Wednesday the White House “launched” the long-under-way Framework for Improving Critical Infrastructure Cybersecurity (41-page PDF). A snow day has given me the chance to read it.
You need to turn to someone else for a technically competent reading-between-the-lines. I have no particular competence in cyber hermeneutics.
Information Week reports, “Experts believe NIST’s voluntary Cybersecurity Framework will become the de facto standard for litigators and regulators.”
Several others suggest the voluntary standards are a reasonable step forward given the collapse of earlier efforts to draft legislation. The US Chamber of Commerce continues to be suspicious of how even these kumbaya methods might be turned to satanic purposes.
The White House spin is well-set out in a detailed background briefing.
No one is suggesting that the framework, even if widely adopted, resolves vulnerabilities innate to the network.
Two aspects of the framework should not be taken for granted. First, the methods used to finalize the framework may be a model for future approaches to public-private problem solving. The National Institute of Standards and Technology, a non-regulatory agency, played host and facilitator for a largely private-sector-driven process. NIST did not try to drive the process in any particular direction, but was helpful in brokering practical paths to consensus among sometime competitors holding a variety of views. “Honest broker” is not the first thing many in the private sector attribute to the Feds. It apparently worked here.
Second, several of the private sector “Big Boys” involved in the process (e.g. AT&T) have announced their intention to use audited compliance with the voluntary standards as a gateway for those enterprises from which they will purchase goods and services.
This tees up the potential for a dynamic process of community self-enforcement, which several studies (including many by my heroine Elinor Ostrom) have found to be much more effective at proactive avoidance and prevention of problems than after-the-fact sanctioning. Given the “commons-like” characteristics of the cyber-domain, this could be an important dynamic to consciously cultivate.