infrastructure, into our thinking, and I think ultimately into helping our customers, which are all our employees as well as their families and anywhere else that we can reach to, to think about Zero Trust or these standards as ways to make our world more secure and build that operational resilience that we all need.


   >> LAURA KOETZLE:  Got it. So, one of the other areas that stood out to me as I was thinking about kind of recent development in standards and guidance and certification and so on over the last little while was developments kind of on both sides of the pond on I guess what we can put under the header of cybersecurity supply chain risk management. So, it’s a different product liability scheme for software and all the rest of it.


   So, I'm going to start with Laurie because obviously NIST has published some guidance on cybersecurity supply chain risk management relatively recently. So, I wondered sort of how the uptake of that framework has gone and sort of what you have observed so far? And then we're going to talk about what's happening in Europe.


   >> LAURIE LOCASCIO:  Yeah, so, it’s funny because I have sat in a lot of meetings throughout this entire conference and this comes up a lot, cybersecurity supply chain risk management. It’s something NIST has been doing work in this area for about a decade, I think. And that really led into and fed into the Executive Order 14028 that came out in 2021 that then asked us to extend that to cybersecurity supply chain risk associated with software specifically.


   So, that – I think that vision was really important and it also feeds into our updated guidance in that area. But we have – when we were developing that new guidance, we – I think we got input from over a hundred, about 130 different individuals and organizations who really informed us on their needs for cybersecurity supply chain risk management. And so, we've really been building this portfolio for a long time and it all fed into this guidance backed by strong research.


   I just want to mention, if I can just veer away from this for just one second and talk about supply chain risks in general. NIST has been given the $50 billion for the CHIPS and Science Act to manage the semiconductor – the chips portfolio, bringing semiconductors back to the United States, and really dealing with supply chain issues that we saw so prevalently throughout the pandemic.


   That $50 billion, $39 billion of that is for bringing back manufacturing in the U.S. for semiconductors to deal with basic supply chain issues. And $11 billion of that is for R&D to really keep and cement the semiconductor industry here.


   But earlier in the week there was talk on – that dealt with chips and security and supply chain security, and I just want to say that building into our thinking is really this – this guidance that we produced, which is about securing both the hardware and the software involved in the supply chain for semiconductors.


   >> LAURA KOETZLE:  Got it. So, Juhan, let's talk about our side of the pond for a minute. I would be very interested in your view of the Cyber Resilience Act proposal and on the software supply chain transparency parts of it and cybersecurity parts of it, as well as the implications for open source, because I have – I have heard a lot of discussions about that over the course of the last week. So, talk to us.


   >> JUHAN LEPASSAAR:  I have two hours? If you want me to answer all of these questions. Minimum.


   Anyway, I think we had an interesting discussion also backstage before the panel, talking about CRA and the GDPR. And one of the things that when GDPR came along and people started suddenly to realize that there are actually some requirements to protect privacy. And you know, it was like, you know, we wonder, because these requirements were actually there a long time ago already. And what CRA does is essentially it makes people realize that there are security requirements when you develop products or software. And it makes them stick.


   So we – we see CRA as kind of a GDPR in cybersecurity that puts in place a framework whereby producers, service providers, need to adhere to certain security requirements if they put products on market. It applies both to software and hardware, to all connected devices.


   So, for us, it is an essential missing piece of the puzzle. Because if we look at now our threat landscape, 67% of incidents happen because of known vulnerabilities, because the products and services are riddled with loopholes. And we need to do something. And it is not fair to put the onus only on the end user. And I think this shifting of responsibility more towards the parts of the supply chain which actually are capable of dealing with this responsibility is something that is not happening only in Europe via the CRA Framework but also it is happening here in the United States.


   Now, we have a bit of different ways and means to do that. Europe, in Europe we love legislation. You love litigation. So, but I think the aim is very much the same.


   Now SBOMs; I think one thing that we feel and we very much understand in the current framework is that the lack of transparency about what different components are there in the products and services that we use is not helpful. And indeed, the CRA puts in place a notion that manufacturers need to develop this catalog of software that they use. And in case there is a motivated request from the supervisor authorities, they need to make it available.


