Invited to speak at a workshop convened by the National Institute for Standards and Technology (NIST), Hogan Lovells partner and Future of Privacy Forum advisory board member Harriet Pearson yesterday commended NIST for its thoughtful efforts on the Framework, endorsed the consideration of privacy in cybersecurity efforts, and shared a strawperson privacy methodology for discussion with workshop participants.
The Significance of the Cybersecurity Framework
Experts and leaders across government and industry continue to voice alarm at the vulnerability of computerized systems and devices to a rising tide of threats from sources as varied as nation-state actors, cybercrime rings, and political movements. Cybersecurity risk ranks as a top national security and economic security concern and is increasingly featured as a topic for corporate boards and legislators.
The successful and widespread voluntary adoption of the Cybersecurity Framework, the development of which is mandated by Executive Order 13636 by mid-February 2014, is considered to be an important enabler of efforts to address risk in critical infrastructure and other industry sectors.
When finalized, the voluntary Framework will provide a common language and roadmap for owners and operators of critical infrastructure to address cybersecurity risk. As we have previously reported, it is likely that governments and early industry adopters will incent or even require others in industry to align with the Framework, setting in motion a virtuous circle of security improvements. Whether this happens depends, logically enough, on whether the Framework will be embraced as practical and useful.
In its request for comments on the recently released Preliminary Cybersecurity Framework, NIST acknowledges as much, asking reviewers whether the Preliminary Framework would be “effective in helping to reduce cybersecurity risk to the Nation’s critical infrastructure” and whether, among other things, it would:
- Enable cost-effective implementation;
- Provide the right level of specificity and guidance for mitigating the impact of cybersecurity measures on privacy and civil liberties; and
- Express existing practices in a manner that allows for effective use.
Privacy, Civil Liberties, and the Cybersecurity Framework
These questions and others were discussed at the NIST workshop, with particular focus on the privacy and civil liberties draft methodology included in the Preliminary Framework. “Methodologies” on these topics are explicitly required by section 7(c) of the Executive Order, and the Preliminary Framework features a significant amount of new relevant text in the Framework Core as well as Appendix B of the document.
Speaking at the Workshop, and drawing insights from a series of informal dialogues on this topic recently convened by Hogan Lovells, Pearson offered recommendations to guide NIST’s work on the Framework, including the following:
- It is appropriate and important for privacy to be considered in the context of cybersecurity activities, and thus in the Cybersecurity Framework.
- To incent adoption of the Cybersecurity Framework, the privacy methodology should be clear and straightforward to adapt and implement.
- The privacy methodology should focus on the privacy issues directly and uniquely implicated by an organization’s cybersecurity measures or controls, since not all cybersecurity measures used by organizations have privacy implications.
- Like the rest of the Framework, the privacy methodology should reflect consensus privacy sector practices. Subsequent versions of the privacy methodology/Appendix B can address more complex issues as to which consensus does not yet exist.
- An organization’s implementation of the measures or controls included in the privacy methodology should be objectively determinable.
- A methodology to protect civil liberties should pertain directly to governmental organizations in view of constitutional and legislative mandates applicable to government and the absence of industry consensus on how such issues directly apply to private sector practices.
These recommendations were the subject of discussion during workshop sessions dedicated to the privacy and civil liberties aspects of the Framework.
Outlook for the NIST Cybersecurity Framework
This week’s workshop was the fifth and final such workshop organized by NIST and attracted almost 500 participants.
Businesses with concerns about the broad scope and practicality of the proposed privacy and civil liberties aspects of the Framework have until December 13 to voice their perspective via the comments process. All indications are that NIST will receive substantial input on a wide range of topics, including privacy, as the business community, privacy advocates, and others further develop their views and recommendations in the next month.