ARGUMENT: FALLING SHORT ON CYBERSECURITY: A Review of NIST’s Draft Cybersecurity Framework 2.0

Published 14 September 2023

Cybersecurity professionals, and anyone interested in cybersecurity, have noted that the gold standard of cybersecurity is getting a needed polish. “But all that glitters is not gold,” Melanie Teplinsky writes. NIST’s voluntary cybersecurity framework leaves organizations vulnerable to the nation’s most capable cyber adversaries. NIST’s proposed overhaul won’t change that.

Cybersecurity professionals, and anyone interested in cybersecurity, take note: The gold standard of cybersecurity is getting a needed polish.

“But all that glitters is not gold,” Melanie Teplinsky writes in Lawfare.

She continues:

The National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity (CSF) is often touted as the gold standard for building a robust cybersecurity program. But voluntary compliance with the framework has largely failed to generate effective cybersecurity, leaving critical infrastructure and other organizations vulnerable to serious cyber threats such as ransomware. Now, nearly a decade after its initial release, the CSF is undergoing a major overhaul to address changes in technology, risk, and the overall cybersecurity landscape. The updated framework (CSF 2.0) is due out in early 2024, but if NIST’s recently released draft is any indication, CSF 2.0 is unlikely to fundamentally improve the nation’s cyber posture.

The CSF was first released in 2014 to reduce cybersecurity risk to critical infrastructure, yet in the decade since, that risk has only increased. According to the intelligence community’s 2023 threat assessment, “China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems,” and more recent reports indicate that Chinese state-sponsored hackers already have infiltrated a wide array of U.S. critical infrastructure organizations including telecommunications and transportation hubs. Voluntary compliance with the CSF simply has not been sufficient to generate effective cybersecurity for critical infrastructure. This reality was brought home by the ransomware attack on Colonial Pipeline in 2021 and is reflected in the Biden administration’s subsequent decision to impose mandatory cybersecurity requirements in key critical infrastructure sectors, including oil and natural gas pipelines, aviation, rail, and water.

Nothing in CSF 2.0 is likely to change this state of affairs. CSF 2.0 explicitly expands the CSF’s scope beyond critical infrastructure to organizations of any size or sector, elevates the importance of cybersecurity governance, and emphasizes the importance of cyber supply chain risk management. But fundamentally, the framework is not changing.