Peter Margulies writes in with the following summary of recent NIST efforts to build a framework for best practices in cybersecurity:
The premise of President Obama’s Cybersecurity Executive Order (EO) is two-fold: first, that cybersecurity is a vital national objective, and second, that if Congress won’t act, the President will. This style of governance is not new. Teddy Roosevelt practiced presidential “stewardship” in defense policy---sending the Navy around the world despite Congress’s refusal to expressly fund the effort and protecting the environment from rapacious development. President Obama has displayed this brand of leadership before, most notably in measures such as Deferred Action for Childhood Arrivals that implemented portions of the Dream Act and could figure in immigration reform. The cyber EO is another example of what I’ve called the “new stewardship,” which focuses on dialog and rights, as well as the need for urgent action. A glimpse of stewardship’s promise and prospects was available last week at the Commerce Department in a well-attended meeting of government officials, academics, and private sector heavyweights on drafting the EO-mandated Cybersecurity Framework of best practices for critical infrastructure, coordinated by Commerce’s National Institute of Standards and Technology (NIST). NIST convened the conference not a moment too soon, since the EO requires that the framework be ready in less than eight months.
At the intersection of cyber and national security---which will be the subject of a conference June 17-20 with Paul, the Naval War College’s Mike Schmitt, Brown University’s John Savage and Tim Edgar, and Brookings’ Allan Friedman---arguments about the need for regulation hinge on dueling externalities. Jack has stressed negative externalities caused by lax private sector players who underinvest in cybersecurity, assuming that the public will bail them out in the event of a major catastrophe. Paul, in contrast, argues that regulation imposes externalities of its own. Prodded by regulators who reduce everything, including cybersecurity, to a bureaucratic checklist, companies may overinvest in the wrong technologies. When government pressures industry to purchase the cyber protection du jour, vendors prosper. However, if the rapidly changing cyber environment limits those fixes to the lifespan of a fruit-fly, the public loses.
The Obama administration’s response to these dueling externalities echoes the Progressive approaches that Teddy Roosevelt practiced. One strand of Progressivism took its cue from the civic republican ideas of deliberation that influenced the Framers. Group deliberation, on this view, could counter the urgings of self-interest. Deliberating together, people discover an interest greater than their parochial perspective, and act accordingly. The Progressives’ gloss on this deliberative model carved out a special role for the deliberations of experts. Teddy Roosevelt bought into the expert deliberation model, supporting legislation that in 1901 created NIST. President Obama’s cybersecurity order fittingly gave NIST primary responsibility for developing a latticework of best practices to “reduce cyber risks to critical infrastructure,” including the financial, information-processing, and power industries.
One question ahead of last week’s meeting was whether NIST would be able to resist the downside of expert deliberation: the tendency to engage in top-down prescriptions that do not give regulated parties a stake in the process or leave room for change. Last week’s meeting suggested at the very least that NIST was aware of this risk, and was inclined to take a different, more collaborative path. The event also demonstrated that Department of Homeland Security officials, who were prominent throughout the day, were fully cognizant of the privacy and civil liberties issues that come into play when the government and private sector collaborate on the protection of massive amounts of data, including sensitive personal financial or health information.
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director, spoke of the need for collaboration and market-based solutions, and the importance of avoiding an unduly descriptive or prescriptive focus on any one technology---what he called a “technology-neutral” approach. Gallagher connected this collaborative approach to the strategy pursued in other recent technology initiatives, including “Smart Grid” for the power sector and measures promoting electronic health records.
Private sector representatives echoed the importance of this flexible, collaborative approach. Paul Nicholas, Microsoft’s Senior Director for Global Security Strategy and Diplomacy and a former White House and Defense Department official, noted that cybersecurity had to be a “living framework.” Robert Mayer, VP for Industry and State Affairs of the US Telecom Association, urged government to help the private sector refine what he called the “business case” for cybersecurity. He explained, as did other panelists, that CEOs of major corporations would have to embrace the business rationale for cybersecurity to make effective changes in corporate culture.
Michael Papay, VP for Information Security and Cyber at Northrop Grumman, stressed the importance of what he called “layered defense.” Too often, Papay explained, both public and private sector entities see cybersecurity through a flawed spatial metaphor, jealously guarding their information “perimeter” from outsiders while ignoring internal sources of cyber risk. Papay and other panelists reminded the audience that dependence on electronic information exchange can breed bad habits among employees. Spear phishing, in which an outsider masquerades as a trusted insider to persuade an employee to open an attachment or click a link that installs malware or harvests credentials, giving the attacker a foothold from which to move through the network, is a rising threat. The recent cyber incursions experienced by the New York Times apparently relied on this tactic. As part of a layered defense, some companies have conducted their own mock spear phishing operations against their staff. Handled correctly, these exercises can be a useful part of employee education, which is central to success in cybersecurity efforts. Sharing information about effective employee education could be a cardinal virtue of the entire NIST effort.
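The “outsider masquerading as an insider” pattern Papay describes leaves traces in the message itself that a mail gateway or a triage script can check before an employee ever sees the lure. The following is an added example, not code from the post, from NIST or from any panelist’s organization: it flags three common spear-phishing tells over constructed messages (display name of a known insider on an external address, a Reply-To steering replies to a different domain, and links whose visible text or host disagrees with where they actually point). The internal domain, the staff directory and the three sample messages are all assumptions invented for the demonstration.

```python
"""Toy spear-phishing triage over raw RFC 5322 messages.
Added example; INTERNAL_DOMAIN, DIRECTORY and the MSG_* samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"          # assumption: the organisation's own domain
DIRECTORY = {                            # constructed insider list: display name -> address
    "jane doe": "jane.doe@example.com",
    "pat lee": "pat.lee@example.com",
}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r'(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?', re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _shown_host(text):
    """Host the user *sees* in anchor text, or '' if the text is not URL-like."""
    t = text.strip()
    if not HOSTLIKE_RE.fullmatch(t):
        return ""
    return _host(t if "://" in t else "http://" + t)


def _body_text(msg):
    """Concatenate text/plain and text/html parts, decoding transfer encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return a list of human-readable findings for one raw message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = _domain(addr)

    # 1. Display name belongs to a known insider, but the address is not ours.
    if name.strip().lower() in DIRECTORY and sender_dom != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' <{addr}>")

    # 2. Reply-To quietly redirects the conversation to another domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != sender_dom:
        findings.append(f"reply-to mismatch: {addr} -> {reply}")

    for href, text in LINK_RE.findall(_body_text(msg)):
        target = _host(href)
        # 3a. Anchor text shows one host, href goes to another.
        shown = _shown_host(text)
        if shown and shown != target:
            findings.append(f"link mismatch: text {shown} -> href {target}")
        # 3b. Our domain embedded in a lookalike host (example.com.evil.net).
        if INTERNAL_DOMAIN in target and target != INTERNAL_DOMAIN \
                and not target.endswith("." + INTERNAL_DOMAIN):
            findings.append(f"lookalike host: {target}")
    return findings


# Constructed samples (not real traffic).
MSG_IMPERSONATION = """From: Jane Doe <jane.doe@example-mail.net>
To: pat.lee@example.com
Subject: Urgent: wire instructions
Content-Type: text/html

<p>Please review the invoice at <a href="http://198.51.100.7/inv">https://portal.example.com/invoices</a></p>
"""

MSG_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: pat.lee@example.com
Subject: Lunch
Content-Type: text/plain

See you at noon. Agenda: https://intranet.example.com/agenda
"""

MSG_REPLYTO = """From: IT Helpdesk <helpdesk@example.com>
Reply-To: helpdesk-reset@mailer.example.net
Subject: Password expiry
Content-Type: text/html

<p>Reset your password at <a href="https://example.com.login-reset.net/x">Click here</a></p>
"""

if __name__ == "__main__":
    for label, raw in [("impersonation", MSG_IMPERSONATION), ("legit", MSG_LEGIT),
                       ("reply-to", MSG_REPLYTO)]:
        print(label, "->", triage(raw) or "clean")
```

The checks are deliberately cheap header and body heuristics, the kind that complement rather than replace authentication controls such as SPF, DKIM and DMARC: a directory lookup will miss generic impersonations (“IT Helpdesk” is not in the list, so only the Reply-To and lookalike checks catch the third sample), which is exactly the gap that the mock-phishing exercises described above are meant to close on the human side.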
Conference organizers displayed a commitment to open dialog that could ease private sector wariness about partnerships with government. Bruce McConnell, Senior Counsel on Cyber for DHS’s National Protection and Programs Directorate and soon to be DHS Deputy Under Secretary, was candid in acknowledging this wariness. A questioner from the floor with a private sector pedigree noted a paradox in the government’s approach: the government wants transparency from business and industry, but often appears reluctant to disclose information to the private sector about current and future threats and vulnerabilities. DHS’s McConnell did not have any easy answers for resolving this paradox, but he candidly acknowledged the problem. That acknowledgment was a useful signal that the Obama administration views the NIST process as an opportunity to learn, not lecture.
Even if the NIST process aims to establish voluntary best practices, the private sector will face pressure to adopt those strategies. Tim Roxey of the North American Electric Reliability Corporation (NERC), a veteran of industry standard-setting efforts, noted that his organization is certified by the Federal Energy Regulatory Commission (FERC), which regulates utilities. FERC will maintain a healthy interest in utilities’ adoption of NIST recommendations. Moreover, since cybersecurity lapses can materially change a company’s bottom line, the Securities and Exchange Commission may also expect publicly traded companies to disclose serious cyber episodes and the steps taken to avoid future problems, including compliance with NIST best practices. In addition, in the still-emerging arena of insurance for cyber threats, carriers may use compliance with NIST best practices as a benchmark.
NIST’s Cybersecurity Framework cannot address a number of action items on its own. Several panelists spoke out about the importance of government incentives, such as a preference in federal procurement for vendors that adopt NIST measures. Administration officials seemed open to discussing incentives of this kind. Some information-sharing or joint cybersecurity efforts within the private sector may raise antitrust issues; regulatory and/or legislative relief may be necessary to address those concerns. In addition, private sector representatives were worried about liability for harm flowing from major cyber attacks. Could companies be sued by individuals whose financial or privacy interests were adversely affected by such intrusions? Private sector representatives seemed interested in promoting legislative efforts that would make liability more predictable (see Paul’s interesting paper), and possibly mitigate its impact.
The next NIST event will be a working three-day conference at Carnegie Mellon University over the Memorial Day weekend. While a number of panelists admitted that this was not their ideal vacation destination, all seemed invested in the effort to meet NIST’s ambitious eight-month timetable. At some point, maintaining a collaborative stance may clash with staying on schedule. Given the importance of the project, however, one hopes that implementation of this phase of the Cyber Executive Order can be both collaborative and timely.