Senate Committee: Does NIST cyber framework go far enough?
Members of the Senate Commerce Committee challenged a panel of public and private experts Wednesday on whether the National Institute of Standards and Technology’s cybersecurity framework does enough to protect the nation’s critical assets and infrastructure.
While the panel was complimentary of the groundwork NIST has laid, a number of Democrats pressed on whether more needs to be done in the wake of growing attacks, like those on Sony Pictures and Target.
“I believe there needs to be greater government direction, legislative involvement, for the moment,” added Sen. Richard Blumenthal, D-Conn.
Sen. Bill Nelson, D-Fla., the committee’s ranking member, said while he approves of NIST’s work, he is troubled by the lack of information detailing how many companies have adopted the guidelines the framework sets forth. Nelson pushed Ann Beauchesne, vice president of the U.S. Chamber of Commerce’s National Security and Emergency Preparedness Department, to detail how the framework is being used.
“How can you say that everything’s working, as you testified?” Nelson asked Beauchesne after she said that the framework’s rollout and development have been a success.
Beauchesne told Nelson she didn’t have an exact number of companies that use it, but she said each one she’s talked to is “highly interested” in the framework, given the incentive in protecting their customers’ and their own information.
The framework was created after President Barack Obama’s Executive Order 13636 — Improving Critical Infrastructure Cybersecurity — directed NIST to work with the private sector, which owns and operates more than 85 percent of the nation’s critical infrastructure, to develop a voluntary set of guidelines and best practices for reducing cyber risks.
“Voluntary” was a key word during Wednesday’s hearing, as private sector witnesses cautioned against any sort of regulatory framework.
Jeff England, chief financial officer of Wyoming-based telecom company Silver Star Communications, told the committee the framework allowed the company to create a better cybersecurity profile.
“It forced us to communicate at all levels within the organization at a level that had not previously existed before,” England said.
He went on to suggest that any sort of regulation would actually be a detriment to the practices the framework sets forth, creating a “minimum-standard environment” that would lead IT teams to a “checklist approach.”
“A checklist approach is undesirable in this space,” England said. “A minimum set of standards puts perpetrators on alert to where they should be focusing their attention.”
The regulatory approach that England fears could be coming from one of the committee’s members: Nelson introduced a bill that would require companies to notify customers and the government of a data breach no later than 30 days after discovery and would task the Federal Trade Commission to come up with a nationwide standard for data security. The bill comes as President Barack Obama made cybersecurity one of the key tenets of his State of the Union address last month.
While Nelson said he appreciated England’s company’s diligence, he’s more worried about the national security implications of a rise in high-profile attacks.
“If a saboteur came and blew up an electric plant here, that would be an attack upon America,” Nelson said. “Well, a cyber attack can do the same thing. It’s coming whether it’s in the form of an electric plant or a business grid or a water system. Whatever is going to try to inject economic pain and terror into the American people, those attacks are upon us right now, and sooner or later they are going to be successful. It’s not a question of if, it’s a question of when is it going to be successful?”