New Cyber Framework Aimed at Small, Mid-Tier Defense Companies
The draft of the cybersecurity framework was released at the end of October, and NIST was gathering comments until Dec. 13. Its overarching goal is to set up voluntary information sharing regimes for each of the 16 critical infrastructure sectors identified by the Department of Homeland Security.
The framework is mostly directed at smaller companies and can help them implement standards and follow risk management principles and best practices, said Larry Clinton, president of the Internet Security Alliance. That is particularly true in the defense industrial base, where larger companies are seen as being ahead on cybersecrity.
“In general, these organizations do state-of-the-art cybersecurity. They have tremendous resources in scope and scale — among other things,” Clinton said.
However, further down in the supply chain, companies don’t have the same financial wherewithal and expertise, he noted.
The Presidential Executive Order — Improving Critical Infrastructure Cybersecurity released in February — called for NIST to create the framework. The executive order was a result of a recalcitrant Congress, which has had difficulty passing major bills such as the Cyber Intelligence Sharing and Protection Act.
A lot can be accomplished under the framework and executive order without the need for further legislation, cybersecurity executives told National Defense.
The defense and the financial services sectors are seen as two industries that are at the forefront of cybersecurity. Concerned about reports of China-based hacking enterprises stealing vast amounts of intellectual property, the Defense Department initiated the defense industrial base cyber security and information assurance program in 2007.
It was designed to gather reports on network intrusions, scrub the data to ensure the company contributing the information remained anonymous, and then push out reports to other participants. The program, administered by the chief information office, has since expanded, and is now serving as a model for the framework.
The framework includes principles that will reach across all sectors such as risk management, said Tom Conway, director of network security firm McAfee Federal. Companies need to know what assets are most at risk, prioritize, and take action to protect them.
“That is something the DIB has been doing for a while,” he said.
Keith Rhodes, chief technology officer at QinetiQ North America, said perfect security is impossible.
“You have to take a posture of always being under attack. That is just the nature of the beast,” he said. Once a company accepts that fact, then it can move on to identifying its most critical assets and boosting security around them.
“It is about risk. Understanding your threats, the vulnerability and value of assets that may or may not be compromised,” he said.
He lauded the information-sharing regime the framework puts in place.
“We have to be able to tell others, and others have to be able to tell us, what they see, what they know, what’s happening,” Rhodes said. “Without that, you really can’t know what the threat is. You’re looking through your soda straw, but you don’t really have the broader purview.”
Clinton and the others interviewed praised the voluntary nature of the NIST framework, even though it is a result of there not being any legislation to mandate participation.
“A lot of the larger organizations are probably already doing — or are in some cases — doing more than what is in the framework. They will raise their hand,” Clinton said. “But we want those small- and mid-size firms to adopt the framework. They are perhaps the target audience.”
However, these smaller companies have to see that volunteering their time and resources is worth their while, he added.
“If you want the framework to be sustainable as a voluntary system, which is what the administration is committed to, then it has to be cost effective,” Clinton said.
“It is clearly unsustainable to expect smaller firms to be continually making uneconomic investments in security. They won’t do it. Nobody can do it,” he added.
Conway said there are potential cost savings to participating in information sharing when companies don’t have to build or buy redundant infrastructure. Plus, there is also a shortage of cybersecurity personnel. Smaller firms “can leverage somebody else’s smart person.”
There is also the question of incentives, which may assist some of these lower-tier companies in achieving their cybersecurity goals. Those may require legislation, though.
There could be accelerated depreciation for network security products, tax credits for companies that agree to put cybersensors in place, limits on liability and insurance reform, Conway said.
Rhodes said it’s the government’s responsibility to make sure these small companies have the incentives to participate in a voluntary system.
“That means there has to be a good carrot and stick, and right now, there seems to be neither,” he said.
Incentives for defense firms to strengthen their cybersecurity, especially on certain sensitive programs, can be built into contracts, Rhodes said. That is what they do after all — compete for Defense Department business. The government has to choose which parts of the standards apply to defense contracts and insert them into requests for proposals.
Those who write the RFPs should state: “Prove to all of us that you won this contract because you had the smartest approach to security based on the evaluation criteria that we put in,” Rhodes said.
That kind of “carrot” would not require additional legislation, he added.
Defense Department agencies can show they are “serious about this by putting specificity into the evaluation criteria and actually evaluating based on those criteria,” Rhodes said. “Then I have all the incentive in the world. Because that’s the business I’m in.”
Conway said, “‘Fast moving and fluid’ are usually not used to describe regulations.” A voluntary system builds in flexibility.
Prescriptive or regulatory based measures restrict progress, he said.
“Look at where the technology has gone over the past three years with all the iPads and Android equivalents,” he noted.
Since the draft framework was released, Clinton has been a vocal advocate of beta testing the information sharing system. The purpose would be to avoid a fiasco similar to the rollout of the Affordable Care Act insurance exchange website.
“We do what any large firm would do when launching a large product and service. We reach out directly into the target audience and conduct a systematized beta test,” he said.
All sorts of unexpected difficulties will come up, he said. “We know that because that’s what always happens.”
After the bugs are worked out, then there can be a systematized cost-benefit analysis, and some key questions can be answered for the small- and mid-sized firms that are worried about their bottom lines.
What is it going to cost a company to implement the framework? How beneficial is it? How much security do you get? A beta test with agreed upon metrics can determine what is cost effective and what isn’t, Clinton said.
The biggest threat to small businesses is uncertainty, he added.
“If you’re not sure what you’re going to get … firms tend not to make those kinds of investments,” Clinton said.
A beta test can go forward without legislation, he said. Afterwards, there needs to be an independent assessment carried out jointly by industry and government, he said.
“We don’t want somebody putting their thumb on the scale here making it seem more cost effective than it is for political purposes,” he said.
Clinton said the Department of Homeland Security, which will be charged with setting up the system, can get the ball rolling on the beta test soon after the final framework is released in February.
DHS has coordinating councils comprising government and industry members for all 16 sectors, so the organizations are already in place, he added.
It needs to be a true collaboration, with government as a partner, and not trying to manage the whole enterprise by sending out orders, Clinton said.
“We’ve got the structures in place to do this, and do it properly. It will cost a little money, but not a lot,” he added.
Rhodes agreed. “It’s a paper exercise if you don’t test,” he said.
That calls up the question of whether there will need to be costly cybersecurity centers for each of the sectors. The financial services sector and some state and local governments are already doing this. The Defense Department’s chief information office has located its DIB cyber security information sharing program in Arlington, Va., less than a mile from the Pentagon.
Conway said: “At the end of the day, I think it is beneficial to have people in the same location, eating bad pizza in the middle of the night, rolling up their sleeves to solve a problem. That is always going to be needed.”
But ultimately it should move to machine-to-machine communication, where networks can respond automatically to a threat similar to a body’s immune system. The network identifies a threat and takes action without people in the loop, he added.