Skeptics doubt voluntary Cybersecurity Framework will achieve its goal

Published 19 February 2014

The Framework for Improving Critical Infrastructure Cybersecurity, developed by NIST following Executive Order 13636 to promote cybersecurity, has been received with both support and skepticism from critical infrastructure industries. The 41-page document, put together by industry and government experts, offers guidelines on cybersecurity standards and best practices to critical infrastructure firms. It says its role is to be a complement to industries’ existing risk management practices. Skeptics say that without incentives, legislation, or enforcement, the guidelines will not be adopted. “The marketplace will punish any company that implements anything that could be considered excessive security, because it will increase their costs,” says an industry insider.

The Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST) following Executive Order 13636 to promote cybersecurity, has been received with both support and skepticism from critical infrastructure industries. The 41-page document, put together by industry and government experts, offers guidelines on cybersecurity standards and best practices to critical infrastructure firms. It says its role is to be a complement to industries’ existing risk management practices.

“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” President Barack Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

Several security-service firms are using the framework to assist their clients. IBM launched its Industrial Controls Cybersecurity Consulting Service to help companies apply the Framework to improve security initiatives and investments. “There is a growing need to apply advanced security to our increasingly interconnected critical infrastructure like power facilities, electrical grids, industrial manufacturing operations and others,” said Kris Lovejoy, general manager of IBM Security Services. “If organizations take the steps outlined in the Framework, they’ll be better positioned to protect themselves and their practices.”

Critics of the framework say that without incentives, legislation, or enforcement, the guidelines will not be adopted. Companies will use the framework to review or compare their cybersecurity initiatives with other industry players, but adopting the guidelines and recommendations will be considered an expense.

Some supporters of the Framework favor the “voluntary” format. Jeff Greene, senior policy counsel for Symantec, told eWeek that the framework will improve communication between security professionals and business executives. “It’s a great lexicon and a good set of terminology to discuss technical details,” he said. “With Symantec, it has facilitated communication with non-technical people.”

Some security experts insist that the framework or legislation on the subject needs to be enforced in order for companies to adopt the recommended measures. “The marketplace will punish any company that implements anything that could be considered excessive security, because it will increase their costs,” said Dave Frymier, chief information security officer with Unisys. “But if the government steps in and requires a minimum bar that everyone has to come up to, everyone incurs roughly the same costs and we get improved security as a result.”

According to Gov Info Security, Adam Sedgewick, the NIST executive who led the writing of the framework, said the success of the framework will be measured by the number of organizations who apply it and whether it “reduces cybersecurity risk.”