Homeland Security Watch

News and analysis of critical issues in homeland security

February 13, 2014

Private-Public Cybersecurity Framework

Filed under: Cybersecurity, Private Sector, Resilience — by Philip J. Palin on February 13, 2014

Wednesday the White House “launched” the long-under-way Framework for Improving Critical Infrastructure Cybersecurity (41-page PDF). A snow day has given me the chance to read it.

You need to turn to someone else for a technically competent reading between the lines. I have no particular competence in cyber hermeneutics.

Information Week reports, “Experts believe NIST’s voluntary Cybersecurity Framework will become the de facto standard for litigators and regulators.”

Several others suggest the voluntary standards are a reasonable step forward given the collapse of earlier efforts to draft legislation. The US Chamber of Commerce continues to be suspicious of how even these kumbaya methods might be turned to satanic purposes.

The White House spin is well-set out in a detailed background briefing.

No one is suggesting the framework, even widely adopted, resolves vulnerabilities innate to the network.

Two aspects of the framework should not be taken for granted. First, the methods used to finalize the framework may be a model for future approaches to private-public problem solving. The National Institute of Standards and Technology, a non-regulatory agency, played host and facilitator for a largely private-sector-driven process. NIST did not try to drive the process in any particular direction, but was helpful in brokering practical paths for reaching consensus among sometime competitors and a variety of views. “Honest broker” is not the first thing many in the private sector usually attribute to the Feds. It apparently worked here.

Second, several of the private sector “Big Boys” involved in the process (e.g. AT&T) have announced their intention to use audited compliance with the voluntary standards as a gateway for those enterprises from which they will purchase goods and services.

This tees up the potential for a dynamic process of community self-enforcement, which several studies (including many by my heroine Elinor Ostrom) have found to be much more effective at proactive avoidance and prevention of problems than after-the-fact sanctioning. Given the “commons-like” characteristics of the cyber-domain, this could be an important dynamic to consciously cultivate.


1 Comment

Comment by William R. Cumming

February 13, 2014 @ 7:32 pm

Interesting post! A critique of the Framework on several other blogs including Lawfare.com!

Of most interest is the fact that NIST [National Institute of Standards and Technology] stepped in where others fear to tread. I did one of my high school science projects at the Harry Diamond Fuze Lab, part of the former Bureau of Standards that morphed into NIST. The subject was chrystallography [sic]!

Wondering if DHS signed off on the Framework, since CIP and cyber security are among the main reasons DHS was founded.
