2017 Cybersecurity Prediction: Adopting the NIST Cybersecurity Framework Will Save Companies Millions, Alleviate Lots of Grief and Anxiety


NIST Framework

The National Institute of Standards and Technology cybersecurity framework has the breadth and rigor to provide a meaningful framework for companies to succeed in their cybersecurity efforts in 2017, the authors write.


By Paul A. Ferrillo and Chris Veltsos

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP in New York and is part of Weil's Cybersecurity, Data Privacy and Information management group, where he focuses primarily on cybersecurity corporate governance issues and regulatory matters.

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes, and cyber risk strategist at Dr. InfoSec blog and a contributor to the SecurityIntelligence.com blog sponsored by IBM.

Paul Ferrillo and Chris Veltsos have published the book “Take Back Control of Your Cybersecurity Now.” This article also features comments by Ron Ross, a Fellow at the National Institute of Standards and Technology (NIST), and Matthew Barrett, a senior computer scientist and project manager at NIST. We are grateful for their input and their comments.

There are tons of “cybersecurity predictions for 2017” articles, tons of “what the new administration will do on cybersecurity” articles, and even more “what the old administration wishes the new administration would do on cybersecurity” articles. These articles contain lots and lots of best practices. If we were printing these articles out, we would be killing a lot of trees, and even more brain cells. Do this, do that, these articles say. Kind of like arguing with my son over how to play his Nintendo Wii University video games. He knows best. I do not.

Well, now, hmm… Well my son may know more about his video games (and how to beat his old man handily), but his dad is a student of human nature. His dad has seen lots of bad things happen to companies of all shapes and sizes. Due to the economy, due to fraud, due to a lot of things I wouldn't wish on anybody. That is why I wrote Navigating the Cybersecurity Storm last year. See Bloomberg BNA, “‘You Are Going to Need a Bigger Boat’ in 2016 To Navigate the Cybersecurity Storm.” And that is why Chris Veltsos and I wrote “Take Back Control of Your Cybersecurity Now,” this year. To help educate Corporate America about the importance, necessity and application of good cybersecurity principles and governance. And to bring down something very complicated into bite-sized pieces that mere mortal directors and officers could understand, appreciate, and put into action.

We are not faulting any of these year-end articles, of course. They are someone's opinion. We respect that. Chris and I just have our own opinion, gained through 20 years of corporate governance, litigation and computer science experience.

Our opinion: cybersecurity is hard stuff. It is not one size fits all. It is not intuitive. And sometimes even the best of us don't get it. And that is why all the strategies and committees and best practices we all have known for years have not gotten us very far in the cybersecurity world. Our opinion: keep it simple silly. Keep it strategic. Why use a cleaver, when a butter knife will do?

Lost in the year-end shuffle of articles is the seminal publication, the National Institute of Standards and Technology (NIST) Framework (the Framework). The Framework is something Chris and I have written a lot about. It is something which a lot of companies have successfully adopted already. It is something which works. Why does the Framework work? Its elegant simplicity. Identify, Protect, Detect, Respond and Recover—five elements only (not 20) and in plain English, not just for computer scientists and network engineers to adopt and use, but corporate directors and officers as well. See, e.g., “Why you should adopt the NIST Cybersecurity Framework.”

This simplicity was both anticipated and necessary:

According to Matt Barrett, a senior computer scientist and project manager at NIST, “The Framework was designed to bridge the communication gap between cybersecurity technologists and people in other fields; for example, other specialists and senior executives. For that reason, it was important to organize around a universally understood vocabulary. Identify, Protect, Detect, Respond, and Recover are simple and meaningful words for all parties. They allow proper consideration of cybersecurity by people who are not cybersecurity specialists. They also allow people who are not cybersecurity specialists to participate in cybersecurity decisions.” (*Personal correspondence with authors, reprinted with permission.)

In connection with the publication of “Take Back Control of Your Cybersecurity Now,” we wanted to focus on the first three elements of the Framework: Identify, Detect and Protect. We think they are the cornerstone of this great document:

Identify

This is a greatly overlooked element of almost any cybersecurity program because we create so much data every day—2.5 quintillion bytes of information are created each day. That is the equivalent of 10 million Blu-ray discs, which, when stacked on top of each other, would be the equivalent of 4 Eiffel Towers, one stacked on top of the other. We are creating this data in our businesses, financial transactions and in provision of our health and medical care. We are using this data to improve business processes and practices, innovate, create efficiencies and to improve business performance. And for multinationals, you likely don't have this data just in one place. You have it in many countries, the cloud and in data “lakes” where it is used for big data analytics. Data is the new gasoline for the digital economy. If you don't know what information you have, and its relative importance to your business, it would be awful hard to craft a sound cybersecurity strategy.

Companies need to wrestle the Identify element of the Framework to the ground for many reasons:

  1. Regulations and compliance – what data we have, use, keep and store may be subject to a panoply of both federal and international regulations, like Securities and Exchange Commission Office of Compliance Inspections and Examinations, Department of Treasury, Federal Financial Institutions Examination Council, Health Insurance Portability and Accountability Act of 1996, and the new EU General Data Protection Regulation;
  2. Cybersecurity – what data we have, use, keep and store will guide our cybersecurity strategy that is generally formed to protect “the crown jewels” from theft, attack or manipulation; this could be enhanced cybersecurity procedures (maybe virtualization or micro-virtualization of cloud servers to prevent lateral movement), tokenization or even encryption of documents or communications;
  3. Budget – what data we have, use, keep and have to protect will likely guide what monies we spend for cybersecurity defensive solutions and skilled personnel.

