With an increasing number of cyberattacks directed against the United States, the need for a comprehensive national cybersecurity policy is critical. So far, this effort has amounted to guidance issued by the federal government, often without Congressional approval and without any mandates on the private sector. Because most of America’s critical infrastructure is in the hands of private entities, this must change. Corporations have largely pushed back against any cybersecurity mandates, and without official legislation the “relationship between businesses and the government has been mostly all carrot and no stick” (Ravindranath, 2015).
As a result, the federal government has become increasingly proficient at using the carrot. This comes in the form of government entities such as the National Cybersecurity Center of Excellence, an organization with the lofty goal of working with businesses to improve their cybersecurity posture, often by helping them find commercially available technology. Similarly, the Commerce Department’s National Institute of Standards and Technology (NIST) has spent the last few years churning out reams of policy papers advising best practices for virtually every area of information technology. These publications are increasingly seen as seminal works in the field of computer security, with their guidance being implemented by a growing number of private organizations alongside their public counterparts.
One of NIST’s most comprehensive and widely utilized guides is Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations). In this 500-page publication, the Commerce Department’s regulatory agency details a framework for designing an organizational cybersecurity policy. The publication goes further by discussing 17 security control categories and then detailing over 250 individual security controls that organizations should consider implementing.
All of this adds up to an impressive body of work that no one outside the federal government is required to abide by. It would appear, however, that some private entities see the benefit in adopting a standard set of cybersecurity principles.
“Last week, Department of Homeland Security’s cybersecurity and communications office’s chief technology officer, Peter Fonash, said businesses need to be able to exchange up-to-the-minute threat information with the government for instance. Dodson said her team is working to hand over some projects to the private sector. For instance, NIST’s Center for Excellence jump-started the Identity Management Ecosystem Steering Group, which aims to combat fraudulent online identities, beginning in 2012. Today, the group is made up of commercial companies, including Microsoft and IBM. That group is meant to serve as a forum in which members can discuss and implement better ways to conduct and verify online credentials and transactions” (Ravindranath, 2015).
References

NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, Revision 4). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Ravindranath, M. (2015). NIST official: Businesses need to take more responsibility for cybersecurity. Nextgov. Retrieved from http://www.nextgov.com/cybersecurity/2015/05/nist-official-businesses-need-take-responsibility-their-own-cybersecurity/113332/