Building cybersecurity savvy lawmakers

securitycurve.com, 2017-11-03 (https://securitycurve.com/?p=651). Category: security. Tags: csf, nist.

So this morning, I came across [this article](https://www.meritalk.com/articles/senator-questions-validity-of-nist-cybersecurity-framework/). It describes a call to action, given by Sen. Sheldon Whitehouse (D-R.I.) at the FCW (Federal Computing Week) "Big Issues Conference", about the NIST Cybersecurity Framework (CSF). In general, it makes me feel better about the world that the sentiments in it are being expressed – and that this lawmaker considers it a "big issue". I care about security. It's refreshing that lawmakers do too.

However, "caring about it," while absolutely a fantastic starting point, is not – as a practical measure – good enough. The second step is doing something about it. And it's here where I start to have criticisms. Before I get into this in detail, I want to STRESS HEAVILY that I'm not calling any of this out to slam any particular political point of view… I also honestly happen to think that this lawmaker is most likely coming from a good place. So let me start by reiterating "props to him" for caring about the topic generally — and further "attaboys" for paying attention more specifically to the CSF and, by extension, the regulatory and security considerations for civilian agencies.

All that said, I do think there is "room to grow" in the specifics – and I level that criticism at all parties in this discussion. I think, if you unpack this discussion, it illustrates why it is incumbent on us, as an industry, to better inform lawmakers about security issues.

Here's what I mean. From the article:

> "The NIST Framework has never been adequately validated," Whitehouse said at FCW's Big Issues Conference on Nov. 1.
>
> Whitehouse said that he wonders whether agencies have accepted the NIST Framework because it's effective or because "compliance demands so little effort." Whitehouse said that the framework needs to be tested.
>
> One way to test the framework would be to assign a white hat hacking team to attempt to breach a system that's compliant with the framework.

There are two things going on here that I have criticisms about. The first is the use of "compliance" to describe the CSF. Yes, it is true that federal agencies have a regulatory obligation to use the CSF to manage cybersecurity risk (that's per the [May executive order](https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal)). For reference, it says: *"Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk."*

So the answer to why agencies accepted it? It's because they are required to.

However, there's more going on here. These same agencies have *also* been required to use the NIST Risk Management Framework (RMF) for nigh on the past decade (since 2010, to be precise about it). The CSF and the RMF are not the same thing. If there's a problem in the federal government – specifically civilian agencies – with risk management (spoiler alert: there is), the issue isn't the CSF. It's instead with compliance efforts more generally. Maybe it's that the RMF describes a risk management model that is at a level of sophistication beyond what most organizations are ready to meet ("in spirit" anyway) without significant work and investment — work they don't have the time or staff to put in and investment they're not getting. Or maybe it's that risk management is difficult to get right and pretty much nobody is doing it well as it is. Or maybe it's something else. But the core issue – and there absolutely is one – isn't the fault of the CSF.

Then there's the question of "compliance" with it in the first place. If you [read the CSF](https://www.nist.gov/cyberframework), you'll notice it's not about compliance. Like not even a little bit. From the framework:

> Building from those standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to: 1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; 5) Communicate among internal and external stakeholders about cybersecurity risk. The Framework complements, and does not replace, an organization's risk management process and cybersecurity program.

What exactly would "compliance" with that look like? That they use the common taxonomy? That they communicate or prioritize? The short version is that it's hard to imagine because it's not written in such a way that it's *about compliance* in the first place: it's not intended to be (per feedback from the community at large) and, as an artifact, it isn't written that way. SP 800-53 is arguably about compliance. The RMF is (arguably in concept, but for sure in terms of how it's used) about compliance. The CSF? It's about something else. The fact that we have made it be used the way it is belies a misunderstanding (I think) of what the document is for. A discussion about how best to use it that way is like me arguing with my neighbor about the best way to use a bottle of shampoo as a hedge trimmer. The whole conversation is flawed from the start. Should we choose to pursue the discussion to its logical conclusion, we might wind up with some compromise that lets you (with significant expenditure of effort) trim hedges, but wouldn't asking a landscaper the right way to do it be a whole lot more productive?

The second thing is the utility of drawing a line between a pentest and the efficacy of the framework. If you want to do pentests of federal agencies, I'm all over that. However, what you're testing, should you do so, isn't the utility (or lack of it) of the CSF. There are two reasons for that. One is that you could find numerous examples of places that use it that have terrible security – and examples of places that don't that have great security. The same is true of PCI – or HIPAA – or the Ten Commandments. When I was a QSA (PCI DSS assessor), we used to joke that "the difference between a compliant and a non-compliant environment is how hard you look". The same is true here. The second is that the measuring instrument proposed (pentesting) doesn't measure what you want to test (risk management practices). If you want to test patch management efficacy, application hardening practices, incident response capability, or any number of other things, a pentest could be a great way to do that. Risk management? Not so much. I will assume you know already why that is (since it would take me another thousand words to argue why this is true), so will allow it to stand on its own. But trust me, it's not a great instrument for that.

I could go on and pick at other things about the call to action, but I feel like I've made my point. The underlying current is that the executive branch and the legislative branch are having a detailed discussion about something that neither of them fully understands. Mandating the use of the CSF and RMF (simultaneously) for risk management isn't addressing the root cause people are concerned about. Mandating the use of the CSF at all misunderstands what it is for. Setting up pentests to validate their utility also doesn't solve for what's wrong.

How do you address these things? The first step is caring about the topic. We're there. The second step is having an informed, no-bullshit discussion about it. We're close to being "bullshit free" I think – or at least we're farther along than we were. That's good. Where we need work is on "informed". We're nowhere near "informed" yet. How do we get informed? We, as an industry, need subject matter representation at the table for these discussions. And I DO NOT mean more people who also don't know anything about the topic — but yet say they are "experts" [because of the Dunning-Kruger effect](https://securitycurve.com/dunning-kruger-marketing-and-why-intentability/). I mean people who really get it. I could list dozens of examples (Ron Ross, Ed Felten, Susan Landau, Gene Spafford) and I'm sure you could too. We as an industry need to put them forward — and politicians need to listen to them.