The National Institute of Standards and Technology released an update to the Framework for Improving Critical Infrastructure Cybersecurity this spring, the agency’s first such update since the Framework was published in 2014. Rep. James R. Langevin, D-R.I., is co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of both the House Committee on Armed Services and the House Committee on Homeland Security.
PBN: Why is it important for different sectors, such as academia and businesses, to partner on cybersecurity defense?
LANGEVIN: Cybersecurity is a challenge that everyone faces. Computers and other information technology are pervasive in every sector of the economy … no one has a monopoly on cybersecurity talent or techniques. That’s one reason it’s been so important for the National Institute of Standards and Technology to bring together a broad set of stakeholders to develop its cybersecurity guidelines.
In updating the Cybersecurity Framework, NIST consulted with experts from business, academia and government to develop guidelines that draw upon the unique experiences of people in each of these fields and ensure that the guidelines are applicable to any organization.
PBN: What has changed most since the Framework for Improving Critical Infrastructure Cybersecurity was first created?
LANGEVIN: NIST published a major update to the Cybersecurity Framework. … The new version improves some of the original technical guidelines and better explains how to manage supply-chain cyber risks. The Russian NotPetya attack, for instance, while originally targeted in Ukraine, has cost U.S. corporations [such as] Merck and FedEx hundreds of millions of dollars and was enabled by a supply-chain vulnerability.
Every business should think about how it works with its vendors and service providers and whether sensitive data may be inadvertently exposed. One of the biggest changes, though, is that NIST has made the Framework easier to use. An organization using the revised Framework will have more information to select the levels of cybersecurity it wishes to implement and to self-assess its progress in reaching those levels.
NIST has also worked to provide more resources to make the Framework immediately relevant to small and medium businesses, which often do not have dedicated risk managers. Beyond the content of the Framework, a lot has changed with respect to awareness and adoption since it was first published in 2014. The word has gotten out.
PBN: In a press release recently, you said: “Cybersecurity is not just a technical issue, and an understanding of the economics of controls is essential if we expect companies to adopt them voluntarily.” Can you elaborate?
LANGEVIN: Of course, technology is at the core of cybersecurity. In a broader sense, however, cybersecurity is just part of risk management. Businesses generally excel at assessing competitive and market-driven risks, [such as] the risk that a disruptive technology will reduce demand for their product or service.
Unfortunately, we still lack the ability to describe cybersecurity risks in similar business terms. The NIST Cybersecurity Framework describes steps organizations can take to reduce their risk, but that guidance needs to be coupled with better cost-benefit information to help executives – and board members – prioritize cybersecurity investments.
PBN: What do you think is most generally misunderstood about the topic of cybersecurity?
LANGEVIN: There are, unfortunately, some who believe they have nothing to worry about because no malicious cyber actor has a reason to target them. Conversely, there are doomsayers who insist that no amount of cybersecurity will protect you from a determined adversary. The reality is somewhere in between.
There are basic defensive steps – often called “cyber hygiene” – that we should all take to improve our cybersecurity. Using unique passwords (or, even better, a password manager), keeping software up to date with patches, maintaining offline backups of valuable data and scrutinizing links in emails or texts before clicking on them are a few examples. Everyone should realize that they’re a target. But they should also feel empowered to take steps to protect themselves.
PBN: What more needs to be done?
LANGEVIN: One thing I hear over and over again is that we need to strengthen our cybersecurity workforce, because the demand for cyber skills in every sector is staggering. That’s why I’ve been proud to introduce and co-sponsor several bills to expand cybersecurity scholarships, apprenticeships and training. I also believe we need a national standard for notifying consumers when their private data has been breached, which is what my Personal Data Notification and Protection Act would provide.
Susan Shalhoub is a PBN contributing writer.