A Missing Link Between the NIST Cybersecurity Framework and the Critical Infrastructure Cyber Community Voluntary Program

Two weeks ago, I attended the DHS “Critical Infrastructure Cyber Community Voluntary Program” (CCubedVP) Energy-specific road show event in Houston, TX. In October, I participated in a similar but more regionally themed event in San Diego.  At both events I was disappointed at the attendance, but Houston was, in particular, a bit jarring.

Out of maybe 30-40 people in the room, only a few were actual asset owners and there was very little of the advertised “energy” focus that had been my primary reason for attending. For example, a panel billed as focusing on “Small & Medium Utilities” contained representation from a very large defense contractor (BAE), a 24 million customer regional operator (ERCOT), and a large industry association (INGAA) – but no small and medium utilities. Similarly, an “Information Sharing in the Electric Sector” panel contained no electric representation.

I’m not sure what was going on – the event was in Houston, a hub of energy and electricity – and it should have been more well-attended and the speakers more pertinent.  If nothing else, EnergySec was in the audience and we could have participated.

So what’s happening? I haven’t been participating in the CCubedVP program enough to know, but I can speculate.

First, while I’m a fan of the program and think it’s a good vehicle for collaboration, pulling it off has got to be difficult for DHS. They had little direct say (that I’m aware of) in the content of the NIST Framework and were left, by the executive order, to try and field whatever came out of that process.  If you’re not familiar with it, CCubedVP is the DHS program tasked by the EO with:

Assisting “The enhancement of critical infrastructure cybersecurity and to encourage the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (the Framework)”.

More broadly, the CCubedVP program’s website says that:

The C³ Voluntary Program helps sectors and organizations that want to use the Framework by connecting them to existing cyber risk management capabilities provided by DHS, other U.S. Government organizations, and the private sector. At the time of launch, available resources will primarily consist of DHS programs, which will grow to include cross sector, industry, and state and local resources.

On its face, this should be an easy win; it looks like DHS is trying to make good on fixing something industry has very publicly criticized the government about for years: The need to reduce the multitude of confusing public/private cybersecurity interfaces.

I can get behind this. I am behind this.  But there’s a catch.

We have no framework for doing risk management or collaboration. We have not defined the cybersecurity problem space anywhere – certainly not with any authority or broad socialization.  One of the huge misses, in my opinion, of the NIST Framework was its focus on single-organization information security tactics.  That topic is, no doubt, very important, but it wasn’t really where we – as an industry, sector, nation, culture, or world –  were having problems.

Information Security has been progressing fairly steadily and successfully for decades now. It’s an established industry with established best practices.

What has been missing is the broader context. How do we make information security work for us, sustainably, collaboratively across organizations, to strategically reduce organizational and environmental risks stemming from Internet-connected information and control systems?  We don’t know, and we haven’t really made a concerted effort yet to find out.  We have programs – most recently the CCubedVP program – but no common frame of reference. There is no discipline of “cybersecurity,” only a grab bag of efforts that are loosely related to the more formalized discipline of information security.

When the executive order came out, I really hoped that the NIST Framework would end up helping us to answer the “cybersecurity” question and help provide a context for us all to effectively move forward together.  Instead, it re-stated answers to the “Information Security” problem space and, while having that standardized set of building blocks to work with is valuable, it leaves us stranded in the larger problem space just where we were.

I’ve said before that I think the NIST Framework is, for what it is, an effective flag, but it’s not enough and the empty seats and panel misses at the CCubedVP event are clear evidence of this.

Of course, industry is always free to move this particular ball forward themselves if they want. I hope they do.

It looks like the Cybersecurity Framework Forum (http://cyber.securityframework.org) might be a place to take a stab at this. Even there, there isn’t a lot of content yet on this topic, and we’re going to try to help out with that by posting some of our own content there.

In any case, wish the DHS folks well when you see them; I think they have a tough job ahead. (It’s also worth noting here that I have not been extensively involved in this part of the process and my view into it might have missed some important perspectives that lie further beneath the water.)
