You remember them from school – the popular kids. Everyone wanted to be in their circle. Everyone wanted to be associated with them. If you were with the popular kids, you were cool.
Cybersecurity is the popular kid in Washington now. Legislators and regulators are wrangling to be in the popular kid’s aura, and what this means is that many different agencies are developing cybersecurity initiatives and tools. Is this a good thing? Perhaps. Is it confusing for manufacturers? Absolutely. As more agencies rush to set up cybersecurity programs, manufacturers are often left wondering which one applies to them.
Let’s start off with a “quick” rundown of interests:
Department of Homeland Security (DHS) – has been at the forefront of cybersecurity, as one would expect, and it provides some very useful tools for the private sector to measure risk management, such as:
- The United States Cyber Emergency Readiness Team, known as US-CERT, responds to incidents, provides technical assistance to information system operators, and disseminates timely notifications regarding current and potential security threats and vulnerabilities.
- The Industrial Control Systems Cyber Emergency Readiness Team, known as ICS-CERT, does similar work as the US-CERT, but concentrates on industrial control systems.
- The National Cybersecurity and Communications Integration Center, better known as NCCIC (“N-kick”). Both ICS-CERT and US-CERT are part of NCCIC, a 24/7 operation whose mission is cyber situational awareness, incident response, and serving as the national nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement. The NCCIC shares information between the public and private sectors to provide greater understanding of cybersecurity and communications situational awareness regarding vulnerabilities, intrusions, incidents, mitigation, and recovery actions.
Other institutions holding interests in cybersecurity include:
- The Department of Energy (DOE). While it doesn’t have an NCCIC, it has developed tools that the private sector can use to measure risk management, and it provides seminars and tabletop exercises that bring together the private and public sectors in various cybersecurity threat scenarios.
- The National Institute of Standards and Technology (NIST) got a big boost from a 2013 presidential executive order. Part of the order required NIST to work with industry to develop a cybersecurity framework, which resulted in the Framework for Improving Critical Infrastructure Cybersecurity. Many in private industry believe this project was instrumental in bringing together various agencies (both federal and state) and the private sector. The framework has been used as a risk management tool by AFPM members.
And don’t forget the others: The FBI, US Coast Guard, Government Accounting Office, Department of Labor, Department of Defense, Department of Education, Department of Treasury and of course, Congress, all have an interest in cybersecurity.
It shouldn’t surprise you that everyone wants a part of cybersecurity. It’s new, dynamic, exciting, mysterious, cool – and everyone wants to be cool, right? However, redundancy is now a major issue. It is not uncommon for an agency to spend months developing a new risk management program or a proposed rule, only to find out that a similar one already exists at another agency. Asset owners are left with a menu of choices that rivals the size of a menu at a New Jersey diner. While choice is good, the asset owner is left wondering which option will work best for them.
The popular kid, called cybersecurity, isn’t going anywhere. If the government wants to have an effective working relationship with private industry in the area of cybersecurity, it needs to realize that each agency cannot act alone. Communication with a consistent, complete message is necessary. The NIST framework is a very good example of this process.