The Government Has Invested in Incentives to Protect Your Organization From Cyber Terror—Are You Taking Advantage?
With new headlines almost every day on cyberattacks increasing in frequency and scope, when will the government be concerned enough to take real action?
The federal government is doing a great deal more than you think. The cyber terrorism threat to the economy and infrastructure of the United States is so significant that it is difficult to comprehend. The highest reaches of the U.S. government understand and acknowledge this, even though their concern may not be obvious. To begin with, it is important to remember that among the many freedoms we enjoy, one is to be left alone. The government can’t really tell a private company what to do and how to protect its business from cyber terror. So, what can the government do?
By Executive Order in 2013, President Obama directed the National Institute of Standards and Technology (NIST) to create a new cyber standard and develop a comprehensive plan to protect the national economy from cyber terror. Directives such as this usually wind up on the dust heap of interesting ideas, but in this case, the opposite happened. NIST set about to bring in not just agency staffers and government rule makers; they sought advice and counsel from academia, business, government agencies and the public at large. NIST was so successful that they involved over 3,000 participants in the development of the NIST Cyber Security Framework (NIST CSF). This was a herculean effort to make the very best offering possible, free from industry, government and academic prejudices. The first official NIST CSF standard was published on February 12, 2014, recommending businesses adopt and adapt it to individual business needs and risks.
A realization hit home for NIST in their CSF development process. Committing most of the time, money and effort to perimeter and intrusion detection technologies is not a winning strategy, because about 80% of all major breaches are a result of human error. In answer to those realities, the NIST CSF seeks to ensure that the right people, processes, and policies are deployed, supporting not only a secure perimeter but a cyber-conscious culture in which internal operations and third-party risks are managed carefully.
The NIST CSF is upgraded and changed on a continual basis, still with the open participation of several thousand interested parties. This atypical process will assure that the NIST CSF continues to evolve into the most meaningful and accurate standard of cyber resilience best practices. Not only are most states following the example of the Feds, but a recent report also shows support for its adoption growing in Japan and the rest of Asia.
May 11th marked the government’s next chapter in cyber maturity. By executive order, President Trump directed all federal agencies to adopt the NIST CSF standard, and to perform and deliver a risk assessment report and plans for improvements to the Office of Management and Budget. Further, agency heads are to be held directly accountable for implementation and maintenance of these standards. This extraordinary order forced two things to happen: (1) by holding the agency heads responsible, there is a strong probability the process will actually go forward; and (2) by engaging the full U.S. government, and because the federal government has the largest computer complex in the world, the NIST CSF will become the most widely used standard for cyber maturity and resilience.
This broad application of the NIST CSF will create the most significant repository of standardized internal risk information for future research on cyber threats and on best practices for policy, process and personnel risks. Organizations are likely forming now to begin fostering advanced research into effective cyber resiliency to protect the economy from cyberattacks.
Perhaps the federal government’s most significant incentive for focusing attention and resources on cyber risk mitigation is the application of the SAFETY Act to limit the liability of businesses that use the NIST CSF. At this time, only three companies offer products and technologies that include the protections offered under the SAFETY Act. The use of a SAFETY Act “Designated Technology,” such as Cybernance, for implementing the NIST CSF assessment provides multiple levels of protection to companies and their officers and directors from third-party actions in the event of a breach or cyber terror, up to and including full immunity from suit:
- Protection #1: National Standard – Cybernance allows for assessment and monitoring of 400 controls based on the gold-standard NIST Cyber Security Framework, and enables company leadership to review organizational progress in board meetings.
- Protection #2: DHS-Vetted Technology – Using a DHS-approved internal control system like Cybernance for managing cyber risk provides a strong legal defense against a suit alleging negligence. Approval for SAFETY Act designation is a challenging process that can take as long as a year.
- Protection #3: Liability Protection – When a SAFETY Act designated platform was in use prior to a declared cyberterrorism event, the board and executives are fully protected against liability, since the liability passes to Cybernance.
The U.S. government’s actions have created an unprecedented set of protections for the economy of the country. By executive order, the government has led the creation of the most significant Cyber Security Framework available in the industry. By another executive order, the NIST CSF has become the most respected cyber standard in the world, continually improving and maturing through the NIST working groups. Lastly, and most importantly of all, the creation of the SAFETY Act provides the highest levels of protection from liability for any company and its officers and directors. The solution to this mess is really that simple.