Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they're adopted, the order says, other agencies will encourage private companies, especially those running critical infrastructure, to use the standards. Regulatory agencies are expected to establish requirements based on the standards. And it is widely expected that the standards will drive negligence liability in the wake of a breach, since the courts are always glad to find government-endorsed definitions of “reasonable” security measures.
Now that NIST has released a discussion draft of its preliminary framework, business's worries are looking a bit overblown. And they're distracting from a much more serious threat buried in the NIST draft – the stealth imposition of a European-style privacy regime on the U.S. private sector.
Why? Let's look at the draft. (I would ordinarily link to the NIST webpage, which posted the framework weeks ago, but the administration's passive-aggressive shutdown strategy means that NIST took its website off line – very likely at greater cost than leaving it up. Luckily, Lawfare again proves itself the indispensable Blog of Record by preserving a copy of the framework here.)
The cybersecurity standards that everyone has been worried about turn out to be more taxonomic than prescriptive. You won't find a “shall” or a “should” anywhere in the appendix that sets out the framework. Instead, the framework is procedural to its core. The cybersecurity mission is divided into five steps: identify your network assets, put protections in place, detect breaches of your protective measures, respond to the breaches you detect, and finally recover and learn from the breaches. The five steps are in fact a loop, rather like painting the Golden Gate bridge: Paint until you reach the end, then start again from the beginning, incorporating any lessons you learned along the way.
That doesn't guarantee a good paint job – lazy painters can still skip spots, work too slowly, or use cheap, unsuitable paint -- but it does describe how a conscientious painter might do his job. The framework, in short, depends on the motivation and good judgment of the painter.
To be fair, the framework tries to give a bit of content to the Five Steps by defining each of them more precisely and by adding two additional layers of detail below each step. Thus, Detection is broken into three categories – screening for anomalies and events, continuously monitoring processes, and setting up detection processes to make sure breaches aren't ignored. And each of these subcategories is itself divided into four to eight subcategories. Thus, Continuous Monitoring includes subcategories like “perform network monitoring” in response to the detection of a breach. All in all, there are nearly a hundred subcategories in the draft framework.
The framework then drills down one more layer, identifying actual industry standards that correspond to each of the subcategories. At this point, you might think that the framework has identified several hundred tasks relevant to cybersecurity. In fact, though, the framework crossreferences the same five or six standards in every one of the nearly 100 subcategories it identifies.
So the NIST framework is certainly open to criticism. It offers less choice to industry than first appears. The framework may point to a hundred roads, but they all lead to the same five places. And when you get to one of those places, there's no certainty that you're safe. The framework tells industry only what boxes should be checked, not how carefully the job should be done. In a way it's a shiftless painter's best friend. And, perhaps, a good painter's worst enemy, since just skipping a box could lead to tort liability.
Still, the framework largely avoids substantive mandates, and its structure rebuts any suggestion that the subcategories are really requirements by providing several different standards that offer several different ways of interpreting each subcategory. I'm not personally convinced that this is a good thing, given the shiftless painter problem, but business groups that feared substantive mandates may be mollified.
If so, they'll be missing the real danger in this document. Because, while business has been concentrating its fire on the risk of cybersecurity regulation, it looks as though enthusiasts for sweeping privacy regulation of industry have stolen a march on everyone. I'll cover that risk in a second post.