   Manufacturers, of course, voluntarily can also make this catalog available to end users if they want but that's not an obligation.


   But this kind of an understanding, one of the pieces that you put into your product that make it work, is fundamental when we come to making sure that these products are resilient and trustworthy. And the knowledge about it, I think, is something that is currently lacking. And this lacking of knowledge only helps the bad guys. It does not help the defender. And I think that's where we need to start.


   How can we shift the framework, recalibrate the framework to help the defenders, to help – to make sure that our markets, our market space, the products that are put on the market are resilient and can be defended at all.


   >> LAURA KOETZLE:  Got it.


   >> JUHAN LEPASSAAR:  Less than two hours.


   >> LAURA KOETZLE:  Very much less than two hours. But I'm going to give you a few more minutes, but not two whole hours. So, there are a lot of folks who are concerned about the open source side of things specifically because open source “products,” in quotes, don't have manufacturers or, you know, developers in the same way as for what corporate developed products do. There is a lot of worry in the community of open source developers and people who use open source, which includes most of us one way or another, as an – so will open source kind of be seriously disadvantaged if the CRA comes into force in sort of current proposed form? What's your thinking there?


   >> JUHAN LEPASSAAR:  I'm not a legislator. I'm not a commissioner. So, I’m the part of the EU Executive that helps to implement all this stuff. Of course, the CRA is still very much in the kitchen. So, we don't know what the sausage is going to be when it exits the kitchen. But in the current commission proposal, open source is not part of the scope of it. So, I think that should reduce worries.


   And I think everybody acknowledges that open source is a very important part of the field. And most of the proprietary products they use in some form or another are open source. But we don't know where it is and where it isn't.


   I think if I look back for, you know Log4j, that was the big effort that everybody had to undertake to suddenly understand, you know, am I using it? Am I not using it? And I think clearer understanding and where are the – where is the open source parts in our components, I think that helps everybody. But we are not, at least at this stage, the commission proposal, and I haven't heard it from the legislators either that they are seriously considering including open source in the scope of the CRA.


   >> LAURA KOETZLE:  I think that’ll be really good for people to hear so I'm very glad I asked you because there is certainly a lot of misperception there.


   So, I'm going to turn this to Patti for a moment. So, thinking for you as a consumer of all this, right. So, you know, if we're going to radically oversimplify, one of the results of something like the CRA will be a sticker on the side of the metaphorical tin that sort of says, okay, complies with the requirements. And so, you'll have – and that will give – hopefully give sort of end users better information about what's actually in the box that you are using.


   So, I'm curious, Patti, how you are thinking about this both with kind of the guidance issued from NIST, what we think we will see from the CRA knowing that the sausage is still being made and pick your favorite legislation related cliché. What do you sort of – thinking about things as a consumer of this, what do you sort of hope that will come out before the end as it were?


   >> PATTI TITUS:  So, standards would be great. The gold seal of approval, wonderful. I do get a little bit concerned when we start asking vendors to create SBOMs and then provide them to us. So, if someone was an arbiter sitting in the middle as the honest broker, that’s where I prefer to see it. Versus give me the SBOM, I might lose the SBOM, the bad guy knows the bill of material for your software product. Now I can create a vulnerability or an attack vector into that software.


   So, I think there has got to be somebody sitting in the middle of this. In the U.S., I might say it might be MITRE, where MITRE would be the one that would be the holder of this information, high value target, and now I'm concerned about potentially that, kind of like our password vaults that just – some of the commercial ones keep getting attacked. And so, I think there is a little bit of concern. I can see this, having been in a software development company at Symantec, that I would have been concerned giving up my bill of material to an entity that I would want to protect it. If the entity could prove to me they could protect it through maybe again, using an honest broker or there was a review process to say yes, you get the gold star or the checkmark on the box, I think that would be great.


   But I do think we have to think through the mind of the threat actor. And that's kind of what I think is difficult sometimes when there's a disconnect between a standards body and us in the field or those that are operationalizing these or dealing with the threat actors on a daily basis, which is why I love the relationship that's been built with our standards bodies where we can actually have preview and have open dialogue.


   The fact that you are here sharing information with this organization, with the RSA Conference, and making yourself available is really critical to hear what the people are saying. Sometimes you have to do that with some filtration on.


