Feb 12, 2014 - 2:00pm

Cybersecurity Framework: A Good Start, But More Work Ahead


By Matthew J. Eggers, Vice President, Cybersecurity Policy, Cyber, Intelligence, and Security Division, U.S. Chamber of Commerce

Today, the White House released version 1.0 of the much-anticipated Cybersecurity Framework, capably developed over the past year by the National Institute of Standards and Technology (NIST) and the private sector. It’s rather constructive that the presidential order of last February on cybersecurity gave NIST the task of coordinating an environment where standards and security specialists identify existing cybersecurity best practices and guidance throughout industry sectors and promote their implementation.

Throughout this yearlong process, NIST has treated the business community as a genuine partner and tackled a tough assignment in ways that should serve as a model for other agencies and departments.

While NIST’s contribution to the framework is noteworthy, more work is needed by policymakers and lawmakers to help businesses protect their systems and assets against sophisticated and nefarious actors, including organized criminal gangs and groups carrying out state-sponsored attacks. Here are some top areas of focus:

Information sharing: The executive order rightly elevates the importance of exchanging information between the public and private sectors and calls on government officials to produce timely reports on cyber threats to specific targets, such as critical infrastructure. This is a positive development, but most would agree that government-to-business sharing is still a work in progress. The framework will be fundamentally incomplete without the enactment of information-sharing legislation that is backed by industry. We need policies that foster public-private partnerships—unencumbered by legal and regulatory penalties—so that individuals can experiment freely and quickly to counter evolving threats to U.S. companies.

Harmonization over regulation: Administration officials have “heard a clear call on harmonization” regarding the regulatory aspects of the framework. But regulatory agencies and departments still haven’t reported to the White House (owing to the government shutdown) on the “sufficiency” of existing cybersecurity regulations. Instead of setting requirements that will be outpaced by the latest threats, government officials should assure companies that the framework will remain collaborative, flexible, and innovative over the long haul. Business and government will overcome cybersecurity incidents by quickly adapting and learning from each other, not by punishing the victims.

Dollars and cents: Using the framework could be quite expensive for small and midsize businesses, and several of the proposed incentives for encouraging its adoption aren’t ready for prime time.

Deterrence: Policymakers need to focus more intently on giving businesses and government the tools they need to increase costs of malicious cyber activity. Hacking U.S. businesses should not come without penalties on bad actors. The United States needs to thoughtfully shift the costs associated with advanced cyberattacks in ways that are timely, legal, and proportionate relative to the risks and threats. Businesses should have a menu of legal options at their disposal, sending a credible message that cyberattacks on industry will not be tolerated.

NIST and industry experts produced a smart framework that cybersecurity stakeholders can take pride in. This tool provides a common language around information security and risk management activities. Government and business entities need to leverage it to strengthen collective security and resilience and make ongoing improvements.

About the Author

Matthew J. Eggers is vice president of cybersecurity policy in the Cyber, Intelligence, and Security division at the U.S. Chamber of Commerce.