Cybersecurity Framework: Beyond StandardsHow a Service-Level Mindset Can Protect Critical Infrastructure
The National Institute of Standards and Technology characterizes the cybersecurity framework, a key element in President Obama's executive order [see Obama Issues Cybersecurity Executive Order], as a set of voluntary standards and best practices to guide industry in reducing cyberrisk to networks and computers deemed vital to the nation's economy, security and daily life.
But to get a better handle on ways to create the framework, Homeland Security's Bruce McConnell says stakeholders should think in terms of performance goals.
"What is the service-level agreement between the owners and operators of the critical infrastructure and the American people, with respect to performance [and] the delivery of essential services, in the face of a cyber-incident?" asks McConnell, a cybersecurity thought-leader who holds the title of senior counselor at DHS.
Outcome-Based Performance Standards
Imagine, McConnell says, a cyberattack that disables electrical power in a major metropolitan area. A performance goal could be in the form of a service-level agreement that promises to restore power in 90 percent of locations within four hours. That's an example of an outcome-based performance standard. "Then," he says, "the framework can address it by saying, 'Okay, if you're going to do that, then you need this level of cybersecurity.'"
Another example: A cyber-attack degrades cell phone service. The service-level agreement assures that 90 percent of first responders could complete their calls on the first try in such an event. The challenge facing stakeholders involved with creating the framework, according to McConnell: "How do we, collectively, write a framework that allows, from the cyber-hazard, the owners and operators to meet that agreement, if you will, with the American people?"
The Look of Success
The president, in the executive order, assigned NIST the responsibility to work with the private sector and other stakeholders to create the cybersecurity framework in a year. McConnell conjectures what the impact of the cybersecurity framework could be 18 months from now. "What would success look like?" he asks.
"People will be adopting that; people will be using it," McConnell says. "They'll be figuring out how to inculcate it into their regulations and in their businesses. The infrastructure as a whole would be healthier; it will be more resilient; it will be more secure."
In 18 months, he says, DHS would have compiled a small list of critical infrastructures that remain at risk. "That will help us understand better on a systematic basis, based on interdependencies and whatnot, what we collectively need to care most about."