Protect Your Assets

3 potential issues with the new Cybersecurity Framework

markpainter ‎02-13-2014 01:41 PM - edited ‎07-07-2015 09:22 AM

The White House just released a Cybersecurity Framework developed by the National Institute of Standards and Technology, designed to help critical industries both secure their networks and recover from successful breaches. While a move in the right direction, there are some foreseeable issues with the guidelines. Here are the top 3 concerns and reasons businesses might not be so eager to rush towards adoption.


1) Voluntary is as voluntary does


Put simply, there are no teeth to the new standards, as compliance is completely voluntary. So why are security standards for critical pieces of infrastructure not mandatory? For one, the political gridlock that has affected most things has also impacted security efforts (and also ensures no incentives such as tax breaks for adoption will be forthcoming anytime soon - and the last time I checked, businesses were still coin operated). But more so, it's because the fear of governmental backdoors and spying has created a climate inhospitable to any legislation that would require mandatory measures (or network access) for any industry. Corporations have fought back hard against any meaningful legislation. After Snowden, it's hard to find fault with that. But for things whose security affects all of us, there has to be something better than "enlightened self-interest."


A lot of my security friends scoff at the notion that legislation can do anything to help solve our significant security challenges (pretty sure nobody would ever describe the average security professional's disposition as 'sunny'). I'm definitely not proposing that as a sole solution--most of all, because that's not nearly enough. Ask Target what being PCI compliant got them. Or to further that line of devil's laws keep criminals from doing anything. Those are both reasonable arguments. But what legislation can do is provide the appropriate amount of security budget for government agencies that protect data valuable to all of us. What it can do is move us towards a technology embraced by the rest of the developed world such as chip and pin credit card technology. And if it matters enough, it can create the proper sense of urgency across a broad spectrum of both private and public constituencies (see #3 below).


2) The government's own track record on security is woeful


Every now and then, I read something security related that at first scares me, but ultimately serves to make me want to throw things across the room. The Federal Government's Track Record on Cybersecurity and Critical Infrastructure was one of those. Qwerty much? The information potentially exposed was shocking and included a listing of weaknesses in dams and sensitive Nuclear Regulatory Commission material. Agencies and departments known to have suffered some form of successful penetration included the Departments of "Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the US Copyright Office; and the National Weather Service." Keep in mind, this was still a governmental report, and does not include things that had already been mitigated (surely). But when free email account passwords require more complexity than elements of our national infrastructure, it's a problem for much more than just governmental credibility on the subject of cybersecurity. If nothing else, at least there was ample material from which to discover what not to do.


3) Two years to comply is possibly a lifetime in cybersecurity


While there are no corporate compliance requirements, there is a mandate that government agencies adopt these new standards within the next two years. Considering the above two points, that's a lengthy approach, to say the least.

There's been a growing sense in the security community that security just continues to get worse. I write about it frequently (and I'm not the only one). For instance, just since 2009, the average amount of time to resolve a successful breach has grown 130%. It begs the question: do we have two years? Let's hope it doesn't take a cyber attack that costs human life before we achieve the proper sense of urgency on issues such as these.