   But I do think it's important that we think about our standards and what we're asking companies to do based on am I asking you to give up intellectual property? Who is going to protect that intellectual property? And I get very concerned when it is a single agency who is going to do it, who is going to approve it. That creates a challenge for a high value target. Having been a person that had a national security clearance, I had prayed that OPM would keep my data safe. So, I think there's opportunity to try to figure out who can that honest broker be in the middle that actually gives that checkmark.


   I could probably go on for hours about this but I think I'm going to take the lead and just stop there.


   >> LAURA KOETZLE:  Okay. So, I'm going to switch gears a tiny bit and I'm going to ask us to look forward. So, Laurie, when you think about sort of what the team is working on at NIST, which is a vast variety of things as I think we've all seen, what do you – if you had to sort of – if you had to gaze into your proverbial crystal ball, which of the things that you’re currently working on, whether it’s Standards with a capital S, guidance, anything is fair game, what do you think is going to be most impactful that you will be sharing with us over the next year or two?


   >> LAURIE LOCASCIO:  I'm hoping I get more than one.


   >> LAURA KOETZLE:  You do get more than one. Go for it.


   >> LAURIE LOCASCIO:  I will start where I ended with Cybersecurity Framework 2.0. You know, that is clearly, I think, going to be very impactful. When we had our first workshop around Cybersecurity Framework, we had thousands and thousands of people sign up. I think 7,000 participants signed up. Over a hundred countries.


   Now, for us, that's a real indication that people are really watching what's coming and want to participate and want to contribute and really are hoping that this guidance, this next guidance document is as impactful as the first one. And I'm sure it will be. There are some new pieces of that, in particular governance, and that's really been greeted with a lot of enthusiasm.


   So I had mentioned, you know, this idea that we want to hopefully not compete but really share and come together when it comes to developing things like this, which if we come together, it really does benefit all of our countries respectively. And so, I think that's – that would be the first one.


   The second is the new guidance on digital identity. We are revising that currently. And you know, really the goal of that is to decrease fraud and decrease threat and also increase equity. And so that, we're excited about that new digital identity document. And I think the comment period on that just recently closed.


   Then I want to mention something else we're very excited about which I think was discussed a lot at the beginning of the conference, which is our post quantum cryptography standards. So, we have been, I think the first meeting that we had on this, the first workshop, was around 2015. We have come a long way. We ran a competition program and ended up with several algorithms that will be standardized and that are being developed into standards currently. So, of course, this is to protect us after that – after we have a quantum computer that can break our current ways of protecting our information. And so, we're really excited about that. And we have a lot of people around the world who have been asking us about that. We've met with a lot of companies this week who have brought up their excitement around it. They’re excited for us to be developing the standards so that then they can start to really prepare, because it's going to take a long time to do that that migration. So, we're happy and excited about that.


   The last thing I just wanted to mention is the area of IoT cybersecurity. We have had a lot of discussions about that at this conference as well. So, NIST has developed technical criteria that we hope that's leveraged into really increasing the transparency that people want to see around IoT products. So, I’ll limit it to that but there is a lot coming that I think people can be looking forward to at NIST.


   >> LAURA KOETZLE:  Those are excellent choices to think about as being impactful for the future. So, Juhan, I'm going to ask you a more specific question first. Don’t worry, I will ask you for the crystal ball question later.


   But of course, we’ve got the new version of the Network Information Security Directive which ENISA has had a large role in monitoring investments in in the past. So, I am assuming you are taking a similar role going forward. So, tell us a little bit about how or if that role will change and what kind of guidance you sort of – you are thinking about issuing over the coming months, because I know a lot of people here are interested in that.


   >> JUHAN LEPASSAAR:  Yeah. Thanks a lot for taking the interest in this. Indeed, it is a massive expansion of the original NIS directive. The number of sectors who are going to be – is going to be doubled. The number of entities who will fall in the scope of the directive is going to go up from, up to – we don't know actually but we expect up to ten times.


   So, it's a really massive work that ENISA, together of course with the Member States who bear the bulk of the implementation is now undertaking.


