¶ Intro / Opening
I have to go Chain, chain food.
I'll thank you. Ladies and gentlemen, welcome to another episode of Privacy, Please. I'm your host, Cameron Ivey, alongside my other host, Gabe Gumbs. We don't do co-hosts anymore, we're just hosts. You know what? You're just hosts. I just made that up. Right now we're going to fly with it.
That's how it works, though. Like if you just said it, it is now true, it is a statement.
Yeah, I don't want to tire saying co-hosts, because you know we're one and the same.
No one says co-parent. Does anyone say co-parent? I guess they do.
I don't like it either. Yeah, if you're gonna. So either you say it as an adjective or a verb, right? Like, but as a noun, co-parent as a noun doesn't work.
You just, you just call them parents.
¶ NIST Cybersecurity Framework 2.0 Update
Like this is, this is my mom and my co-parent, and I'm sorry, I meant dad. Dad looks down at you like, what did you? Just, I'm well, how are you, sir?
Good, man. Got some. You know, life, life continues to go.
It does, it does.
We uh, sun continues to shine and yeah, you know.
Comes up another day.
NIST security framework continues to change. It does, and we have questions. It does, it does.
That is today's topic. 200th episode, yes.
There's a button for that. If you want me to use it, use the button. I gotta go live with it, though. Oh, it won't. It won't let me go live with it. No, that's all right. All right, so okay.
Post production. That's what post productions are. For those of you that have listened to the show long enough know what we mean when we say post production. Oh yeah, we really start 200th episodes. So that happened this week. There's the button. Big times.
Also, also just as significant in, in the security framework, security and privacy world, NIST released version 2.0 of the cybersecurity framework, NIST Cybersecurity Framework 2.0. It's been a long time coming. It's been many, many years in the making. There's been a lot of comments. I mean, the way the entire process works is they.
They solicit comments from the industry, from experts. There are no shortage of experts that are also already engaged in working on this project in particular, both inside and out, so it's very much a collective effort. NIST, of course, is a government entity. It is. It is funded and backed by the US government.
Well, they say here it's now added as the sixth function, Govern, which emphasizes that cybersecurity is a major source of enterprise risk and a consideration for senior leadership.
And so that is the significant update to the 2.0 framework. So, for those of you who just don't have the NIST Cybersecurity Framework memorized, it encompassed five sections prior to this update: Identify, Protect, Detect, Respond, Recover, as it pertains to your environment, infrastructure, data, etc.
Identify the things that require protection, protect them, apply detective measures such that you know, when not doing anything, when naughty things are happening, respond to any naughty things that are happening and recover from any naughty things that may have happened.
So the, the, the additional, the update to the NIST Cybersecurity Framework is Govern, but they didn't add it as another step or another wedge. They added it as an overlay across all of those other components, which I think is good. I think that sends the right message, namely that Govern isn't somehow distinct from detection, protection, responding, etc.
But that governance is an activity that must occur throughout the entire life cycle of protection. I'll call it the life cycle of protection.
I like that. Coin it. Coin it. Trademark, that's mine.
There it is. That's how it works, isn't it now, I guess?
I mean, you heard it here, that's how it works now. So, questions from this. Obviously, I know the one that jumped up in your mind is, well, isn't there a security framework opposite of this, or, I'm sorry, a privacy framework? Apologies, yeah, but why is that separate?
And it has been for some time. So NIST also has a privacy framework. It is currently in version, I think, 1.1, but 1.0 was released back in January of 2020. It is a privacy framework and we've talked a lot about why.
We've always felt that there's a lot of overlap between the two, but not really certain that they should be that wholly distinct from each other. And in this update of the NIST Cybersecurity Framework 2.0, I find myself questioning even further why NIST chooses to keep cybersecurity as a distinct framework from the privacy framework.
Now, for what it's worth, NIST actually addresses this right up front. In the 2.0, in the updated cybersecurity framework, right on page 12, it does explicitly state the following. I'm going to read this verbatim: Privacy risk. While cybersecurity and privacy are independent disciplines, their objectives overlap in certain circumstances, as illustrated in Figure 6.
Figure 6 is a Venn diagram, and on the left it's cybersecurity risk, which are associated with cybersecurity incidents arising from loss of confidentiality, integrity or availability, and the right side of this Venn diagram is privacy risk associated with privacy events arising from data processing, and in the middle of that are cybersecurity-related privacy events.
