Reader Tweet – NIST and Authorship of Framework

Jack Whitsitt (@sintixerr), in a series of TWEETS®, has taken objection to my characterization of the NIST draft and revised draft Cybersecurity Framework as being written by NIST. He makes the very justified claim that NIST crafted their draft from input received from industry, both in the RFI process and the two previous Framework Workshops.

I don’t know how much of the draft was influenced by that process and how much came from the considerable expertise that NIST brings to the table in-house. I’m not sure that it really makes much difference. NIST has done a yeoman’s job of consulting with industry and they are to be commended for the effort.

Political Document

At the end of the day, the Cybersecurity Framework will be a political document, just as any standards document is a political document. Conflicting viewpoints, objectives and agendas have to be resolved, and that will only come about through a political give and take.

This weekend celebrated another document that was prepared by a committee, and a study of that process is well worth reviewing. A committee of three prepared the Declaration of Independence just over 237 years ago, based upon weeks of vocal debate in Philadelphia and across the Colonies. In the end it was one man who was most directly responsible for most of the words. Minor changes were made by the committee, and the congress of rebels tweaked them some more before John Hancock affixed his signature as the first of many who pledged their lives, their fortunes and their sacred honor.

The Cybersecurity Framework will not be as earth-shaking as the Declaration, but it will come from a similar process. Many people, in public and behind the scenes, will have input into the document. But only a limited number of people, probably no more than three (my guess, based upon lots of committee work over the years), will be responsible for 95% of the words in the document. That doesn’t detract from the hundreds of people and organizations that provided input into the document.

Political Influence

I objected to what I see as political interference in causing NIST to revise their draft in less than a week and before there was any public input or discussion of the document. Jack claims (probably with at least some personal insight) that there have been private communications from the potentially regulated community to the NIST staff that may have been (he is careful not to state that they definitely were) the reasons for the change.

I would be surprised if these types of communication were not taking place, especially since NIST has publicly invited such input. I gave the NIST staff credit for understanding that, while such communications could be valuable, allowing such input to change a draft document before the Workshop next week would make the Workshop look like window dressing. Such changes from the community need to be discussed in a public forum to avoid the charges of favoritism and cronyism that will inevitably follow.

Now, I wasn’t there; I have no tapes of conversations, or any Deep Throat source. I just have years of experience watching political processes of all sorts. The only source of power with enough influence over NIST to cause them to appear to corrupt their process would be the President. NO, Obama did not make the call, or probably even ask someone to make a call. A political operative on the White House staff heard complaints from politically connected constituents about the expansion of the Framework to cover ‘cyber risk’ in general and not just ‘cybersecurity risk’, and responded with a politely worded edict, er, a ‘suggestion’, to a political appointee at NIST to pull back the reins and get the Framework back on its narrowly focused track.

Obama’s Cybersecurity Framework

Now, let’s make it clear; President Obama owns the Cybersecurity Framework. It is his Executive Order that mandates its creation, sets out its limits and provides the authority to make it happen. He dissed Congress for inaction and made the bold move. He is the one that directed that funds be moved around to support the development process. And, he is the one that will receive the blame if the Framework crashes and burns. So he certainly has the right to have his input considered, even followed slavishly.

But, the President has made a big political point of this project being completed with the active participation of the regulated community. That is more than just his populist background speaking. He needs the political cover as insurance against a failure of the process. This is brand-new ground on an ever-changing landscape. If a cybersecurity incident causes significant loss of life or financial collapse within the next two years, he doesn’t want to be the person wholly responsible. If the Framework is unworkable, he needs to be able to point at others in the process as at least the co-authors of the document.

All of which means that he needs to let the process he crafted work in the manner he directed. He needs to allow industry the opportunity to fail. If there is something that he really objects to, as the owner he needs to make his wishes clear and public. But, he needs to remember, every time he does so he gives industry that much more relief from blame and accepts more blame for himself. It is dangerous ground upon which to walk; that’s why we pay him the big bucks and provide the showy benefits. He is, after all, The President.