   So, we are very, very busy drafting and helping the commission to draft implementing acts but also putting in place guidelines and guidance on essential security requirements for the essentially important entities, looking at the – how the Incident Reporting Framework should change. Building a European Vulnerability Database. And I'm very grateful for our U.S. counterparts in MITRE and NIST also helping us in this.


   When it comes to incident reporting, we are in close contact with CISA to ensure that the reporting entities, a lot of them who are American, that we find ways how to align our systems so that we talk about the same things in the same way. So, there is a lot of talk about taxonomies and also standards that we can use.


   So, this is really the bulk of the work of the agency right now. But also, there is an operational element there. And why I'm very grateful and I mentioned that in the beginning as well, is that we felt that there is an interest from also U.S. private sector entities to help us in developing and taking these steps towards a better understanding of what you face so that we can take that into account in our work and implementing the NIS 2.


   So, yeah. There’s a – again, with all of this, you can – I can blab for hours and hours and hours but I don't think that you would like that. So, just rest now.


   >> LAURA KOETZLE:  All right. So, I'm going to turn to Patti now, which is thinking about – we discussed a lot of different pieces of legislation, frameworks, standards, guidance, all kinds of stuff. Now, even given sort of the level of the coordination that we seem to be seeing transatlantically, which is fabulous, there are always going to be things that conflict or sort of don't quite match up and so on. And, Patti, you and your team will sit at the sort of pointy end of this, if you’ll forgive the phrase.


   So, how do you approach looking at all of these different sources of guidance and kind of sometimes requirements that are legal in nature? And where things conflict, how do you approach dealing with that?


   >> PATTI TITUS:  Let me take the easier part of that question first, which is how do they all harmoniously work together? So, I think what’s really critical when you’re looking – so, first of all, our program is built on the NIST CSF. But the framework is very flexible. So, it's forward backward aligned with the ISO and the BS standards. So, if we get an international request to pull our control framework, you know, you hit the button, you say pull me out a BS standard report, which is nice. So, the vendors have listened to us. They have created the appropriate tools to make it much easier for us to do that. And thank you to NIST because they did that forward backward mapping, I want to say, back in 2008. So, it’s been quite some time. You can tell I have been involved with this framework for a long time. So, that's probably first and foremost is identifying what controls does your vertical market need.


   So, not all industries are created equal. So, manufacturing is going to have a set of standards and requirements using operational technology. Retail might be using something else because of the point of sale machines. Financial services is under a different set of regulations. So, I think each vertical market, each industry needs to look at it and say what's the right level for us?


   I commonly refer to it as just enough just in time security. But those standards allow us to have flexibility to allow our business to innovate, which is really critical. If we clamp down on all of the standards and we take all of the framework and say we have to apply all of this, our business is never going to innovate. It's not going to grow. Actually, the best company is one that's not plugged in to the internet but that's just realistic anymore.


   So, where we see conflicts, it really is what for us from – it’s really about risk management. And so, it's identifying the standard and saying this system or application can't meet our control framework; how do we document that, think about the risk, quantify the risk, and then talk to the business about we're needing to accept this risk in order for this system to continue to operate? How do we put compensating controls around it where we can't apply the necessary controls itself, there is compensating controls?


   So, there is a lot of different things that we can do but I think the most important part is you better document it. You better have a plan. Because if something kind of goes sideways, the regulator is going to come in and ask to see why didn't you follow this framework or this standard? How did you document your risk appetite statements? How did you document your waivers? How did you determine that you were going to accept that risk?


   And really, to be 100% honest with you, I do not believe that a CISO or a CIO is responsible for accepting risk for the business. So, how do you take that accountability and press it back to the business. That is a challenge. I will say it is not an easy thing to overcome. But what I love is when I say to a regulator or an auditor, they say what framework are you using? NIST CSF. And they’re like, okay. We're going to go pester someone else. That's like the best of all worlds.


   But there are going to be conflicts. And we have to determine for our business which ones are we going to accept, which ones are we going to document as acceptable risk, and I think that's a part of the challenge. No two vertical markets, no two companies are the same. And I think once we recognize that, then we can be adaptive and flexible in the frameworks, which is why I appreciate that NIST and ENISA are guidelines. They are not mandatory you must do, and I think that gives us opportunity to be flexible, innovative, find that right balance for our companies, and make it work.  