So let me go on to read: Cybersecurity risk management is essential for addressing privacy risk related to the loss of confidentiality, integrity and availability of individuals' data. For example, data breaches could lead to identity theft. However, privacy risk can also arise by means that are unrelated to cybersecurity incidents. So there's the smoking gun.
That sentence is the reason why the NIST body still sees privacy as a separate framework. Because, quote, privacy risk can also arise by means that are unrelated to cybersecurity events. I am further confounded, confused and maybe even a little grumpy about that statement.
Cybersecurity framework includes physical protections to things like data centers, so it obviously acknowledges that you can have an impact to confidentiality, integrity, availability that are not really cybersecurity, that are, simply, someone walked into a data center and removed a hard drive, there was a natural disaster and a location is offline.
Those are not cybersecurity incidents, but yet we cover them under the cybersecurity framework. Yes, they are not distinct. There are other frameworks that talk explicitly
¶ Intersection of Privacy and Security Frameworks
about disaster recovery, so, no, I'm not attempting to conflate those things either. What I'm failing to understand here is we know that you cannot have privacy without security. It is not a thing.
You can, indeed, have security without privacy, but you cannot have privacy without security, and so I'm very much failing to understand why these two are separate, especially if you added the ring of governance to include governance as one of the key pillars.
Well, maybe that's a question we'll ask NIST when we tag them.
I need an answer. I'm just curious how we arrived at that decision. The document clearly does point out why it thinks that, with that anecdotal blurb. But I think part of the problem with both privacy and security is that as long as we continue to treat them as these distinct practices, we're going to end up with the outcomes we have.
Here's a really good example of that. We treat ransomware as largely a confidentiality risk, namely data loss. Now, those of us following along at home would have remembered that the Verizon Data Breach Investigations Report from last year, 2023, very accurately points out that availability is the number one impact of ransomware. It crossed the threshold two years ago.
Data loss was, no longer is the case. Availability is the number one impact. Where am I going with this? Cybersecurity is still treating ransomware incorrectly. If the impact is availability, then encrypting your data doesn't protect against availability attacks, because if I re-encrypt the data, you've also lost access to it.
You know why this is a problem? Because we keep separating CIA, confidentiality, integrity and availability, across this line of security and privacy. This Venn diagram should be one circle. One circle. The cybersecurity framework and the privacy framework, I do not, do not genuinely think, should continue to exist as two distinct entities.
Yeah, now is this. It says that the 2.0 version now applies to all audiences, industry sectors and organizations, instead of just critical infrastructure owners. I didn't know that.
I think that's a great update. So a lot of times, NIST documents are published with an intended audience of critical infrastructure owners, both public and private, and that can be everything, of course, from banks to other government entities. There are government banks, so yeah, nonetheless public and private sector, but largely critical infrastructure.
I really do appreciate that this has expanded itself to include all verticals, because everyone suffers from cybersecurity incidents these days. Everyone does. If you now acknowledge that the cybersecurity framework covers all entities, not just critical infrastructure, you've also just included all of the entities that are responsible for individuals' data.
So to add on to that, Gabe, the framework added emerging threats rooted to artificial intelligence and quantum computing too. What does this mean?
I'm hopeful that it means that we now have a framework that others can use when thinking about threats against artificial intelligence and quantum computing.
Or I should say, on the second, the inverse of that, how quantum computing can affect what we already do today and the threats that will emerge from successful quantum computing, the primary risk there, of course, being a privacy one, right?
Like everyone's worried that quantum computers will lead to the ability to decrypt information that is currently otherwise very well protected. A privacy issue, a privacy issue.
There's no secure network, period. Right, you can't. I mean, there's no way to get around, like, even if you have a VPN, you mean that assumption of compromise that I love to go back to.
Yeah, yeah, I think it's. It is mostly a foregone conclusion with many security folks that the assumption of compromise is the best way to treat your networks. I say most security people because not everyone has adopted a zero trust mentality, much less the framework, another framework put forth by NIST, zero trust, right.
Reauthenticate all the things, right? Like nothing should get. There should be no implicit or inherent trust throughout the systems and the network. One should assume that compromise can and/or does already exist, and so you should compartmentalize and check those things. That assumption of compromise is, I think, very alive and well in this part of the conversation.
