The US government's cybersecurity efforts are getting "squishy." And this is a good thing.
This week Fordham University hosted a panel discussion to increase awareness of and review the progress of the President's Critical Infrastructure Framework. Panelists included Samara Moore, director for cybersecurity critical infrastructure protection for the White House National Security Staff; Jenny Menna, director of stakeholder engagement and cyber infrastructure resilience for the Department of Homeland Security; and Jon Boyens, senior advisor of information security for NIST.
Unlike many of the government's efforts in the past, this framework is not a checklist. Moore said very clearly that they are not aimed at 100% security, but rather on managing risk. They are focused on outcomes, not how to achieve outcomes. Also, the framework is not a recipe for new compliance woes.
"The aim is not to expand regulation," said Moore. The goal is to harmonize with existing regulations, issued by both government and private entities, instead of creating new ones.
Use of the framework is also largely voluntary. While the CISOs of the nation's critical infrastructure -- and the ecosystem of organizations that support the critical infrastructure -- are encouraged to share threat intelligence with the federal security agencies, it is not a quid pro quo system. You can receive some of the government agencies' tactical threat intelligence even if you don't tell them a thing.
So the government is behaving more like a good neighbor than a taskmaster or a bean-counter. That's nice if you're a CISO who wants to spend your security budget on, you know, security, as opposed to arduous compliance efforts. However, it does make it harder to measure success.
The panelists explained that developing an effective way of measuring success is an ongoing effort, but in the meantime they're assessing the framework on soft grounds. Is the market beginning to make procurement decisions based upon a company's adherence to recommendations made in the framework? Are more organizations sharing threat information with the government or with one another?
Moore acknowledges that this is "squishy," but she stressed that they want only meaningful measurements, not another dashboard of numbers for the sake of numbers.
Personally, I find this approach refreshing. What do you think? Without teeth or numbers, will this effort be purely academic? Have you begun to share threat intelligence with your partners or the government? Let us know in the comments below.