Threat Research Blog

Are NIST’s Cybersecurity Standards Driving Digital Security Policy?

In late October, the National Institute of Standards and Technology (NIST) released a cybersecurity framework in response to the Presidential Executive Order on cybersecurity. But what happens next? Policymakers, legislators, and pundits have taken an even greater interest in the safety of our systems and the targeted attackers who use and abuse them. So will Congress step in and develop legislation? Without Congress, will action take place? A panel of experts came together at MIRcon® 2013 to discuss the evolution of digital security policy.

MIRcon Panel Session on Digital Security Policy

Moderated by Pondera International CEO and Founder Kristen Verderame, the panel included Josh Alexander, Professional Staff Member with the Senate Select Committee on Intelligence; Tom Corcoran, Senior Policy Advisor for the House Permanent Select Committee on Intelligence; Stewart Baker, Partner with Steptoe & Johnson; and Paul Rosenzweig, Founder of Redbranch Consulting.

Tom Corcoran seemed optimistic that legislation on information sharing was possible. He acknowledged that two pieces of legislation already passed in the House had stalled in the Senate, but felt it was just a matter of time before there were results. To this end, Alexander assured everyone that the Senate is still hard at work and looking for ways to work around the privacy challenges raised by the Snowden affair.

So with legislation on the slow track, will the NIST standards move us forward to a more secure world, or are other factors more important?

The NIST standards offer four actionable areas: protect, detect, resolve, and analyze, with sub-layers offering further opportunity to refine cybersecurity protections. For example, detection is not a one-time check; it requires continuous monitoring.

For Stewart Baker, the NIST standards are important, but incentives to motivate better cybersecurity policies and procedures will be just as significant, because, as Rosenzweig pointed out, there is no prescriptive or opt-in element to the NIST standards. For Baker, measures such as preferential tax rates and insurance rate reductions will be the carrots needed to raise the level of cybersecurity engagement. However, even without the additional incentives, Baker is optimistic that the NIST standards may be an "offer we are unable to refuse." Only time will tell.