   >> LAURA KOETZLE:  Got it. So, Juhan, I'm going to give you your crystal ball gazing opportunity here. So, if you think about the next sort of twelve to twenty-four months, what things will you be doing at ENISA that you are sort of most excited about putting out there into the world?


   >> JUHAN LEPASSAAR:  Well of course, certification remains one of the issues for us. We hope that in the next twelve months, the current candidate schemes that we are working on will be adopted and implemented by the commission.


   And that, of course, means that there will be a lot of work for ENISA to guide and help the community to ensure the uptake of these certification schemes which are, I have to stress, voluntary. So, that's part of the excitement.


   I think the other part that excites me is a bit outside of the scope of this discussion, is the workstream that ENISA quite recently has been really upgrading skills in order to ensure that we have the right skills in the cybersecurity community for the future. I mean, we have been talking about ChatGPT, et cetera, but I think the kind of skills and expertise that we need inside the security in order to deal with all these issues also is going to shift and change.


   The commission just last week came out with another proposal called Cyber Solidarity Act which also proposes to enlarge the mandate of ENISA in order to also look at certification of cybersecurity service providers, trusted service providers, which probably will involve quite a lot of the work on the skills. So, yeah, I’m quite excited about the future.


   But the most excited I am about this new opportunity of collaboration and cooperation across different sectors and fields and private and public sector entities, cross Atlantic as well. This is something which is new at the scale that it is now happening, and I really hope that it carries forward.


   We're very good at summitry. Let's organize a summit. Let’s organize a meeting. And normally very bad at follow-up. This time, I hope that the follow-up will be there because the needs are there and the same sort of problems and look like the same sort of thinking about solutions is also there on both sides of the Atlantic. So, I'm very excited about that as well.


   >> LAURA KOETZLE:  Excellent. Okay. So, now we come to the “lightning round,” in quotes, of our session here.


   Patti, you have two very influential people on the stage with you. So, if you are going to make one request of NIST and of ENISA over the coming say twelve to twenty-four months, what would it be?


   >> PATTI TITUS:  It’s the theme of this conference, we’re stronger together. A single set of standards would be or at least fully aligned.


   >> LAURA KOETZLE:  Perfect. The conference organizers thank you for the emphasis on the theme. So, Laurie, question to you in reverse, which is you have a lot of us in this industry in the room here and listening digitally and loads of people who are going to watch this later on. So, what would you ask of us? We ask a ton of NIST and Patti just asked yet something else of you. So, what would you ask of us?


   >> LAURIE LOCASCIO:  So, the administration is developing a strategy around standards related to critical and emerging technology, and NIST will be the agency who will be leading the implementation of that strategy. And so, I guess what I would ask for you, from you, is really your – to give us feedback, to work with us as we implement this strategy that's going to be coming out of the administration soon, and also to meet us at the standards table.


   >> LAURA KOETZLE:  Juhan, what do you want to ask of everybody here and listening digitally and listening later on?


   >> JUHAN LEPASSAAR:  I would echo Dr. Locascio in this, but I would also ask you to have an open mind. I understand that there is a lot going on and the shift towards asking you to bear more responsibility is hard. And it's not going to be easy. We don't yet know all of the solutions but I think we are willing to work with you in order to find the right way and design the right path forward. And for that, I think both sides need to have a bit of an open mind. So, I would echo the comment, collaboration, alignment as far as possible, but also an open mind so that we can actually find the solutions together. Thank you.


   >> LAURA KOETZLE:  Excellent. Well, since we are now the only people standing between all of you and the Hugh Thompson Show, we're going to – we’re going to clear the stage. Please join me in thanking my three fabulous panelists for all the insights that they’ve shared today. And thank all of you for coming. And please join us all in Moscone West at 3:15.

Laura Koetzle


VP, Group Research Director, Forrester Research

Juhan Lepassaar


Executive Director, European Union Agency for Cybersecurity

Dr. Laurie Locascio


Director and Under Secretary of Commerce for Standards and Technology, NIST

Patricia Titus


Chief Information Security Officer, Booking Holdings, Inc.
