Cybersecurity Framework: Beyond Standards

How a Service-Level Mindset Can Protect Critical Infrastructure
Cybersecurity Framework: Beyond Standards

The National Institute of Standards and Technology characterizes the cybersecurity framework, a key element in President Obama's executive order [see Obama Issues Cybersecurity Executive Order], as a set of voluntary standards and best practices to guide industry in reducing cyberrisk to networks and computers deemed vital to the nation's economy, security and daily life.

See Also: Healthcare in The Cloud: Detecting and Overcoming Threats to Ensure Continuity & Compliance

But to get a better handle on ways to create the framework, Homeland Security's Bruce McConnell says stakeholders should think in terms of performance goals.

"What is the service-level agreement between the owners and operators of the critical infrastructure and the American people, with respect to performance [and] the delivery of essential services, in the face of a cyber-incident?" asks McConnell, a cybersecurity thought-leader who holds the title of senior counselor at DHS.

Speaking on a panel at the Center for Strategic and International Studies Feb. 15, McConnell provided a few theoretical ideas on measures that could be incorporated into the cybersecurity framework.

Outcome-Based Performance Standards

Imagine, McConnell says, a cyberattack that disables electrical power in a major metropolitan area. A performance goal could be in the form of a service-level agreement that promises to restore power in 90 percent of locations within four hours. That's an example of an outcome-based performance standard. "Then," he says, "the framework can address it by saying, 'Okay, if you're going to do that, then you need this level of cybersecurity.'"

Another example: A cyber-attack degrades cell phone service. The service-level agreement assures that 90 percent of first responders could complete their calls on the first try in such an event. The challenge facing stakeholders involved with creating the framework, according to McConnell: "How do we, collectively, write a framework that allows, from the cyber-hazard, the owners and operators to meet that agreement, if you will, with the American people?"

The Look of Success

The president, in the executive order, assigned NIST the responsibility to work with the private sector and other stakeholders to create the cybersecurity framework in a year. McConnell conjectures what the impact of the cybersecurity framework could be 18 months from now. "What would success look like?" he asks.

"People will be adopting that; people will be using it," McConnell says. "They'll be figuring out how to inculcate it into their regulations and in their businesses. The infrastructure as a whole would be healthier; it will be more resilient; it will be more secure."

In 18 months, he says, DHS would have compiled a small list of critical infrastructures that remain at risk. "That will help us understand better on a systematic basis, based on interdependencies and whatnot, what we collectively need to care most about."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.