Simplicity in Return for Accountability

NIST Cybersecurity Framework

Kevin Whalen

Week two of National Cyber Security Awareness Month (NCSAM) will “showcase how organizations can protect against the most common cyber threats. The week will also look at resources to help organizations strengthen their cyber resilience, including the use of the National Institute of Standards and Technology Cybersecurity Framework.”

DDoS attacks fit the bill in two ways.

First, DDoS attacks are very common. Arbor’s ATLAS infrastructure, sourced from 400 global customer deployments with visibility into approximately one third of all internet traffic, recorded 6.1 million DDoS attacks year to date through September. That works out to:

  • 22,426 per day
  • 934 per hour
  • 15 per minute

Second, DDoS defense and the NIST Cybersecurity Framework came together for the first time this summer. Given the importance of internet availability to our society, and the dynamic nature of DDoS threats, the first ever threat profile for DDoS attacks using the NIST Framework was created by The Coalition for Cybersecurity Policy and Law. The group focuses on education and collaboration with policymakers on the increasingly complicated legislative and regulatory policies related to cybersecurity. Founding members of the Coalition include Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7, and Symantec.

The goal of the DDoS threat profile “is to ensure the strategic and operational discipline needed to protect and respond to DDoS threats is comprehensively addressed by applying the appropriate recommendations and best practices outlined in the Cybersecurity Framework.”

Taking a step back, the National Institute of Standards and Technology (NIST) was tasked by President Obama, via Executive Order, to develop “a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way.” President Trump then issued an Executive Order instructing federal agencies to implement the NIST Cybersecurity Framework.

Ed Amoroso, proprietor of TAG Cyber, a training, advisory and consulting firm, thinks the focus of the NIST Cybersecurity Framework needs to change, but that ultimately, it should be the sole cybersecurity compliance standard in the U.S. In an open letter to the new president on cybersecurity, the first agenda item was:

Direct that the NIST Framework shall be the only acceptable cyber security compliance standard in the United States. We have too many compliance frameworks and this diverts the attention of our nation’s cyber defenders from security operations to administrative paperwork. Demand that compliance be done properly, but that it be done only once using the NIST framework.

Who wouldn’t welcome simplicity in return for greater accountability in cybersecurity? In a world of kinetic threats and complex defenses, simplicity is progress. Is a single standard a silver bullet? Of course not. See PCI, for example. But I think this approach represents pragmatic, common-sense progress. When things seem like they can’t get worse, they usually get better.

Imagine for a moment a world where…

  • The next Equifax would get evaluated against a common, standard set of best practice criteria.
  • Their level of culpability would be proportional to their level of preparedness.
  • NIST became the scorecard against which they are measured. A cyber Consumer Reports.

Imagine for a moment a world where…

  • This was all part of a plan for national cybersecurity awareness.
  • This was taught like civics once was, part of being a good citizen in a connected world.

Imagine for a moment a world where…

  • All smartphones and connected devices came with age-appropriate cyber education required before using the device.
  • Banks and brokers gave discounts to customers who take regular security training. More informed customers do fewer dumb things, leading to fewer claims, losses, etc.
  • Businesses made cyber understanding part of the interview process.

Pipe dream? Maybe. Leaning on NIST as THE Framework is a step in the right direction at a time when it often feels like we’re wandering lost in the wilderness.