House Holds Cyber Threat Hearing as NIST Begins Preliminary Work on Cybersecurity Framework

Panelists at a House hearing on Tuesday held to examine steps the federal government and private sector are taking to bolster the nation’s critical infrastructure security shed light on the extent and variety of possible cyberattacks and called for flexible solutions. The hearing was held days after the National Institute of Standards and Technology (NIST) released its initial analysis of hundreds of comments submitted in response to President Obama’s February 2013 cybersecurity executive order.

Regulatory and legislative efforts to secure the nation’s critical infrastructure have been stepped up in recent years as the volume of threats has increased. Last week, the Department of Homeland Security testified at the House Committee on Homeland Security that in 2012, it processed more than 68% more cyber-incidents involving federal agencies, critical infrastructure, and other select industrial entities than in 2011.

The House Committee on Energy and Commerce hearing on Monday titled, " Cyber Threats and Security Solutions," included a broad range of witnesses, including John McConnell and Ambassador James Woolsey, who are respectively the former directors of National Intelligence and Central Intelligence. In a short statement for the record, McConnell warned that the nation was at "strategic risk" from "cyber war" and "cyber terrorism," as well as "cyber economic espionage." He warned that "without needed cyber security legislation to frame and force full cooperation across the government and the private sector, we will not achieve the required level of cyber security capabilities to protect the nation of its interests."

What would be required at minimum to help thwart those threats is that the U.S. government should share information, even if sensitive or classified on the basis of national security, with the private sector in this new era of global cyber threats, McConnell said. He noted that a bill addressing this issue is being prepared by the House Permanent Select Committee on Intelligence.

Industry should also adopt higher cyber security standards, but lawmakers should incentivize the private sector to adopt and use these higher standards. Privacy concerns should also be immediately addressed by legislation that makes collection of information about U.S. citizens without appropriate authorization and oversight illegal, he said.

Executive Order a Step in the Right Direction

The president’s executive order "is an important step in the right direction," as Dr. Michael Papay, who is the chief information security officer at Northrop Grumman Information Systems, told the House committee, but its success would be determined by the effectiveness of the individual agencies’ efforts in implementing assigned responsibilities. "We must be mindful, however, that our nation’s cybersecurity cannot be fixed with one law or policy change. Effective cybersecurity policies should be risk- based and as adaptable as the threat itself, he said.

Energy facilities were increasingly becoming targets of "cyber bad actors," and the types of attacks they suffered ranged widely confirmed Dr. Phyllis Schneck, who serves as chief technology officer at Intel company McAfee Inc. "Attacks on energy companies can be subtler than seeking to destroy physical facilities; they can be targeted toward gaining sensitive IP (a type of cyber espionage), or they can be extortion (80% of power companies in Mexico, 60% in India say this is most common cyberthreat)."

Schneck warned, however, that regulation can be "overly specific" about a technology and could end up hindering companies than helping them. He recommended instead the adoption of a faster review process—possibly every year—and that regulations be outcome-based.

Industry and Government Already Cooperating

Representing the National Rural Electric Cooperative Association, Duane Highley, who is the president and CEO of the Arkansas Electric Cooperative Corp. pointed out that power sector entities that own or operate assets on the bulk electric system were already required to adhere to one or more the North American Electric Reliability Corp.’s (NERC’s) nine cybersecurity standards (known as Critical Infrastructure Protection [CIP] standards) and cybersecurity standards mandated by the Nuclear Regulatory Commission. Covered entities found in violation of the CIP standards could be subject to fines as high as one million dollars per day per violation, he noted.

But industry recognized, as many panelists had testified, that not every threat or vulnerability could be addressed in a standard, and that many utilities participate in the Electric Sector-Information Sharing and Analysis Center (ES-ISAC), which is operated by NERC. The ES-ISAC disseminates threat indicators and warnings through a secure NERC portal. It was key that NIST take account of this "innovative and cooperative" approach the power sector and the federal government were now pursuing as it formulated its framework, Highley said.

NIST Prepares A Cybersecurity Framework

Echoing panelist testimony from the Monday hearing, NIST’s 33-page paper released on May 16 titled "Initial Analysis of Cybersecurity Framework RFI Responses" shows that a majority (81%) of received responses advocate the use of risk-based approaches rather than compliance-based approaches. “The IT Security budget is a zero-sum game, every dollar spent on compliance is a dollar not spent on risk-management. Therefore, balancing the need to deploy risk-appropriate security controls against deploying those mandated by regulatory or contractual obligations is one of the greatest challenges to improving cybersecurity practices," writes one commenter. Several commenters also push for a framework that avoids duplicate standards, like those contained in NERC-CIP standards.

More than half of the responses received also address privacy and civil liberties issues. Privacy safeguards are vital to cybersecurity, another commenter says, adding that "protecting individual privacy keeps cybersecurity efforts focused on robust efforts to secure cyberspace." About 65% of the responses relate to impacts of the framework on global and international operations. Some respondents say the framework could become a global reference for cybersecurity policymaking and that international standards should be considered.

Meanwhile, nearly 36% of the responses concern framework flexibility. Many respondents advise against a "one-size-fits-all" approach for all circumstances, while others warn that a framework that is too flexible could fail to provide effective standards. Among several common points identified in the paper are concerns about the lack of useful threat intelligence and suggestions that government should educate industry participants about their roles in enhancing cybersecurity. Some respondents also point out that mission and system resiliency should be given extra attention.

President Obama’s "Improving Critical Infrastructure Cybersecurity" Executive Order, issued on Feb. 12, 2013, calls on NIST to work with industry to develop a voluntary framework to reduce cybersecurity risks to the nation’s critical infrastructure. NIST requested information on current risk management policies, existing standards and guidelines, and specific industry practices from stakeholders as a first step to drafting that framework. By the April deadline, it received about 243 responses. The responses outlined in the initial analysis are expected to be the basis of discussion at the second cybersecurity framework workshop scheduled later this month in Pennsylvania.

"The Executive Order requirement for the Framework to be developed within one year, with a preliminary Framework due within eight months, highlights this task’s urgency," NIST Director Patrick Gallagher told the House Committee on Energy and Commerce at a hearing on Monday.

Suvey: Voluntary Compliance is Lacking

A survey of 150 entities that own major parts of the bulk power system rolled out on Monday by Reps. Henry Waxman (D-Calif.) and Edward Markey (D-Mass.), meanwhile, suggests that though almost all utilities cited compliance with mandatory cybersecurity standards from the North American Electric Reliability Corp. (NERC) to protect against the Stuxnet worm, a majority had not reported compliance with voluntary standards.

Of the utilities that responded to the call for information from the lawmakers, 91% of investor-owned utilities (IOUs), 83% of municipally or cooperatively owned utilities, and 80% of federal entities reported compliance with mandatory Stuxnet standards, but only 21% of IOUs, 44% of municipally or cooperatively owned utilities, and 62.5% of federal entities reported compliance with voluntary ones.

Sources: POWERnews, NIST, House Committee on Energy and Commerce, Rep. Ed Markey

—Sonal Patel, Senior Writer (@POWERmagazine, @sonalcpatel)