The National Institute of Standards and Technology released its cybersecurity framework as planned Wednesday, and AT&T's Randall Stephenson (chairman and CEO) put an exclamation point on the importance of the issue.
The goal had been to work with stakeholders, including ISPs and tech companies, to provide a voluntary approach to protecting critical infrastructure like telecommunications networks and power grids.
The framework's key elements are a set of customizable steps, plus common language and mechanisms, that stakeholders can use to determine their current protections and vulnerabilities and ways to assess and address them. NIST has described it as a way to turn best practices into common practices, which includes protecting privacy and civil liberties.
The framework was created at the discretion of the President last Feb. 12 after Congress failed to pass a cybersecurity bill.
NIST said the framework is a "living document" and it will continue to update it per industry feedback on implementation. AT&T's Randall Stephenson has already called it a very good piece of work and something anyone connecting to his network or providing equipment should be adopting, at a minimum.
NIST was already getting a lot of feedback Wednesday from a variety of sources, including cable operators. That response generally boiled down to support for the principles and a pledge to work collegially on cybersecurity.
"The cable industry appreciates the collaborative process between the National Institute of Standards and Technology and industry in the development of the Cybersecurity Framework," said National Cable & Telecommunications Association president James Assey. "Now that the final framework has been released, we will review the document and continue to work with the Department of Homeland Security and other relevant parties toward the further development of a Voluntary Program that will improve cybersecurity."
AT&T applauded the release of the document and pointed out that its CEO, Randall Stephenson, was participating in a White House discussion Wednesday about cybersecurity in connection with the release of the standards.
Stephenson said during the discussion that he was enthusiastic about the framework because "Nobody has this thing [cybersecurity] licked. There is no such thing anymore as a private network," he said. "If you think [your network] is private and protected you are fooling yourself," he added, pointing to all the Wi-Fi access points.
He said a network was no stronger than its weakest link. "The bad guys are impressive innovators," he said. "You're not going to stop them all...I don't think there is a company that can keep up."
While he called the framework a very good piece of work, he also said it represented the minimum level, the "ante" as it were. He also said he would expect anyone interconnecting with an AT&T network to be implementing the framework.
Stephenson said investing in cybersecurity is investing in the brand. He said AT&T was very vocal about the framework not being a cookie-cutter approach, something he pointed out was reflected in the framework released Wednesday.
The executive summary made the point up front: "The Framework is not a one-size-fits-all approach to managing cybersecurity risk," NIST said.
Stephenson said that he could not emphasize enough that the framework has to not only allow for but incentivize innovation, which has to happen fast. "Bias toward standardization and regulation could be a boat anchor to the innovation that is required for us to stay ahead and win this battle," he said.
He said it was industry's responsibility to evangelize the threat that is out there. "The best incentive on cybersecurity is fear," he said. "It scares the living hell out of us." That extends to employees. Training and education are important, he said, but there needs to be a consequence for violating cybersecurity practices.