Why NIST’s privacy framework could help security efforts

Written by

Although many people, even some cybersecurity practitioners, tend to conflate data security and data privacy as one and the same, privacy experts see them as two different, often contradictory, yet frequently overlapping objectives.

“We look at it as a Venn diagram,” Naomi Lefkovitz, privacy engineering program head at the National Institute of Standards and Technology (NIST), said during a plenary session here at NIST’s Cybersecurity Risk Management conference.

Lefkovitz is spearheading NIST’s initiative to create a Privacy Framework, along the lines of NIST’s successful Cybersecurity Framework, which could help pave the way toward the development of trustworthy information systems that protect privacy. From the Venn diagram perspective, the protection of individual privacy cannot be achieved by merely securing personally identifiable information (PII) because security risks arise from unauthorized system behavior while privacy risks arise as a byproduct of authorized PII. The area where security concerns overlap privacy concerns is the only area where true PII privacy currently occurs.

Privacy risk management is “understanding what the relationship is between privacy and cybersecurity and when they differ and what that means for privacy risk management,” Lefkovitz said. The goal of NIST’s Privacy Framework development is to take privacy risk management and integrate it into cybersecurity risk management to make it easier for cybersecurity professionals to incorporate privacy risk management into their efforts.

To get the ball rolling on the Privacy Framework, NIST held a kick-off workshop in Austin, Texas on Oct. 16 where “we heard clearly that organizations would like to use both the Cybersecurity Framework and the Privacy Framework,” Lefkovitz said. “We consistently heard an interest in interoperability” between the two.

One of the objectives of the Privacy Framework is to help organizations demonstrate, to themselves and to interested parties, including regulators, what “kind of privacy protections they have and whether they are meeting their objectives, whether they be legal or business” objectives.

Over the coming year, NIST will issue framework drafts for feedback, hold a series of workshops and briefings and engage in other activities to better define what’s needed to manage privacy risk. One of those additional activities is the possible launch of a privacy engineering collaboration space on GitHub where stakeholders “can come and see tools, put in tools,” Lefkovitz said.

“Privacy is so much more than protecting PII,” Jamie Danker, formerly of DHS and the U.S. Government Accountability Office and now Director of Privacy at Easy Dynamics Corp., said during a session on how to integrate privacy into NIST’s Cybersecurity Risk Management Framework. “There are all kinds of concerns for individuals as their data is held throughout the data cycle.”

Information systems should be designed to collect the minimum amount of data that can be placed at risk, Celeste Dade-Vinson, Senior Official for Privacy at the U.S. National Institutes of Health (NIH) said.

But, “a security engineer may not be thinking about the minimum amount of data necessary” when building a system’s defenses, Elizabeth Koran, Senior Policy Analyst at the Department of Health and Human Services said.

Aside from the frequent conflation of security and privacy, implementing privacy into cybersecurity risk management faces a number of barriers across organizations. For one thing, consistent stakeholder communications around the issues are difficult. “Our agency consists of 27 institutes and centers and everyone wants to do their own things 27 different ways,” NIH’s Dade-Vinson said. Yet another challenge is that privacy, unlike other aspects of system integrity, is not continuously monitored, so problems are hard to detect.

One big barrier that privacy advocates face within organizations, whether it be the federal government or private industry, is that while funds are made available for cybersecurity, privacy efforts typically go unfunded.

“We don’t have our own budget. We’re still being funded by our friends in security,” Koran said. “If you have a budget in privacy, that’s amazing,” Dade-Vinson echoed.