In 2014, some twenty years into the Age of the Internet, and over fifty years after the computer revolution, the U.S. Government finally began to establish minimum standards for computer security. It is about time. Every computer system in the world, including your personal computers at home, is now under near-constant cyber attack. The government acted through the Commerce Department’s National Institute of Standards and Technology (NIST). (You did not expect Congress to have done anything, did you?) It acted by getting together industry and academic experts on cybersecurity and preparing a writing that begins to articulate basic standards. It did not actually establish standards that anyone has to follow, mind you, but did create a framework by which organizations can measure and talk about standards.
In my opinion this process is moving too slowly to protect our collective cybersecurity. We should be talking about specific minimum standards required by law, such as need-to-know network segmentation, external and internal firewalls, file encryption, and host-based intrusion detection technology. This should be required on all government and commercial networks. Still, this Framework is a first step. I just hope we get the cybersecurity we need to protect the Net before we all wake up someday and find that the Internet, and the national power grid which is connected to the Net, have been destroyed by attack from an unknown foreign government. See, e.g., Cyber War: The Next Threat to National Security and What to Do about It (2010) by Richard Clarke and Robert Knake. Our system is now very fragile, very vulnerable. Read Clarke and Knake’s book and you will see what I mean.
This blog will summarize the writing that NIST created: Framework for Improving Critical Infrastructure Cybersecurity. Although I have stylistic objections, and generally dislike all decisions by committee, especially ones involving the government, this is an important effort worthy of attention by all serious students of cybersecurity. Note this NIST activity was required by Executive Order 13636. The government needs to do more, much more, to harden our cyber systems, including imposition of mandatory minimum standards, but at least this is a start.
NIST, you will recall, sponsors the TREC scientific search studies that I have written about many times in connection with predictive coding research. Analysis of the Official Report on the 2011 TREC Legal Track – Part One (of three). Among its many other activities, NIST also keeps track of many standard software programs, such that deNISTing is now part of standard e-discovery jargon for technical culling of irrelevant ESI on the NIST list.
Government Cybersecurity Framework
On February 12, 2014, NIST released a 41-page document entitled Framework for Improving Critical Infrastructure Cybersecurity. In NIST’s words, the framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs. Good. We need that. This is, by the way, only part of NIST’s cybersecurity activities. Go here for a complete list.
Patrick D. Gallagher, the head of NIST, described this work in typical politically correct bureaucrat-speak:
The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program. It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.
NIST invited thousands of experts to submit comments and arrive at a consensus agreement on cybersecurity standards. No word on how many actually participated, but I suspect it was hundreds. The agreement embodied in the Cybersecurity Framework consists of three basic elements:
1. Core. This is the most important piece, somewhat equivalent to the CIA principles I have previously written about. The CIA Cyber Security Triad and 9ec4c12949a4f31474f299058ce2b22a. The core element is what they call the five functions: Identify, Protect, Detect, Respond and Recover. The functions guide understanding and structure of a cybersecurity program. They have the following meanings:
- Identify. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect. Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
2. Tiers. This element pertains to measurement of whether security goals are being met. The four tiers range from informal, reactive responses, to agile and risk-informed. Tier One, aka Partial, is an organization with only incomplete, informal security procedures. Tier Two, Risk Informed, is an informed organization with defined processes and an integrated risk management program. Tier Three, Repeatable, is an organization slightly more together and disciplined than a Tier Two, and also has collaborating partners to assist it. Tier Four, Adaptive, is the strongest level of organization and discipline for cybersecurity. The two highest levels of security tiers come at the expense of decreased privacy and civil liberties, and substantially increased cost and operational burden, and as such may only be appropriate for high risk organizations.
3. Profiles. This element has to do with measurement of the overall levels of cybersecurity sophistication that have been attained. One organization may have multiple profiles related to the degree of security needed for the operational unit. Organizations should assess a Current Profile and a Target Profile. The Profiles indicate the cybersecurity outcomes currently attained, versus the outcomes needed to meet cybersecurity risk management goals. An action plan should be created to address the gaps identified between the Current and Target Profile.
Here is a flow-chart diagram they included to illustrate how an organization should assess and implement a risk management program that allows it to attain its desired Cybersecurity Target Profile.
The Framework for Improving Critical Infrastructure Cybersecurity was based on input from many industry and academic experts and written under NIST’s guidance. Aside from the few diagrams, which I liked, the document reminds me of the classic definition of a camel, namely a horse designed by a committee. It is amazing how many words experts can use to say so little. But, just remember, they have to water everything down to statements they all can agree to and are not controversial.
Believe me, this is not exciting reading, although it is important. Be glad I read this stuff for you and will now translate this Inside-Beltway-talk into real English. But please, feel free to help yourself and download the Framework. While you are at it, download the handy-dandy NIST Roadmap for Improving Critical Infrastructure Cybersecurity that was published with it. Yes, that’s right. A document called a Framework requires another companion document to be read with it called a Roadmap to the Framework. I can summarize the nine page Roadmap for you with these words: the Framework is just a rough draft, and we hope it will get much better over time as we release a series of updates.
Cyber Framework Executive Summary
The Framework begins with an Executive Summary that really does not say very much. Here is the first sentence, the one which all of the experts were apparently able to agree to and felt would set the proper tone for this document:
The national and economic security of the United States depends on the reliable functioning of critical infrastructure.
Ya think? Next thing they do is point out that risks to cybersecurity are a bad thing and we all ought to do something about it. Duh, again. They conclude the opening paragraph with this sentence:
It (cybersecurity intrusions) can harm an organization’s ability to innovate and to gain and maintain customers.
This is politically correct code-speak for look out, Chinese government hackers will steal your trade-secrets and ruin your business, and thus weaken our economy, unless you get your act together and start doing a better job with cybersecurity.
Too bad they cannot just say that, but I can, so please, take this all seriously. I might not like the writing style of this document, but it is important, and so is our defense from black-hat hackers. We all need to try to grasp the principles and best practices that these experts have made in this first attempt at articulating national cybersecurity standards. Maybe in version 2.0 they will hire a professional writer and not be so damned politically correct, but I doubt it.
Framework Provides Common Language
One of the important achievements of this document is the creation of an agreed upon common language for understanding, managing, and expressing cybersecurity risk both internally and externally. They even agreed upon a glossary of selected terms (Appendix B), and, get this, a list of acronyms (Appendix C). Here are a few of the definitions I found interesting (most were not, and it is surprising how small the glossary is):
Cybersecurity. The process of protecting information by preventing, detecting, and responding to attacks.
Privileged User. A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Risk. A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Terminology is important, and this is a helpful service that NIST can provide. I hope that they will significantly enlarge the Glossary in future versions.
Establishing or Improving a Cybersecurity Program
The Framework creates a standard seven step program to establish or improve a cybersecurity program.
Step 1: Prioritize and Scope. A journey should always begin by figuring out your destination. What are your objectives? Your priorities? With this in mind you start to make strategic decisions on cybersecurity implementation. You start to determine the scope of systems and assets to protect. You also identify different business needs and associated risk tolerance within various divisions of an organization and prioritize accordingly.
Step 2: Orient. Once the scope of the cybersecurity program has been determined for the various subunits, you identify the related systems and assets, and the regulatory requirements and overall risk approach for each. This requires identifying the threats and vulnerabilities of those systems, and the relative importance of the information that each contains.
Step 3: Create a Current Profile. Next you prepare a Current Profile by reference to the five functions and your level of achievement with each. The Current profile should contain an objective evaluation of your Tier level achievements and deficiencies.
Step 4: Conduct a Risk Assessment. You next analyze the operational environment of your computer systems and evaluate the likelihood of attacks on various components. This includes a thorough consideration of the impact that a successful intrusion could have. Here it is important to include emerging risks and threats, and the vulnerability of your data. For instance, any risk assessments going on right now must include consideration of the OpenSSL Heartbleed vulnerability. See, e.g., HEARTBLEED: A Lawyer’s Perspective On Cyber Liability and the Biggest Programming Error in History.
Step 5: Create a Target Profile. Now you are ready to create the Target Profile to go with the Current Profile. The Target Profile focuses on the assessment of various subcategories of the five Functions: Identify, Protect, Detect, Respond and Recover. Appendix A includes a list of standard Function categories, as shown in this summary diagram Table 1:
Here is where you articulate your cybersecurity goals. Where do you want to be? What do you want to improve and how? The subcategories of the five Functions are often customized to fit the needs of the particular organization and its unique cyber risks. The categories shown in Table 1 above are just general suggestions.
The needs of external stakeholders should also be considered when creating your Target Profile. In NIST’s words, external stakeholders include related sector entities, customers, and business partners.
The reference to related sector entities is interesting. To put it bluntly, do you have any secret information that the Chinese or other unethical competitors might want? Do you maintain in your systems any information belonging to your customers that hackers might want? Think here about law firms holding terabytes of their clients’ data in e-discovery. As I said before, law firms are the soft underbelly of corporate data security. Best Practices in e-Discovery for Handling Unreviewed Client Data.
Do you think your clients’ competitors, including the Chinese, might want to read the email of your clients’ top officers? How many companies out there would do anything, for instance, to be able to read Steve Jobs’ final instructions? I am sure that Apple has a strict Tier Four cybersecurity system. Apple Insider, July 7, 2010, quoted one former Apple employee as stating:
The measures that Apple takes to protect its creative and intellectual environment are unparalleled in the valley.
Another former employee provided more details in the same Apple Insider article, Former employees shed light on Apple’s internal corporate culture:
One employee said that employees working on secret projects at Apple must “pass through a maze of security doors, swiping their badges again and again and finally entering a numeric code to reach their offices.” Once inside the top-secret areas, employees are often monitored by surveillance cameras as they work. Those working with the most sensitive projects are allegedly instructed to “cover up devices with black cloaks when they are working on them, and turn on a red warning light when devices are unmasked so that everyone knows to be extra-careful.”
I wonder what Apple’s current Target Profile looks like? Do they really have private Apple police? I suspect that only a few people in the world even begin to know the full extent of Apple’s security programs, both physical and cyber. We do know they are extensive. See, e.g., Exit of Apple’s security chief offers lessons for security professionals (Nov. 7, 2011, Security Director News). With the Samsung litigation I am sure it has ratcheted up considerably in the last few years.
Step 6: Determine, Analyze, and Prioritize Gaps. Next you make a formal comparison between the Current Profile and the Target Profile to determine gaps. Then you create a detailed action plan to bridge the gaps. All action items should be prioritized and resources allocated accordingly. The plan should discuss mission drivers, and include a cost/benefit analysis, and statement of risks. What are the possible consequences of not attaining the various aspects of the Target Profile? What is the likelihood of failure to attain the goals with the funding requested? What funding increases could improve the possibility of your achieving the Target profile?
A decision is then made on what resources are needed to address the gaps. Typically, in most organizations, this will involve compromises and tradeoffs in some way. The idea is to make these budgetary decisions as intelligent as possible with awareness of the probable consequences.
Using the two Profiles in this way allows you to make informed decisions about cybersecurity activities. This also supports general risk management activities and enables cost-effective, targeted improvements.
Step 7: Implement Action Plan. You now move from planning to action. You implement the plans made in the first six steps to bridge the gaps between the two Profiles. As part of this implementation you constantly monitor your current cybersecurity practices against the Target Profile.
They do not specifically say this, but I would expect you would need to periodically stop and revert back to step three (Create a Current Profile) and iterate all of the remaining steps. Cybersecurity is an ongoing activity. There are always new challenges to meet.
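The profile-and-gap procedure in Steps 3 through 6, as an added Python illustration written for this post; it is not code from NIST or from the Framework itself. The category identifiers (ID.AM, PR.AC, PR.DS, DE.CM, RS.RP, RC.RP) follow the Appendix A naming, but the levels, impact and likelihood scores, costs and budget are constructed sample values, and treating the four Tier names as a per-category maturity scale is a simplification made only for this example. Risk is scored as impact times likelihood, following the glossary definition quoted above.

```python
"""Current-vs-Target Profile gap analysis in the manner of Framework Steps 3-6.

Added illustration, not NIST's code. Category IDs follow Framework Appendix A
naming (e.g. PR.AC = Protect / Access Control); all numbers are constructed.
Using the four Tier names as a per-category maturity scale is an assumption
made for this example, not something the Framework prescribes.
"""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Category:
    cat_id: str       # Framework category identifier, e.g. "PR.AC"
    function: str     # one of FUNCTIONS
    current: int      # Current Profile level, 1..4 (Tier scale, see docstring)
    target: int       # Target Profile level, 1..4
    impact: int       # adverse impact if this category fails, 1..5 (assumed scale)
    likelihood: int   # likelihood the relevant threat materialises, 1..5 (assumed scale)
    cost: int         # estimated cost to close the gap, arbitrary units (constructed)

    def __post_init__(self) -> None:
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown Function {self.function!r}")
        for level in (self.current, self.target):
            if level not in TIERS:
                raise ValueError(f"level {level} outside Tier scale 1-4")
        for score in (self.impact, self.likelihood):
            if not 1 <= score <= 5:
                raise ValueError("impact and likelihood must be 1-5")

    @property
    def gap(self) -> int:
        """Levels still to climb; zero when the Target is already met."""
        return max(0, self.target - self.current)

    @property
    def risk(self) -> int:
        """Glossary definition: risk is a function of impact and likelihood."""
        return self.impact * self.likelihood

    @property
    def priority(self) -> int:
        """Risk weighted by how far short of the Target the category sits."""
        return self.risk * self.gap


def current_profile(categories):
    """Step 3: summarise the Current Profile per Function by its weakest category."""
    lowest = {}
    for cat in categories:
        lowest[cat.function] = min(lowest.get(cat.function, 4), cat.current)
    return {fn: TIERS[level] for fn, level in lowest.items()}


def prioritized_gaps(categories):
    """Step 6: categories with an open gap, highest priority first, cheaper first on ties."""
    open_items = [c for c in categories if c.gap > 0]
    return sorted(open_items, key=lambda c: (-c.priority, c.cost, c.cat_id))


def plan_within_budget(categories, budget):
    """Greedy funding in priority order; returns (funded_ids, deferred_ids).

    Deferred items are the ones to raise when asking what added funding would buy.
    """
    funded, deferred, remaining = [], [], budget
    for cat in prioritized_gaps(categories):
        if cat.cost <= remaining:
            funded.append(cat.cat_id)
            remaining -= cat.cost
        else:
            deferred.append(cat.cat_id)
    return funded, deferred


# Constructed sample data for one business unit.
SAMPLE = [
    Category("ID.AM", "Identify", current=2, target=3, impact=3, likelihood=3, cost=2),
    Category("PR.AC", "Protect",  current=1, target=4, impact=5, likelihood=4, cost=5),
    Category("PR.DS", "Protect",  current=2, target=3, impact=5, likelihood=3, cost=3),
    Category("DE.CM", "Detect",   current=1, target=3, impact=4, likelihood=4, cost=4),
    Category("RS.RP", "Respond",  current=3, target=3, impact=4, likelihood=2, cost=1),
    Category("RC.RP", "Recover",  current=2, target=3, impact=3, likelihood=2, cost=2),
]

if __name__ == "__main__":
    print("Current Profile:", current_profile(SAMPLE))
    for cat in prioritized_gaps(SAMPLE):
        print(f"{cat.cat_id}: gap {cat.gap}, risk {cat.risk}, "
              f"priority {cat.priority}, cost {cat.cost}")
    print("Funded / deferred with budget 10:", plan_within_budget(SAMPLE, 10))
```

Running the script ranks the access-control gap first (large gap, high risk) and shows that a budget of 10 units funds only the top two items, which is exactly the kind of statement of consequences and unfunded risk that Step 6 asks for. Re-running it after each implementation cycle with updated current levels is the iteration back to Step 3 suggested above.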
Privacy and Civil Liberties
Pursuant to Presidential directive the cybersecurity Framework paper includes a section on protection of individual rights, including privacy. In view of the Snowden revelations, it is hard to take the government too seriously when it writes on this subject. Also see, e.g., Judge John Facciola Exposes Justice Department’s Unconstitutional Search and Seizure of Personal Email.
But for what it is worth, here are the fine words that NIST urges you to follow, even if the government itself does not:
To address privacy implications, organizations may consider how, in circumstances where such measures are appropriate, their cybersecurity program might incorporate privacy principles such as: data minimization in the collection, disclosure, and retention of personal information material related to the cybersecurity incident; use limitations outside of cybersecurity activities on any information collected specifically for cybersecurity activities; transparency for certain cybersecurity activities; individual consent and redress for adverse impacts arising from use of personal information in cybersecurity activities; data quality, integrity, and security; and accountability and auditing.
Also see: Executive Order 13636 Privacy and Civil Liberties Assessment Report, compiled by The Privacy Office and the Office for Civil Rights and Civil Liberties, Department of Homeland Security (April 2014) (Reports on government’s compliance with EO 13636 with 152 pages of extreme bureaucrat-speak.) (Executive Order 13636 prompted NIST to create the Framework, and ordered “federal agencies to develop and incentivize participation in a technology-neutral cybersecurity framework, to increase the volume, timeliness, and quality of cyber threat information it shares with the private sector, and to work with their senior agency officials for privacy and civil liberties to ensure that privacy and civil liberties protections are incorporated into all of these activities.”)
I fully expect there will be a tremendous amount of litigation on these civil liberties and privacy issues in the future, especially where non-governmental organizations are involved. In any event, a good cybersecurity plan must always consider the impact on productivity and employee morale in any cost-benefit analysis.
The Framework for Improving Critical Infrastructure Cybersecurity is a valuable resource and important first step in development of uniform standards for cybersecurity. In spite of my stylistic objections and general distrust for government projects, I can recommend this document for your study and reference.