Cybersecurity Risk Management: Cybersecurity Symposium Recap—What You Need to Know
Privacy and Information Security Alert
Author: Joe Bird
In connection with the National Institute of Standards and Technology's ("NIST") issuance of the proposed Cybersecurity Framework, Bloomberg Media and Symantec co-hosted a symposium on cybersecurity in Washington, D.C. Comments regarding the proposed Framework were presented by government leaders at the highest levels, including National Security Agency (NSA) Director Keith Alexander, Deputy Assistant Secretary of the Treasury for Financial Institutions Katheryn Rosen, and the President's cybersecurity czar, Michael Daniel. Industry trade group representatives who spoke included Financial Services Roundtable CEO Tim Pawlenty, American Bankers Association vice president of risk management Doug Johnson, Information Technology Industry Council CEO Dean Garfield, and Internet Security Alliance CEO Larry Clinton.
The panelists discussed the process that had led to the Framework as well as industry questions and concerns about it. The director of the NSA asserted that there is a critical need for Congressional action on how the NSA can share threat information with private industry so that industry can protect itself. For example, when a government agency finds a "bad packet," under what circumstances can the agency pass that information on to industry in real time? The Snowden affair, though, has reduced the likelihood of Congressional action.
Financial industry representatives discussed the need for Congressional action to provide limitations of liability, exemptions from Freedom of Information Act requests, protocols for industry and government agencies sharing threat information, and government. Although there have been many distributed denial of service attacks recently in the United States, no U.S. financial institution has suffered large-scale data destruction like that inflicted on oil company Saudi Aramco in 2012 and on South Korean banks in 2013. U.S. financial institutions believe such attacks are likely within the United States in the future. Even so, financial institutions are much further along in implementing effective cybersecurity practices than other industry groups.
Telecom and internet industry leaders stated a need for uniform federal standards on personally identifiable information, citing different rules in 40 states.
Finally, some industry representatives expressed concern that a company's failure to comply with the standards adopted in the Framework would create legal liability. Thus, a company with an Internet presence needs to study the adopted standards to make sure it has complied with the Framework's security measures. No data system is impenetrable, so intrusion must be assumed and expected. A company will be judged by how it identifies, responds to, and recovers from such attacks.
See also: The Federal Cybersecurity Framework Is Almost Here.