In the first part of our analysis of the NIST Cyber Security Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we have seen that the Framework is more of a conceptual model of how to talk and think about cyber risk rather than a method to systematically and verifiably reduce such risk to agreed-upon levels.

This would not be a problem per se if the NIST CSF hadn’t been sold as the government’s response to, in President Obama’s words, one of the most serious national security challenges we must confront. The CSF was not developed to protect a family-owned cookie factory against spam mail, but “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”, also called the Critical Infrastructure.

Unfortunately, the national security aspect is completely lost in the concepts and suggestions of the NIST CSF. Determination of risk tolerance for, let us repeat, systems so vital that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, can hardly be left to private sector companies factoring in their individual business needs and resources.

This points to a fundamental policy flaw in EO 13636. In essence, the executive order and the NIST CSF rest on the idea that individual corporations will minimize their cyber risk in their own best business interest, thereby also minimizing cyber risk on a national scale. First, systemic risks in critical infrastructure at a national scale are emergent properties: the system is more than the sum of its parts, and a private company is not responsible for risk in emergent functions until told otherwise by a regulator. Second, the objective of risk management is not to minimize risk; it is to minimize cost, down to the point where certain risks are perceived as so critical that they deserve investments in mitigation. More security (or less risk) comes with more cost, prompting many business decision makers to lower cost by accepting higher risk. We always have to choose between security on one side and convenience, flexibility, and economy on the other; we can’t have it both ways. The correlation is so strong and simple that we have stated it as Langner’s Law:

Insecure systems, architectures, designs and procedures are inherently more convenient, more flexible, and less expensive than secure ones.

If security were free, we wouldn’t need risk management, because all risks would be addressed. No prioritization of risk would be necessary, and neither would it be wise to “accept” even the smallest risk. The cost of mitigation often tends to be the only cost that business decision makers see when it comes to cyber risk. Do the alleged savings in the cost of consequences constitute a business case? Obviously not. If they did, business decision makers would have identified and addressed the issue long ago. Even if the CEOs of corporate America may not know everything about cyber, they certainly know how to run a business. If reducing cyber risk really were in the best interest of business owners, there would be no need for the government to provide unsolicited advice; the problem would have been solved already. This is the reason why we argued earlier, in our paper Why cyber risk cannot simply be ‘managed’ away, that change must be policy-driven rather than risk-driven.

Such policy doesn’t necessarily need to involve regulation. What it does require in the first place is a policy statement about what is expected from the private sector, and which criteria are applied to assess whether that expectation is met. Neither is found in Executive Order 13636 or in the NIST CSF. While their mere existence suggests that the government is unhappy with the cyber security posture of US critical infrastructure, it is left to guesswork to what extent that is the case and how much the private sector is expected to act. Only with a clear idea on both topics could we develop good strategies to address the problem, and start an informed discussion on whether such strategies would best be incentivized or enforced by different policy means.

In the next part of this series we’ll take a closer look at the 98 subcategories in the NIST CSF.