A major business group representing all critical infrastructure sectors — including energy, telecom and financial services — is rallying behind an industry-led, voluntary approach to cybersecurity that industry believes is threatened by tighter government controls.
Industry’s goal is to promote the 2014 framework of cybersecurity standards as the basis of the nation’s strategy in cyberspace. This is the centerpiece of a planned, high-profile business initiative in support of a nonregulatory approach to cybersecurity.
“Our primary interest is to ensure the framework remains a foundational mindset for [government and industry] stakeholders and that we provide input that’s helpful for the next administration,” said Robert Mayer, vice president of the U.S. Telecom Association and co-chairman of the Multi-Association Framework Development Initiative.
The initiative, known as MAFDI, is co-chaired by Information Technology Industry Council Vice President John Miller and includes 32 U.S.-based trade associations.
The group met last week and heard from senior Commerce Department official Clete Johnson.
Johnson, a former star defensive back at Harvard, used a football analogy in describing the cybersecurity framework as “a playbook, not a checklist,” according to Mayer.
But regulatory agencies are increasingly viewing it as the latter, according to business representatives.
“We’re definitely seeing far more regulatory drift that is counter to the intent and essence of the framework,” said Larry Clinton, president and CEO of the Internet Security Alliance and a member of the MAFDI group.
“We’re seeing more of that from independent federal agencies and in the states,” Clinton said, and even at places like the Pentagon. “It’s a real problem.”
Industry has recently seen a 30-40 percent increase in what Clinton refers to as “compliance costs” tied to various government cybersecurity mandates, he said.
“There is a real increase in regulatory burden built around uses of a framework that wasn’t intended to be regulatory,” Clinton said.
The framework was built in a collaborative government-industry process begun in 2013 and directed by the National Institute of Standards and Technology. One of the key buy-ins for industry, when asked to participate in that process, was that they would be constructing a voluntary tool that companies could adjust to their own cybersecurity needs.
Now, however, a variety of agencies are taking the elements of the NIST framework and telling companies they must implement them.
Clinton called for greater leadership “from the White House on down” to explain throughout government “in clearer and more forceful language what this framework is.”
“An uncoordinated, run-amok process is going to undermine the very good work that went into the framework,” he warned. “If the framework ends up as a Trojan Horse, it could kill the partnership model.”
For its part, the MAFDI group is eager to see the Commerce Department “play a central role in promoting the framework,” Mayer said.
And MAFDI wants the new presidential Commission on Enhancing National Cybersecurity to embrace the NIST framework as a foundation of the U.S. cybersecurity strategy.
“We’d like to see that reflected in the recommendations for the next administration” that the commission is due to produce in December, he said. The commission met last week in New York City.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.