Last week, the Obama Administration announced the release of its Framework for Improving Critical Infrastructure Cybersecurity and immediately sought to distinguish it from the plethora of other government- and industry-sponsored frameworks, documents that often seem more concerned with whom the guidance is meant to serve than with the substance of the guidance itself. For example, the Department of Energy just announced the release of the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model, a nearly verbatim copy of its earlier Electricity Subsector Cybersecurity Capability Maturity Model, which was itself updated this month. Both maturity models reference controls that are nearly identical to those in the “new” Cybersecurity Framework drafted by the National Institute of Standards and Technology (NIST) with help from a cast of thousands.
As frameworks or models, all of these documents fail to provide an actual plan for a cybersecurity program. They don’t tell companies what to buy, whom to hire, or which processes to implement. Admittedly, they can’t, since the guidance is intended to cover one or more industries with varying business models, assets, and threats. They are meant to describe, at a high level, the elements that should be part of a cybersecurity program. Even so, their vagueness is at times breathtaking. As Andrew Ginter of Waterfall Security Solutions notes, “The NIST framework never uses the word ‘firewall.’ It’s that abstract.” That reflects the often academic nature of the approach, which frequently favors formal models over practical advice. Of course, any suggestion of specific products or services would instantly be condemned as an innovation killer. But imagine if the government had felt similarly constrained decades ago when deciding whether to mandate seatbelts and had instead chosen to reference “passenger restraint systems.” The guidance would have been less useful, leaving industry to decide what it meant and consumers confused about what to buy. Time and again, we have seen that too many choices, particularly when presented to non-experts, tend to be more overwhelming than liberating. Yes, we got a degree of technology lock-in with seatbelts, but industry still went on to innovate with airbags, anti-lock brakes, and a variety of other safety features. Administration officials refer to the “common language and common understanding” that the framework provides, but for most people that really means a practical example, like a seatbelt or a firewall. Because all of this is voluntary, one wonders what the fuss about not referencing specific technologies is really about.
But therein lies the rub. It’s no secret that the administration wants this guidance, or at least parts of it, to become mandatory. And it can’t be made mandatory, or even deemed the standard of care, if the guidance is so specific that it fails to apply to a particular business model or process. Instead, we get more of the generic language that anyone can claim to comply with. In reading the framework, one cannot know enough to implement the desired control or activity without consulting the “Informative References” cited next to each subcategory. For example, one desired outcome is that “remote access is managed” (subcategory PR.AC-3). Next to it are references to five different guidance documents that say essentially the same thing about remote access, each worded slightly differently. So does one need to meet all of them to be compliant, or just one? And if they conflict, which one takes precedence? It’s also no surprise that NIST cites NIST Special Publication 800-53 in all but two of the framework’s subcategories. NIST SP 800-53 and its predecessors have served as the basis for the regulations underlying the Health Insurance Portability and Accountability Act (HIPAA), the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards, and countless other regulations and industry guidance. Nearly every time an industry or standards group sets out to produce something more targeted or more appropriate to its constituency, it starts with NIST SP 800-53 and makes a few nips and tucks. We are kidding ourselves if we think there is much new here, at least at the 50,000-foot level. The devil is most certainly in the details, and none of these guidance documents comes close to them.
So, as the title of this blog post suggests, what we’re left with is marketing. After several attempts to convince organizations that they need to take cybersecurity seriously, the framework presents a layered approach that, with luck, can attract the interest and, more important, the understanding of the senior managers who call the shots and control the budget. In that sense, it’s a laudable goal. For us technical folks it may look more like rearranging the deck chairs on the Titanic, but politics and marketing are an inevitable part of our business. However, we must be careful what we wish for. For many CEOs, cybersecurity threats present an intractable problem that appears unsolvable in the short term. They are likely to be victims of attack no matter what they do, and most have no illusions that this new framework will change that. In all likelihood, Target, for example, would have been compliant with every one of the framework’s controls, or at least could have made a credible argument that it was, absent the ever-important implementation details. CEOs may instead see an opportunity to get government off their backs on cybersecurity by “adopting” the framework, which amounts to mapping what they already do onto it. So, while I applaud the administration for using the bully pulpit to raise the conversation to the executive and board levels, one must not mistake industry’s praise for evidence that companies are now going to open their wallets wider for cybersecurity. If they were willing to do that, or believed they had to, there would not have been such a fast and furious flow of compliments.