Thanks to a directive from President Barack Obama, NIST has released its Preliminary Cybersecurity Framework for critical infrastructure. Like most security frameworks it is fatally flawed. The framework is poisoned with Risk Management thinking, a nebulous concept borrowed from the world of finance and actuarial tables that simply does not work for cyber security.

The problem with frameworks in general is that they are so removed from actually defining what has to be done to solve a problem. The problem with critical infrastructure, which includes oil and gas pipelines, the power grid, and city utilities, is that they are poorly protected against network and computer attacks. Is publishing a turgid high-level framework going to address that problem? Will a nuclear power plant that perfectly adopts the framework be resilient to cyber attack? Are there explicit controls that can be tested to determine if the framework is in place? Sadly, no to all of the above.

Sometime in the late ‘90s, Risk Management started to infiltrate the thinking of corporate IT security functions, probably because audit departments and outside consultants such as PwC (where I worked in the past) had to convert a problem into language that CEOs and boards would understand. And there is nothing a consultant loves more than a framework for defining its expensive engagements.

Nassim Taleb, stock trader turned scholar and best-selling author, has disrupted thinking about Risk Management in financial systems. His main thesis is that Risk Management fails to predict, and even makes one more vulnerable to, what he dubs Black Swan events; in the context of critical infrastructure such an event is often referred to as a Digital Pearl Harbor.

IT security Risk Management can be summarized briefly:

1. Identify all assets

2. Rank business value of each asset

3. Discover all vulnerabilities

4. Reduce the risk to an acceptable value by patching and deploying defenses around the most critical assets.

And here are the problems with IT security Risk Management:

1. It is impossible to identify all assets. Even if a gas transport company could identify every PC, smart phone, tablet, router, switch, server, pump, controller, document, person, and pipe under its control, those would change on the same day that the survey was complete.

2. It is impossible to rank the value of each asset. Commercial enterprises, as opposed to government entities, are constantly optimizing the makeup of their assets. Those that are not critical to the business are eliminated, outsourced, or upgraded. Since it is impossible to know an adversary’s aims, it is impossible to know which asset will be important to them.

3. It is impossible to determine all vulnerabilities. Even if it were possible to scan and test every digital device in an organization, that exercise would only reveal known vulnerabilities. Every system has yet-to-be-discovered vulnerabilities. These are the vulnerabilities that sophisticated attackers, the ones that are going to target critical infrastructure, are going to exploit.

4. Trying to combine three impossible tasks to manage risk is impossible. You will never get to the point where you can say “our risk was X and we have reduced it by Y%.”

How can NIST’s Cybersecurity Framework be improved? By a change in thinking away from fictional Risk Management and towards real world Threat Response. Look at one statement from the Framework that comes so close to getting it right:

“Due to the increasing pressures from external threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk.”

If only this statement read:

“Due to the increasing pressures from external threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and responding to threats.”

Cybersecurity should borrow from national security if it is to be effective. National security is not based on Risk Management. It is based on threat response. The President does not get briefed by the DNI every morning on the nation’s critical assets, vulnerabilities, and risk metrics. He gets briefed on the activities of rogue nations, terrorist organizations and the latest military moves made by the Taliban in Afghanistan and Pakistan. He may then task the intelligence agencies to gather more information and build a picture of the threat actors’ capabilities and intent before determining to deploy counter forces.

When the NIST Cybersecurity Framework is completed it will, at best, become shelfware. At worst, Congress will eventually create a law requiring critical infrastructure operators to implement the Framework. Thanks to strong lobbying on the part of the regulated, the law will provide funding for implementation of the Framework, funding that will fill the pockets of audit firms and consultants. At the end of the day the risk of a debilitating cyber attack will have been reduced by exactly zero.