Jack Whitsitt Comments on the New NIPP

The coming year is going to be an interesting one for public/private partnerships and cybersecurity.  Aside from any new legislation proposed, and beyond regulatory focused activity, the new Executive Order (EO) cybersecurity framework (CSF) will be released by NIST in February and the new NIPP (National Infrastructure Protection Plan), written in response to a directive in last year’s EO, was released in late December.


Of these two, it is the NIPP that I’d like to focus on and encourage everyone to read. While there is little that is completely new – it is still beholden to underlying policy drivers such as PPD-21, which replaced HSPD-7 –  the language used in the new NIPP implies an evolutionary shift in collective thinking. (For example, the NIPP always says it will be tailored to be flexible, but it appears from the language to now better understand what that means in the real world.)
It seems like, some of the lessons from the EO and the Framework development process may have influenced the writing of this document. Or, perhaps, it’s just a growing culture shift independently evident in both processes.
From the start, it is a relief to see that the new language provides much clearer background and context language within the document itself.  Reading the previous one, you already had to understand it before it made any sense; there seems to have been some progress made here in the 2013 version.  The document also seems to shift focus from “protection” to “security/resilience” (although, Department of Homeland Security [DHS] leadership in some cases is still saying “protection” in verbal communications).  This shift is more in line with the types of activities government and industry must partner on to improve the overall quality of our security posture nationally.  “Protecting” our infrastructure is the *last* thing we need to focus on. Right now, it needs to be made ProtectABLE. Finally, and interestingly, the 2013 NIPP also feels like the old parent/child relationship that seemed to have been unintentionally embedded in the older documents has morphed into a more appropriate and helpful peer based relationship.


The most notable (and concrete) new addition is a “Call to Action” which consists of steps to be taken by NIPP-based public/private cybersecurity partnerships going forward.  These steps appear to be intended to directly support a series of mutually developed priorities/goals at national, regional, sector, and local levels that are also to be developed under the new NIPP.  The call to action steps are grouped into: Building Partnership, Innovating on Managing Risk, and Focusing on Outcomes.  I’m not sure how these will play out – it seems like a lot of work will be required to mesh these together into coordinated action – but it’s still good to see the attempted movement.
Further, despite earlier concerns otherwise from some corners, it does appear that the new NIPP will maintain support of existing public/private partnership mechanisms such as Sector Coordinating Councils (SCC), Government Coordinating Councils (GCC), Critical Infrastructure Protection Advisory Council (CIPAC), Information Sharing and Analysis Centers (ISAC). The ISACs are now included under the broader heading of Information Sharing Organizations [ISO]) as the primary partnership mechanisms.  Still, it is exceedingly good to see that these mechanisms will not be the *only* ways to partner.
There are a number of stakeholders who, up to this point, have not been part of this dialogue and it would be valuable if they found a way in.
The two that come immediately to mind are “The Public” and “Unaffiliated Security Subject Matter Experts (SME).” First, “The Public” is critical infrastructure – at least as customers of risk management – and currently, they have little voice here. Second, most smart hacker or security types, if they are involved at all, are filtered through the business and political realities of their parent organizations and their industry associations. It would be nice to find away to add those voices to the mix, if only to offer a reality check to things like the NIST CSF.


Moving beyond partnership and execution of its own plan, the 2013 NIPP also continues to aim for more integration with the various national preparedness frameworks already out there.  Although, as with any new Call to Action and Priority additions, it is unclear how this will play out beyond how it has in the past.  Still, the language is positive.
On a side note, and perhaps this is a misread, there also appears to be a positive shift away from focusing on silo’d endeavors like the identification and maintenance of asset inventories into a more holistic approach.  Whether or not that’s a good read or if it will be reflected in implementation remains to be seen.


One specific and unfortunate legacy item is the old “Risk Management” lifecycle. It’s been cosmetically “updated,” but it doesn’t really add much more insight into the process. At best, it is useful in providing headings for documents.  A further treatment of this gap is outside the scope of this particular review.


More serious than the Risk Management Lifecycle problem, however, is what appears to be a philosophical miss.  It is good that cyber and physical security should be more integrated. The change in tone and apparent improvement in flexibility is appreciated, and outcome goals are absolutely a minimum requirement for driving effective security initiatives. However, the new NIPP still doesn’t effectively deal with the overall immaturity of the cybersecurity discipline itself – particularly when compared to the physical space.  It feels like there is an assumption that someone knows the right answers and all we have to do is implement them, but that’s not true.  In fact, the entire problem space needs reframing away from how the security industry has defined it for us over the past 10 years into something with a business quality assurance baseline that is then supported by risk management.  The NIPP and related public/private partnership mechanisms could do with more methods for and focus on the definition of  successful cyber security paths forward to meeting collaborative outcome goals, rather than a focus on selecting and then implementing existing paths.
Jack Whitsitt Headshot_100x100Jack Whitsitt, EnergySec’s Principal TAC Analyst, brings a breadth of cyber security knowledge and thought leadership to any discussion. His early efforts, which have been cited in IEEE papers, thesis research, and other works included leading an open source development group in creating novel tools to respond to attacks, creating created new methods of correlating and visualizing large scale security information, and supporting large US government and civilian incident response teams looking at traditional IT networks. More recently, Whitsitt has been working in the areas of control systems (SCADA) security and national level risk management, partnership, and information sharing. In 2009 and 2010, he worked for Idaho National Lab as an early member of DHS’s national ICS-CERT team as a part of the DHS NCCIC responding to critical infrastructure incidents of national consequence. As former Federal employee, he supported TSA in its capacity as the Sector Specific Agency (SSA) for transportation (including pipeline) security. In this role, he facilitated a national initiative for transportation implementing a reasoning framework for guiding strategic national cyber security policy within the sector and to provide organizations with national-level insights into their own individual risk management efforts.

Tags: , , , , , ,

One Response to “Jack Whitsitt Comments on the New NIPP”

  1. Doug Finley
    February 7, 2014 at 5:16 pm #

    “Second, most smart hacker or security types, if they are involved at all, are filtered through the business and political realities of their parent organizations and their industry associations.”

    And therein lies a great problem. Recall the first draft release of the SANS 20 Critical Controls; number two was something like ” Inventory of Authorized and Unauthorized Software; Enforce A Whitelist”. When the powerful business interests became involved, primarily anti-virus vendors, the semi-colon and everything after it disappeared. An effective control was just neutered for selfish business reasons.

    I often see it lamented that ICS cyber-security lags far behind its enterprise counterparts, as if progressing to the level of Target, Nieman Marcus, ORNL (a really big deal, in context), or just about any other is all we need do. Nothing could be farther from the truth. ICS needs lock-down. Whitelisting, properly done, can solve many of the most pressing problems right now. It won’t solve all, because (1) not all are solvable; and, (2) not all can be solved simply by preventing the execution of all unauthorized software. Yet, 80% or more (my estimate) of the risk of successful cyber attack could be eliminated with the right kind of whitelisting (plus) application.

    The more we focus on a grand unified theory of cyber security, the less we do to take steps that can be taken today with minimal disruption, expense, and risk. My great fear is (1) too little that could be done will be done, leaving us far more exposed than we should be; and, (2) with government and business collusion driving the agenda, we will end up with the cyber-security equivalent of the ACA.

Leave a Reply