Business lobbying groups are pushing back on plans by federal scientists to add third-party measurement of cybersecurity to a voluntary framework designed to help private companies improve its defenses against hackers, cybercriminals and online spies.
A draft proposed revision of the National Institute of Standards and Technology’s Cybersecurity Framework, to be known as version 1.1, includes a new section on “measuring and demonstrating cybersecurity.” But public comments filed by business groups voice concern about what metrics should be used for measurement and how public that demonstration ought to be.
“Measuring state and trends over time, internally, through external audit, and through conformity assessment, enables an organization to understand and convey meaningful risk information to dependents, partners, and customers,” reads the introduction to the proposed new section.
One of the complaints about the framework — which is generally recognized as a useful tool for companies looking to improve their online security — is that there are no ways to measure its implementation. Organizations trying to implement the framework don’t really have any way to tell whether they’re doing it right. On the other hand, there’s little consensus among experts about what measurements should be used to grade a company’s cybersecurity. “Metrics are being vigorously debated in cyber policy circles,” states the U.S. Chamber of Commerce, in its comments on the new draft.
The Internet Security Alliance — a trade association that represents cybersecurity, defense, aerospace and research companies, and has members from the retail, banking and insurance industries as well — said in its comments that the NIST draft “itself acknowledges the difficulty” of developing metrics. Especially because the draft proposes measuring it through business outcomes.
“There are a large number and variety of contributing factors to a given business objective,” acknowledges the draft, “The effect of cybersecurity outcomes on a business objective may often be unclear.”
As an example, the NIST authors give a bank increasing sign-up for its online services by improving security through offering two-factor identification. But the draft admits that any increase in sign-up might be due to a host of different factors, including successful marketing strategies.
In the end, the ISA comments state, the new section “asks the impossible of already over-burdened cybersecurity organizations, and that is to quantify their effect on the success of business objectives” in the company as a whole.
Another area of concern is the extent to which the proposed measurements might be made available to regulators and the public.
The U.S. Chamber says in its comments that it actively “supports businesses using data to understand the status of their organizations’ information security programs.”
But it adds these data should be “held closely by a business and shared only protectively with trusted third parties.”
The concern is, explain the ISA comments, that such measurements or audits “may open the door to mandatory or quasi-mandatory compliance regimes,” as regulators make them part of rules or even guidance.
The Chamber adds that “industry actors should never be compelled formally or informally to disclose metrics to third parties. Businesses may want to restrict sensitive information to certain recipients. Analysts, investors, security researchers, and regulators should not be given metrics unless the business agrees to publicly disclose them.”
The new section on measurement is also criticized by McAfee and Intel, in their comments, where they argue that the measurements challenges are so severe they might stop some companies using the framework altogether.
The current wording, they say, “requires all organizations using the measurement aspects of the framework to design their own measurement system. This is a very difficult task even for mature cybersecurity programs, and the challenges of meeting this requirement could easily dissuade organizations from utilizing the framework altogether.”
The two companies also join a growing chorus calling for a new section in the framework on vulnerability disclosure, to help companies set up a process whereby security researchers, white hat hackers and others can confidentially report cybersecurity vulnerabilities they might find.
“There is a common misconception that vulnerability disclosure processes are only for [IT] product vendors,” the comments state. Yet, “Vulnerabilities exist not just in products but potentially in an organization’s deployed infrastructure as well. It is important to provide a known channel for entities outside the organization to report issues in a private and structured way.”
The calls echoes one in comments from a much larger cybersecurity coalition, including companies like Bugcrowd, HackerOne, Rapid7, Symantec and Tenable; and digital advocacy groups and think tanks including the Center for Democracy and Technology, the Electronic Frontier Foundation, and New America’s Open Technology Institute, among others.
“Processes for receiving, reviewing, and responding to vulnerability disclosures should be considered a basic, and relatively easily achievable, component of modern cybersecurity plans,” the comments read.
The comment period closed Monday, and NIST spokeswoman Jennifer Huergo said roughly 140 sets of comments had been received in total. Only 10 are posted on the website so far, but she said the remainder would be posted by the end of next week.
NIST will convene a workshop at its Gaithersburg, Maryland, headquarters May 15-16, to discuss the new draft, and hopes to have version 1.1 of the framework finalized by the end of the year.