Throughout 2014, stories of major data breaches and hacking incidents have dominated the mainstream media. Customers of major corporations like Target, Home Depot, JPMorgan Chase, Bank of America and Neiman Marcus have been the targets of malware, phishing schemes and other malicious acts of cyber crime within the past year. As a result, hackers have gained access to private information pertaining to tens of millions of financial accounts. Here at IPWatchdog, we’ve provided some coverage of this growing threat to the technological infrastructures of companies and organizations all over the world.
Instances of cyber crime have been rising and the associated costs have exploded. Cyber crime has increased 10.4 percent this year over totals posted during 2013 according to the Ponemon Institute, an independent data protection research firm. By far, the United States bears the greatest brunt of the cost of cyber crime; American businesses have lost a total of $12.69 billion so far this year as a result of computer crime. Exact financial costs for each organization affected are tough to tally, but a PricewaterhouseCoopers study found that the average monetary loss among companies that could report financial statistics was about $415,000 per organization. Two-thirds of the companies surveyed weren’t able to estimate their losses in clear financial terms. Worldwide, cyber crime costs the global economy about $445 billion every year, a figure that represents about one percent of annual income all over the globe. Again, it’s difficult to determine the exact financial cost of cyber crimes, and other estimates have varied as widely as just over $100 billion to about $1 trillion.
Against this backdrop of the global discussion on cybersecurity, multiple U.S. governmental agencies are joining with academic institutions and industry leaders to develop more proactive measures for handling and responding to cybersecurity risks. On Friday, November 14th, the U.S. Patent and Trademark Office hosted the nation’s first Cybersecurity Partnership meeting at the USPTO’s Silicon Valley office in Menlo Park, CA. A full day of events brought together officials from the PTO, the National Institute of Standards and Technology (NIST) and a variety of other stakeholders in cybersecurity development to talk about ongoing efforts to strengthen the cybersecurity response of American businesses and governmental agencies to the growing threat of computer crime. We were able to catch some of the day’s proceedings through a webcast provided by the PTO.
The NIST Cybersecurity Framework
In his welcoming remarks, San Jose State University President Mohammed K. Qayoumi stated the need for the United States to attain superiority in cybersecurity in no uncertain terms. “2,000 years ago, the Romans had a strong ability to…command land transportation, and they were a great empire that lasted for centuries,” Qayoumi said. The British Empire’s ability to control the world’s waterways, and America’s post-World War II dominance of the air, were also cited as reasons why those countries rose to power. “Today, in the digital revolution, we have a similar issue with cybersecurity. Whoever controls that role and can be masterful at it, that is the nation that will really have major influence globally.”
As Qayoumi went on to state, intellectual property is one of the great strengths of the American economy, but IP is one of the areas most at risk through cyber crime. To address this, the White House issued Executive Order 13636 in February 2014, titled Improving Critical Infrastructure Cybersecurity, which discusses the responsibility of the U.S. government to increase the volume, timeliness and quality of cybersecurity information shared with the nation’s private sector. The executive order directed NIST to take a lead agency role in developing a Cybersecurity Framework designed to establish a voluntary set of standards for aligning policy, business and technological approaches to address cyber risks within organizations.
In February of this year, NIST published what it views as the first complete version of a working Cybersecurity Framework, one meant to be effective for as wide a range of industries and organizations as possible. The Framework for Improving Critical Infrastructure Cybersecurity, first released by NIST on February 12th, focuses on the business drivers that affect cybersecurity needs and gives organizations a tool for considering the whole of their data security needs and for taking proactive approaches to protecting their customers and themselves.
The NIST framework consists of three components. The Framework Core provides a matrix of cyber risk categories allowing a company to define its cybersecurity needs across a spectrum of cybersecurity functions: Identify, Protect, Detect, Respond and Recover. The core is designed to create an operational culture for addressing cybersecurity risks, which are both dynamic and industry specific. The Framework Implementation Tiers give organizations a means of self-assessing how a company or agency is handling cybersecurity risks. The tiers, which range from Partial to Adaptive, do not represent maturity levels, and although companies are encouraged to progress towards Adaptive, the framework states that they should only do so when the changes would reduce cybersecurity risk while being cost-effective. The Framework Profile is intended to enable businesses to compare their current cybersecurity practices to best practices in their sectors, helping them identify threats they may not be considering in their risk management plans.
Cybersecurity Partnership Meeting at USPTO’s Silicon Valley Offices
As NIST outreach manager Kevin Stine explained at the start of his comments at the Cybersecurity Partnership Meeting, NIST is uniquely situated to affect cybersecurity development as a non-regulatory agency involved in the development of industrial standards. “Our mission puts us at the intersection of policy and technology,” Stine said. “We’re non-regulatory, but our decisions inform policy decisions.” The agency has already been operating a Computer Security Division for years to develop programs that promote security in information systems.
At the meeting, Stine reported that there were sixteen industry sectors to which the Cybersecurity Framework is applicable, including financial services, energy, healthcare, waterways treatment and information technology. The framework was developed to help organizations of any size determine their current cybersecurity risks as well as methods for mitigating those risks based on industry best practices. “[The framework] had to be a tool with a little something for everybody, big and small,” Stine said. “It had to be a tool helping organizations talk up and down from senior leadership to employee levels.”
Importantly, the framework is not intended to be an all-inclusive checklist, and Stine noted that NIST views the current version of the framework as a living document that could change based on the experience companies report in implementing it. “It’s a framework, not a prescription,” Stine said. He would also go on to state that it was still far too early to consider whether or not NIST would definitely make substantial changes to the framework in the future.
Responding to questions after his comments, Stine reported that a high level of interest in utilizing the framework had been coming from state-level governmental agencies. Virginia and Maryland specifically were discussed as two states that have been pursuing ways of implementing the framework. Many of the states responding to NIST about the framework have indicated that they were interested in providing better cybersecurity for agencies as well as using the framework to determine regulatory needs.
Businesses also stand to gain through implementation of the Cybersecurity Framework. As one business owner indicated during the Q&A session, companies offering cloud-based services often fight the consumer perception that their information won’t be safe. Proactive implementation of the framework could help an organization signal to potential clients or business partners that it is following the best practices for cybersecurity within its industry.
The PTO and Cybersecurity Patents
Also speaking at the Cybersecurity Partnership Meeting was Nestor Ramirez, one of the directors of the USPTO’s Technology Center 2400 (TC2400). TC2400 is the technology center providing patent application examination for computer networks, multiplex communication, video distribution and security. According to Ramirez, there are just over 200 patent examiners who are dedicated to handling patent applications in the field of information security and cryptography.
Ramirez’s comments were enlightening on the state of cybersecurity development both within the United States and across the globe. During 2013, there were a total of 7,577 patent applications filed with the USPTO in the field of cybersecurity. The vast majority of these patent applications are coming from the United States, with the most filings coming from the states of California, New York and Texas. The top five companies filing patents within this field were IBM, Symantec, Google, Microsoft and Samsung. Although the USPTO is not directly involved in the development of the NIST Cybersecurity Framework, they do see a role in supporting the purpose of the framework by ensuring that high quality patents in the field of cybersecurity are issued in a timely fashion, and the technology center is considering initiatives to increase the speed of patent application examinations.
The publication of cybersecurity standards and organizational methods for developing better responses to threats will likely increase both the level of cybersecurity innovation and the ability of businesses to protect their most sensitive data. As Stine urged in his remarks, federal agencies like NIST can be the “convener” of programs like the Cybersecurity Framework, but industry needs to take ownership of the framework for it to become truly effective in suppressing cyber risks.