“With the specter of more significant cyber risk looming, we should move toward greater cyber resilience on a national scale.”
Although authorities have, at least initially, said no connection exists between power outages in three of the country’s largest cities on the same day, it is kind of weird. It’s not weird that in this day and age cyberterrorism is the first thought that comes to mind when such a significant coincidence occurs. Regardless of the conclusion reached, previous incidents like the takeover of a New York dam have fostered a lack of trust in our government’s will and ability to protect vital infrastructure from cyberattacks.
In view of the unease about potential attacks on critical public facilities, what’s the “one BIG thing” government could do to make the nation safer? Widespread assessment of cyber risk and resilience by adopting the NIST Cyber Security Framework (CSF) seems to be at the top of the list. The authors described their Framework as “not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.” (“Framework for Improving Critical Infrastructure Cybersecurity,” NIST, Feb. 12, 2014)
In the last two years, NIST CSF has emerged as the de facto method for gauging the maturity of an organization’s cyber resilience and continuously managing cyber risk. At present, it is the foundation for a pending executive order, for pending congressional legislation, and for pending actions in over 30 state legislatures. Each of these measures requires Federal and state agencies to measure and report on the status of the steps they have implemented to guard against cyber breaches, using NIST CSF as the common benchmark.
What would be the outcome of widespread assessment of government facilities, including transportation and utility infrastructures? There’s a saying, “What’s measured improves.” A comprehensive cyber risk assessment would improve operational excellence, since examining roughly 400 controls to assess cyber risk would identify many areas that need attention, set priorities for tighter controls, and would drive the changes necessary to improve.
If national legislation passes, and agencies have to follow its mandate to assess their resilience in a standardized way, it’s likely that commercial entities will follow suit. Assuming pervasive use of CSF in both the private and public spheres, a massive amount of data about internal processes would accumulate in a short period of time. Internal NIST assessments have been done sporadically before, but until now no way has existed to aggregate massive amounts of data on internal policies, processes, and technology. Enactment and implementation of the proposed legislation would drive that.
With the specter of more significant cyber risk looming, we should move toward greater cyber resilience on a national scale. Our national economic and technical infrastructure comprises multiple critical components that are interconnected. For example, a supplier that fails to deal effectively with cyber risk can impact hundreds in its supply chain.
We all need to tighten up policies and processes that ensure proper management of cyber risk. Adopting and implementing a national assessment standard would be a big step forward.