The cyber-threat ecosystem is complex, relentless, and rapidly evolving. Fittingly, the same three words describe the work of creating national cybersecurity policy.
What dynamics currently shape federal cybersecurity policy? That was one of the questions Robert Mayer set out to answer in his National Cybersecurity Policy Update, delivered at Sage’s 2017 CyberCrime Symposium. As senior vice president, cybersecurity, for USTelecom, a trade association whose members range from tier-one global communications carriers to small rural cooperatives, Mayer is familiar with the challenges of coordinating cybersecurity policy across very different organizations.
Mayer kicked off his presentation with a little levity before diving into the heady world of cybersecurity policy-making. “For those of you expecting to learn what's happening in Washington more broadly, I won't be able to explain that at all,” he warned attendees. Fortunately, he added, “in cybersecurity policy, there's a little bit more rationality and some focus.”
Indeed, federal efforts to shape cybersecurity policy continue to accelerate, producing some noteworthy results along with a mountain of statutes, orders, reports, data, and other materials. Two key accomplishments of public-private partnership: the NIST Cybersecurity Framework v1.0, whose stock continued to rise with the recent release of Draft 2 of CSF v1.1, and the National Cybersecurity and Communications Integration Center (NCCIC), where cybersecurity and communications specialists from government, industry, and international partners conduct cybersecurity analysis, share information, and coordinate threat response and mitigation.
Decentralization Leads to Duplication
Still, with the White House issuing executive orders and policy directives on cybersecurity; the Departments of Justice, Defense, and Homeland Security overseeing operational cybersecurity functions; DOJ, DoD, DHS, the Department of Commerce, the FTC, the FCC, and the FBI all engaged in policy-making; and Congressional committees continually introducing new bills, the federal cybersecurity machine is decentralized and complex, Mayer said.
Over the past couple of years, he said, agencies and others have worked hard to rationalize the breadth of government activity on the cybersecurity front. Agency leaders recognize the need to keep every entity and its assets organized, coordinated, and informed, but it is no surprise that a lot of work is duplicated.
For those on the industry side, like Mayer and the association members he represents, “one of the biggest challenges is dealing with the increasing number of activities underway in these agencies and the expectation that industry be at the table,” he said. “We have only so many resources to support that.”
Moreover, it is difficult for companies, regardless of size or industry, to get a handle on the expansive cybersecurity landscape, let alone how it affects their business, Mayer said. SMBs are particularly challenged. To help members and others navigate this terrain, USTelecom recently released its 2018 Cybersecurity Toolkit, a comprehensive guide to government cybersecurity initiatives; university-affiliated academic centers focused on security technology innovation, research, and policy; industry best practices; and cybersecurity strategies. The free toolkit includes more than 350 links to White House and agency reports, research analyses, and policy documents.
Seeking Cyber-Policy Simplification
Regulatory agencies approach cybersecurity in their respective industries differently. Some impose strict security controls and compliance requirements, while others stay deliberately flexible to encourage innovation. According to Mayer, Executive Order 13800, signed in May 2017, set in motion activities that will have a major impact on how federal agencies and industry approach cybersecurity and collaborate to resolve issues. Federal agencies are now required to use the NIST Cybersecurity Framework to manage cyber-risk; industry sectors, which largely drove the framework's development, can still choose whether and how to implement it. Because President Obama’s Executive Order 13636 made adoption voluntary, Mayer said, private-sector organizations were willing to move toward a common cyber-risk management model. The new order risks turning the framework into a rigid compliance structure, which can backfire if agencies focus on a compliance checklist at the expense of security best practices.
For his part, Mayer prefers the FTC’s “reasonableness” standard, which the agency applies both when investigating security complaints and when developing policy. In an investigation, the question is whether the defendant’s cybersecurity practices and actions were reasonable under the circumstances. The FTC also publishes Start With Security, a guide that distills 10 basic cyber-hygiene lessons from more than 50 of its enforcement cases, naming the companies involved and illustrating a range of security failures.
“Every CEO should review every problem identified in the FTC’s Start With Security report and ask their CIOs and CISOs if their organization has protections for all of them,” said Mayer. That’s a good baseline, considering many companies don’t practice simple cyber-hygiene.
“We’re one serious cyber-incident away from a strict regulatory regime,” said Mayer. “So, we’ve got a big problem if organizations can’t bother to practice basic cybersecurity blocking and tackling.”
This is the seventh post in our series of key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques used by cybercriminals and, most importantly, what attendees could do to enhance their organization's cyber resiliency. If you couldn’t get a seat at the event, centered on the theme “Think Global, Act Local”, or want a refresher on the sessions, don’t miss this series.