Cybersecurity continues to be a hot topic around the world, particularly as governments develop policies to improve cybersecurity in critical infrastructure.  In the U.S., the White House released an Executive Order entitled Improving Critical Infrastructure Cybersecurity to drive a concerted effort across departments, agencies and industry to improve the posture of the nation’s critical infrastructures against cyber-attacks.

The Executive Order gave responsibility to the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework (known as the Framework) aimed at helping manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. Microsoft provided a response to NIST’s Request For Information (RFI) on this topic, which I’ve outlined below. Additionally, I had the privilege to participate in a panel discussion at the recent NIST Cybersecurity Framework Workshop at the Department of Commerce in Washington, DC, where I discussed our response.  You can view a video of the workshop here.

Our response addresses three areas of inquiry put forward in the NIST RFI:

  • Current risk management practices
  • Use of frameworks, standards, guidelines, and best practices
  • Specific industry practices. 

For each of these areas, our response focuses on foundational, lasting principles for the Framework, as well as recommendations for risk assessment and risk management processes that can be applied horizontally across sectors and vertically within critical infrastructure assets.  Consistent with the RFI’s statement that the Framework should provide for “ongoing consultation in order to address constantly evolving risks to critical infrastructure cybersecurity,” Microsoft is committed to working with our industry and government partners on a long-term basis to build a Framework that is rooted in international standards and best practices from the private and public sectors. 

The relationship between cybersecurity and critical infrastructure protection is well-acknowledged. In addition to an extensive series of studies concerning cybersecurity challenges in critical infrastructure, the United States government and others have developed a broad array of national-level plans and procedures to secure national assets.  However, a globally-accepted framework for critical infrastructure cybersecurity does not exist yet.  To address this gap, we believe that a properly-structured Framework holds great promise for enabling more effective assessment and management of cyber risks to critical infrastructure in the United States and abroad.

Microsoft View of the Key Aspects of Cyber Threats

Microsoft has a unique view of cyber threats, as each month we receive information on malicious software and cyberattacks from more than 600 million systems in more than 100 countries and regions.  In addition, we work closely with our government, enterprises, and consumer customers around the world to assess, manage and respond to risks.  From our experience, we have observed four key cyber threats worldwide: cybercrime, economic espionage, military espionage, and cyber conflict. These threats can have serious implications for critical infrastructures. Understanding the complex threat landscape and grappling with the persistent presence of cyber attackers is a challenging proposition. 

Understanding and Managing National Level Threats Focused on Infrastructure is Complex

In order to establish national cybersecurity priorities, there needs to be a clear understanding of the motivations and capabilities of those individuals posing threats, potential avenues for attack or exploitation, and the key assets, functions or information that could be targeted. This understanding needs to be complemented by assessments to understand the potential impact of cybersecurity events on critical infrastructure so that risks can be managed to reduce potential impact. 

Summary of Recommendations

Microsoft believes that the Framework should be based upon six foundational, lasting principles outlined below. A focus on these principles will establish the Framework’s relevance to critical assets and critical sectors.  We further recommend that NIST develop the Framework using a cohesive, principles-based strategy that is focused on risk assessment and risk management.  (We describe this structure in detail in our response. This type of strategy presents an optimal approach in the face of dynamic cyber threats and a rapidly evolving technology landscape.

Specifically, Microsoft recommends the following six foundational principles as the basis for the Framework:

  • Risk-based.  Assess risk through the prism of threat, vulnerability, and consequence, then manage risk through mitigations, controls, and similar measures.
  • Outcome-focused.  Focus on the desired end-state rather than prescribing the means to achieve it, and measure progress towards that end state.
  • Prioritized.  Adopt a graduated approach to criticality, recognizing that disruption or failure are not equal among critical assets or across critical sectors.
  • Practicable.  Optimize for adoption by the largest possible group of critical assets and implementation across the broadest range of critical sectors.
  • Respectful of privacy and civil liberties. Include protections for privacy and civil liberties based upon the Fair Information Practice Principles and other privacy and civil liberties policies, practices, and frameworks.
  • Globally relevant.  Integrate international standards to the maximum extent possible, keeping the goal of harmonization in mind wherever possible.

For the full RFI response, please visit the NIST website.

Paul Nicholas