Forbes Has It Wrong on Cyber Security

Editor’s Note: Forbes has it completely wrong in criticizing the President’s selection of the National Institute of Standards and Technology (NIST) to develop the Executive Order’s Cybersecurity Framework. Throughout the implementation of FISMA and other activities, NIST has proven itself from a technical and management standpoint to have the knowledge, skills, deep understanding of national and international standards processes, and the commitment to transparency necessary to develop the Framework. The career professionals and leadership of NIST were the exact right choice by the President for the crucial task of developing the Cybersecurity Framework.

Obama’s Cybersecurity Action Reaches Too Far

Jody Westby

Since nothing has been happening in Washington lately except speeches, President Obama seized the moment and ended his State of the Union day by issuing an Executive Order (EO) and Presidential Policy Directive 21 (PPD-21) on critical infrastructure cybersecurity. As expected, the EO closely tracked the leaked draft dated November 21, 2012.

The EO actually does a couple of good things: It authorizes government agencies to share classified and unclassified threat and technical information with critical infrastructure owners and operators and allows for the expedited processing of security clearances to personnel within these entities. This step should have been taken about ten years ago, but at least the government finally figured out that it could stop talking about information sharing and assistance and actually make it happen.

The EO gets it wrong by directing the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework that includes “standards, methodologies, procedures, and processes . . . to address cyber risk.” Although one section of the EO establishes a voluntary program to support the adoption of the Framework by critical infrastructure owners and operators, another provision directs federal agencies with regulatory authority over these entities to submit a report on whether they have “clear authority to establish requirements” based on the Framework. The writing is on the wall: the Administration intends to maximize its regulatory powers to make the Cybersecurity Framework mandatory.

Why is this wrong? Because there is already a long list of internationally accepted best practices and standards (see my earlier blog listing them) that are available to critical infrastructure companies, which includes NIST’s guidance and standards that are freely available from its Cyber Security Resource Center. Cyber threats change on a daily basis, and security programs have to adapt to counter them. Mandatory requirements will only drive attention and money away from countering the real, current threat to checking compliance boxes.
