NIST Hosts IoT Workshop, Kicks Off Botnet Roadmap, and Previews New Privacy Framework Effort
On July 11, 2018, the National Institute of Standards and Technology (NIST) hosted a workshop entitled Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop. NIST’s Cybersecurity for Internet of Things (IoT) Program and Privacy Engineering Program are drafting guidance for the federal government on managing IoT risks, and the workshop will inform that effort. Additionally, NIST and the National Telecommunications and Information Administration (NTIA) used the workshop to kick off the Botnet Report’s Roadmap process.
NIST’s IoT Guidance
The guidance that NIST is developing regarding managing IoT cybersecurity and privacy risks is intended to be limited in focus to federal agencies. However, NIST made clear at Wednesday’s workshop that it values perspectives from organizations outside of the federal government—including industry and academia—and that it hopes that entities in those sectors will use its guidance on a voluntary basis.
The exact form the guidance will take is still unclear; however, NIST indicated that it does not want to re-invent the wheel. It hopes to produce a document that points readers to existing frameworks and controls catalogs, highlighting how they apply in the IoT context, rather than creating a novel framework for IoT.
What is clear is that the guidance will continue NIST’s effort to integrate privacy and cybersecurity. At the workshop, NIST and participants discussed the similarities and differences between privacy and cybersecurity risk management—NIST acknowledged that the privacy risk management realm does not have the robust body of work that the cybersecurity realm has.
Much of the discussion revolved around whether and how to apply traditional IT security and privacy controls to IoT devices. There was debate over whether NIST should identify a baseline set of controls. While this issue is far from settled, NIST wrapped up the day by explaining that there cannot be a one-size-fits-all solution; instead, the answer will likely be something that applies vector-by-vector, capability-by-capability, or device-type-by-device-type. A single baseline that applies everywhere, NIST said, would not be meaningful. However, it does believe that an environment-specific baseline for IoT is needed.
NIST will release a summary of the workshop soon. By the end of September, NIST hopes to release the first draft of its guidance for public comment. It anticipates another workshop will follow the release of the draft.
The Botnet Report Roadmap
NIST and NTIA explained that the Botnet Report Roadmap will serve as the mechanism for managing the many-faceted response to the botnet problem. Ultimately, the document will help prioritize and sequence the next steps in the botnet effort. The agencies have started mapping out several multi-dimensional “Lines of Effort” that will make up the Roadmap. These include non-IoT Lines of Effort (such as enterprise and infrastructure) and IoT Lines of Effort (such as home IoT, industrial IoT, a federal IoT security baseline, adoption and sustainability, and international standardization).
Wednesday’s discussion kicked off the official Roadmap process, starting the 120-day clock to develop the initial Roadmap that will end on November 8, 2018. The two agencies indicated that we can expect a draft of the Roadmap in early Fall. Following the submission of the Roadmap to the White House, the agencies will track progress and intend to bring the botnet mitigation community together again two to three times. After the initial year of the Roadmap, a status report is due to the President regarding implementation.
New Privacy Framework
NIST indicated that it is planning to develop the privacy equivalent of the Cybersecurity Framework and will release a Request for Information or other notice regarding that new project. NIST noted that its IoT guidance for the federal government will be developed before the new privacy framework. In discussions with NIST officials, it has become clear that stakeholder engagement will be critical to shape the goals, structure, and details of this effort, which they expect to take a year or so. It is not yet clear whether they will base their efforts on prior privacy work, like NISTIR 8062, or what values they might seek to advance with this effort.