Protect

The Protect element of the Framework is very much related to the Identify element. A couple more words here though on “Protect”:

  1. Protect applies to the Cloud too: As we noted extensively in “Take Back Control of Your Cybersecurity Now,” the cloud has now become almost the preferred venue or repository for much of the IT network world. For some, it is more “Cyber secure” than most on-premises solutions. For others, it provides infinite storage, computing power, and network speed for more advanced big-data analytics, AI, and Machine Learning platforms. Just because you store stuff in the cloud doesn't mean you are off the hook from a security perspective. You are not. Same rules. Same regulation. Same peril if you are hacked. Companies must have the same visibility into their “cloud” as they would have if they stored their data down the hall in the data room. If you don't, you are way behind the curve.
  2. Protect means, as noted above, other items of security too, like next-generation firewalls, micro-virtualization of network machines and endpoint detection. Same rules again for a cloud environment.
  3. Protect also means protecting your industrial control systems and supervisory control and data acquisition, or SCADA, systems that run your machines, shops, plant floor and factories. There are devices that probably were never meant to be connected to the internet or an internet-connection communications platform. There are reams we could write on this topic, but three of the more important things come to mind: (1) visibility of your devices, i.e., can you tell if something is “not normal?” (2) can communications to and from your devices be hacked, spoofed or replicated? and (3) can you perform vulnerability assessments on these devices? If you can, you should.
  4. “Security by design”: while not exactly a new concept, security by design is worth mentioning again as software and hardware makers have managed to ignore this even in light of the recent security spats. Security by design is in our opinion one of the most important concepts of the year other than AI and Machine Learning platforms. With great clairvoyance, the NIST published Special Publication 800-160 in November of this year to describe the fundamental concepts and principles for building security into products and systems including devices that are part of the internet of things (IoT). Rather than hope and prayer, the concept was a simple one, i.e. build these devices with greater security the first time around so they can be trusted and integrated accordingly.

Managing the complexity of today's systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. That basis provides the foundation to address the additional security concerns that provide confidence for the expectation that the system functions only as intended across the spectrum of disruptions, hazards, and threats, and to realistically bound those expectations with respect to constraints, limitations, and uncertainty. The level of trustworthiness that can be achieved in today's complex systems is a function of our ability to think about system security across every aspect of every activity, and in our ability to execute with commensurate fidelity and rigor to produce results that provide the confidence in the basis for those claims of trustworthiness. See NIST Special Publication 800-160.

As the summer of 2016 moved into September, the insecurity of the IoT became transparent when the website of noted blogger Brian Krebs was taken down by a massive distributed denial of service (DDoS) attack called Mirai. As later discovered, the massive attack (double all previous attacks) was engineered by attackers using insecure IoT devices to magnify the size of the DDoS attack. That attack then led to the Dyn Mirai DDoS attack, which led to NIST moving up the publication date of SP 800-160.

As noted by Ron Ross of NIST, one of the authors of SP 800-160, this acceleration was warranted and necessary. He noted: “We are pushing computers to the edge in every part of the critical infrastructure and providing wireless access through ubiquitous networks. Many of the vulnerabilities that exist in the systems and devices that support this infrastructure are buried in the complexity of the hardware, firmware and software leading to a dangerous susceptibility to damaging cyber-attacks.” (*Personal correspondence with authors, reprinted with permission.)

The security of the IoT is obviously a moving target, and has garnered much attention, especially with the soon-changing Presidential Administrations.

Detect

This is perhaps the biggest element that has risen in importance since the Framework was announced in February 2014. The devil here is dwell time, i.e. the amount of time it takes an organization to find malware on its system. The average dwell time today for a non-bank is about five months. It takes an attacker approximately 3 days to set up residence on your network. So five months on your network is about five months too long.

This problem has been complicated over the past 12 months by variants of malware that might slightly change the signature on a piece of malware, or through latent (“silent but deadly”) malware that might lie dormant on your systems for months on end before it becomes activated and steals your stuff. Last year people talked about endpoint detection, i.e. the ability to see and stop malware at the individual device level. Today, people are talking about artificial intelligence and machine learning solutions that allow defenders of large computer networks to understand and know, at network speed, that something abnormal is happening on their network and it needs to be stopped. Fast.

Finally, the Detect element has risen to new heights because many organizations and regulators have come to understand that network defense changes daily, and that new vulnerabilities can pop up at a moment's notice. So can spear phishing attacks and other forms of cyberattacks that might leave malware on your system. More and more today, companies are doing both vulnerability and compromise assessments in order to assess the status of a server, network or device. Or to see if they have had a breach. Regulators also understand the importance of these assessments as reflected in their guidance. Lastly, given the recent discussion and debates around the security of IoT, vulnerability assessments of key, internet-connected components of larger devices, machinery, factory plants and electric grids will soon (hopefully) be the norm rather than the exception.

While our focus in this article has been mainly on the Identify, Protect, and Detect elements of the Framework, organizations should not by any means ignore the Respond and Recover elements to ensure that they are ready to effectively address the inevitable breach. As anyone with emergency response experience would attest, preparedness is key to successfully navigating adverse circumstances.

So, there you have it. Our cybersecurity prediction for 2017. Given its breadth, importance and the great minds behind it, the NIST cybersecurity framework can provide not just a Framework to act, but a Framework to succeed in your cybersecurity defense. Used wisely, frequently and often, it is a living breathing document that lives up to the dangerous times we are seeing today. And NIST has announced that it will be working on an updated version of the framework, likely to version 1.1, during 2017, to enhance usability and provide guidance for metrics and measurements. But don't delay, get started on the road towards adoption of the NIST Framework.

For More Information

For additional information see “Take Back Control of Your Cybersecurity Now.”

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