Hmm, should zero trust be a separate framework than CSF? Now that we're talking about it, I, I understand the differences between what they are intended to, to do and describe. One is implicitly just about infrastructure and the other is a much larger component of that. Yeah, I'll just continue to be grumpy about the privacy and security.
Look, maybe it's because that's what we do here. This is, this show is rooted in privacy and security. Not security, not privacy, but privacy and security, for a reason. What we really dig into here is where that intersection of those two things live, and I think there's.
We will continue to see failures and be able to protect ourselves, even against ransomware, when the number one threat is availability. The number one threat posed by ransomware is availability and we keep treating it like a confidentiality problem. Fail when we keep treating privacy as something separate and distinct and the cybersecurity necessity fail.
In your opinion, what kind of challenges do you think organizations, especially like smaller firms, might face when implementing a framework like the 2.0? Do you have any concerns there?
Really it's not. It's not a lot of small organizations won't be audited against it. I think it is difficult for many small organizations to implement the cybersecurity framework. I think what's important for those folks is to be able to have access to a service provider that can assist.
Having in-house expertise to cover off on these critical things is going to be difficult. The framework, however, the place to start, if you are a smaller entity, is with the Identify, right? Like, you need to understand your risk. What are your risks? You need to know what they are. If you are small, you need to know what they are.
That being said, when you are small, the answer is also somewhat fairly easy. It's everything. You can't really absorb the blow of a ransomware impact. If you get hit with ransomware, even a 50,000 or five ransom can really, really, really impact your business. It can shutter your doors. We have watched it happen.
Arguably, for some of those folks, for a lot of small folks, the place to start is at Protect. It's at Protect and then measure the gap between what you have. But you can arguably get closer to protecting, air quotes, everything when you are small. Just run to that, if for no other reason than the risk of being impacted by something like ransomware.
I'm just going to use that because it's the highest ROI attackers have these days and it's not going anywhere. But if the risk of ransomware putting you out of business is real, then I might argue you should fast forward right to Protect.
Anything beyond AI and quantum computing that NIST should consider already? Well, I guess, on top of combining the privacy framework, is there anything that you can think of from your perspective on something they should be looking already at implementing for the next phase?
of the future. I'm out here armchair quarterbacking, but for the record, I did submit some of this feedback during an open call for feedback, so none of what I'm saying here is new. At the moment.
It has been a very long time, that we, 200 episodes and counting at this point, that we've been talking about that intersection of security and privacy, of just how intertwined they are. I went through the thing and I submitted that feedback. I don't think I have anything else that's really salient to call out here. I want to give credit where credit's due.
This update is amazing. This update is incredible. I'm excited to watch folks adopt this in the real world. I'm hopeful that it's also an opportunity for some of those organizations that had not gotten to maturity, and maybe they take this opportunity to get to maturity now on 2.0. This is kick butt. This is absolutely kick butt. I think we have worked it.
I think we have. I know we have worked it, I know we have. Well, yeah, to that point, wake up, people. Wake up.
If you haven't done anything yet, you might want to jump on it. Now's a good time.
Now's a good time. Now's a good time because it's live.
It's not just a draft. It happened, it's real, it's real.
There's a lot of good things in this. Yeah, absolutely. I think one of the most, yeah, one of the best parts about it, too, is it introduces organizational context. It's at the top of the governance chart. An organizational context is a thing that's been missing from a lot of cybersecurity practice. A lot of cybersecurity practice.
It is the thing that is missing from a lot of privacy practice. That lack of organizational context is what leads to such exposures.
Well, give us your thoughts, people, listeners. If you have any insights or questions, please shoot them our way, unless I disagree with them.
in which case, yeah, bring those too.
Gabe wants it. He's just saying that he doesn't want it, but please send them, add him, add him. It's okay, he probably won't even read it. He tries to stay off the socials, so you can email him here at, that's GABR. Yeah, yeah, yeah. Well, Gabe, good stuff.
Love to see this and we'll stay on alert for any other new changes in anything with the privacy framework, if there's any. But we will at NIST and see if somebody will respond to us on that, or maybe we'll bring them on the show. Yeah, right on, cool, thanks for coming this week and we'll see you guys next week.
And let's, Gabe, you had anything, let's go, all right, see you later.
