NIST has revised the draft cybersecurity framework that it released in August. What it published today is a "preliminary cybersecurity framework." After comments, a final framework will be released in February.

I've been very critical of the draft released in August. NIST clearly worked to address the criticisms. The result is a mixed bag, but the document is still a net loss for security.
What's improved? First, in an effort to introduce flexibility into the document, NIST deleted all the "should" language from the privacy standards. Second, it added a paragraph that asserts the "flexibility" that organizations have to implement the privacy provisions:
Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.
Third, NIST responded to my concern that the "governance" section of the appendix would smuggle into the rules governing private companies all of the fair information practice principles, or FIPPs, that govern federal agencies. NIST narrowed the scope of the governance section by tying it to the actual PII being used for cybersecurity. See the bold language below.
Old version: Organizations should identify policies and procedures that address privacy or PII management practices. Organizations should assess whether or under which circumstances such policies and procedures: [followed by a list of FIPPs, many with dubious relationship to cybersecurity]

New version: Identify policies and procedures that address privacy or PII management practices for the PII identified under the Assets category. In connection with the organization's cybersecurity procedures, assess whether or under which circumstances such policies and procedures: [followed by the same list]

That's a substantial improvement.
What's wrong with the new version? Well, the first change, dropping the "should"s, is well-intended but largely cosmetic. In fact, it arguably makes the rules harsher, not more flexible. That's because, instead of telling companies what they "should" do to protect privacy, the appendix now just commands them to do those things. You can see that in the example above. Also in this one:
Old version: "When performing forensics, organizations should only retain PII that is relevant to the investigation."

New version: "When performing forensics, only retain PII or communications content that is necessary to the investigation."
(As an aside, note the other change in the new version, which is pretty clearly the result of privacy groups' comments. It tells companies to protect communications content, not just PII. But that change is only needed if the companies are sharing content that can't be traced to a person. So it seems to mean that companies who share information about spam should minimize the amount of spam they quote when trying to tell other companies which messages to block. That's dumb. More broadly, why should such a mandate be added to a standard that insists that it's about PII?)
That brings me to my biggest concern. Despite NIST's claim that it has left companies lots of flexibility, you can't really find flexibility in the language of the privacy appendix. So I continue to fear that the net result of the package will be to impose a "privacy tax" on cybersecurity, adding to the cost of security measures by tying those measures to expensive privacy obligations whose value is unproven. For example:
Old: "When voluntarily sharing information about cybersecurity incidents, organizations should ensure that only PII that is relevant to the incidents is disclosed."

New: "When voluntarily sharing information about cybersecurity incidents, limit disclosure of PII or communications content to that which is necessary to describe or mitigate the incident"
The new language is slightly less demanding, but it still calls on companies that share information about malware and intrusions to make determinations about which information is "necessary" to describe or mitigate the incident. If the company guesses wrong about a couple of bits of information, and someone later decides that those bits weren't strictly necessary to mitigate the incident, then the standard has been violated and liability is much more likely. At a minimum, lawyers have to review every category of data that is being shared and write rules for when it is necessary and when it isn't. It takes heroic ignorance to believe that a requirement like that won't reduce the sharing that's already occurring, even among private enterprises.
Finally, NIST took a further step that has heightened my concern that this appendix is going to impose the FIPPs on the entire US private sector. That's because the only "reference" standard offered by NIST to explain and implement the appendix is a document that is plainly written for government agencies trying to implement federal privacy standards. In the absence of any other reference, the pressure will be great to follow the government rules.
So, to return to the example above, suppose you're a company that wants to implement privacy-compliant information sharing. You consult the "reference" standard, and here's what you're told:
MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION

Control: The organization:

a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;

b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and

c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
Supplemental Guidance: Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.

Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules. By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR-1.
Control Enhancements:

(1) MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION | LOCATE / REMOVE / REDACT / ANONYMIZE PII

The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.

Supplemental Guidance: NIST Special Publication 800-122 provides guidance on anonymization.
None of this is good for quick and easy cybersecurity information sharing. It seems to suggest that each sharing company has to evaluate its cybersecurity data and minimize, perhaps even anonymize, the data it keeps and to get rid of anything it isn't sure it needs. The data will have to be scrubbed for accuracy and completeness. To make that decision, the guidance creates a committee that includes not just the lawyers but top officials and a privacy officer, further clogging and bureaucratizing what should be an instantaneous exchange of threat data. This raises the cost of information sharing, which is what you do only if you want less of something.