Eight months following the release of a guide to best practices and standards for the public and private sectors to better manage network security and related risks, the response from the private sector in general has been positive, the White House official responsible for developing and coordinating cyber security policy across the federal government said Thursday.

“In general we’re seeing more and more different uses for the framework,” Michael Daniel, special assistant to the President and Cybersecurity Coordinator, said during a discussion about cyber security hosted by the Center for National Policy and the Christian Science Monitor. He said that different sectors are coming up with “their own sort of overlays for the framework.”

White House Cybersecurity Coordinator Michael Daniel. Photo: White House

The Obama administration in February released the Cybersecurity Framework following a year of development, which was coordinated by the National Institute of Standards and Technology in partnership with the private sector.

Some companies say they aren’t completely adopting the framework, yet they are still using it internally and to benchmark their own progress around cyber security, Daniel said. “You’re seeing different sectors come up with their own sort of overlays for the framework.”

He also said that the administration is getting positive feedback about the framework from some foreign governments that are looking to implement it within their domestic context.

Regarding public sector adoption of the framework, Daniel said that the Office of Management and Budget’s (OMB) release last week of annual guidance for information security of federal networks ties the Federal Information Security Management Act closer to the framework.

“That is clearly the direction we are moving in,” he said. “We are bringing those principles in how we manage the federal government’s own cyber security. And we’re developing an overlay for the federal government that is related to the framework.”

The new guidance from OMB “establishes a new process for DHS (Department of Homeland Security) to conduct regular and proactive scans of Federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents,” Beth Cobert, deputy director for Management at OMB, said in an Oct. 3 post on her agency’s blog. “This new process complements existing agency information security operations, to include network scans, and will provide a consistent scanning methodology that quickly identifies risks and vulnerabilities that may have government-wide implications.”

Regarding J.P. Morgan Chase’s [JPM] recent disclosure that personal data of millions of individuals was exposed in a cyber attack over the summer, Daniel said he didn’t know whether the breach would have been prevented if the bank had followed the framework’s guidelines. The company has said that exposed data includes names, addresses, phone numbers and email addresses.

Daniel said that the framework helps users manage cyber security from a “risk perspective” and helps them tackle the problem.

The cyber attack against J.P. Morgan is part of a “broad trend of the targeting of U.S. critical infrastructure,” Daniel said, and how “we can do a better job of protecting that critical infrastructure…is particularly concerning to us.”

Daniel touched on three broad trends that he sees in the cyber threat landscape. One is that as the Internet connects to more things, whether cars or household items, the threat vectors expand and the security problem becomes more difficult.

He also said that cyber attackers are moving “up the threat spectrum” and going beyond graffiti to taking destructive measures.

Finally, attackers are becoming more sophisticated, Daniel said.

“Hacking is a big business and they are run like businesses,” he said. “And many of these organizations actually operate along very structured corporate lines.”