The National Institute of Standards and Technology (NIST) and the White House continue efforts to improve private sector security and increase sharing of information about potential cybersecurity threats. Most recently, NIST released its Update on Cybersecurity Framework in December of last year, updating NIST’s Cybersecurity Framework of February 2014, and the White House released draft legislation that would provide private sector entities with greater protections and resources when sharing threat information.
The NIST Update presents commentary from the private sector concerning use of the Cybersecurity Framework. Comments ranged from the difficulties and uncertainty of using the Framework as a benchmarking tool (and possible regulatory consequences) to a more practical consideration of how NIST may be able to help entities better use the Framework.
Specific concerns were noted regarding:
- the “high-risk area” of authentication solutions;
- streamlining “indicator sharing,” including through solutions to overcome legal barriers;
- supply chain assessments;
- the state of the cybersecurity workforce; and
- privacy and civil liberty issues arising in connection with information sharing.
The Update does not attempt to specifically address all of these concerns, and states that no new version of the Framework should be expected for at least the next year. However, the Update does indicate that NIST will continue to support the development of resources to help organizations address their concerns.
The White House has renewed its push for Congress to take action on the significant cybersecurity issues that have become increasingly apparent in the past year. Part of this effort includes draft legislation designed to allow for better information sharing between private entities and the federal government. This draft legislation includes measures to promote and facilitate sharing of cybersecurity threat information among private-sector entities through “private information sharing and analysis organizations” (standards for which are to be set by a collection of federal agencies) and also with law enforcement and government agencies. The legislation would include liability protection for information shared with the National Cybersecurity and Communications Integration Center or with private information sharing and analysis organizations.
The White House’s proposed legislation (like the Update on Cybersecurity Framework) recognizes the importance of privacy and civil liberties issues relating to information sharing. Federal departments and agencies would be required to develop guidelines for the appropriate limitation, destruction, anonymization and safeguarding of information that could identify specific individuals.
The White House has also proposed amending the federal Racketeer Influenced and Corrupt Organizations Act and the federal Computer Fraud and Abuse Act to better address and provide redress for cyber-crimes.
With these and other initiatives, the Executive Branch continues to take the lead in the cybersecurity area in the absence of Congressional action. The developments will have significant practical implications for private entities, which are increasingly expected to take part in national efforts to protect sensitive information.