The executive cyber machine continues to hum along. Last month, the White House previewed possible “cyber incentives” that could coax private industry into following the cyber “best practices” that the government will promulgate in the not-too-distant future. The target audience is critical infrastructure: private companies that provide services so vital to the nation’s day-to-day function that the government feels obligated to ensure their resilience. Think standard utilities like water and electricity, cell phone and internet service, and banking.
Seven months ago, on February 12, 2013, President Obama signed Executive Order 13636, which called for a three-part approach to mitigating the cyber threats that the nation's critical infrastructure faces – information sharing, privacy protections, and cybersecurity practices. In an effort to promote the last of these three, the White House has been working with critical infrastructure owners and operators to define a set of best practices that it will eventually consolidate into a "Cybersecurity Framework." The Framework would become the standard for a "Voluntary Program" in which critical infrastructure companies participate. The hitch, however, is how to convince those private sector companies to actually join the Program.
Foreseeing this obstacle, the White House included a provision in the Executive Order that asked the Departments of Homeland Security, Treasury, and Commerce to brainstorm ways in which the government could encourage the private sector to voluntarily adopt the Cybersecurity Framework. The latest milestone came on August 6, 2013, when the White House announced what those Departments had recommended. Although the current Department proposals are not final by any stretch of the imagination, the White House deliberately relayed them to the public, trying to promote the public-private discourse on the subject.
Though not all are true “incentives,” suggestions include conditioning federal grants on adherence to the Cybersecurity Framework, allowing regulated utilities to recoup the costs of cyber investments, and highlighting areas where additional cybersecurity research is needed. Other items of particular interest include:
• Cybersecurity insurance. This has been a darling of various industry and lobbying groups for some time and may very well find its way into the final incentives. Whether the government becomes an independent insurer, or merely encourages the development of a private sector model, remains to be seen.
• Process preference. Although the White House insists that emergency aid will always be unconditional, other less urgent forms of assistance may become contingent upon adherence to the Framework.
• Liability limitation. Recent history on the Hill suggests that this will likely be the most controversial of the proposals. Some flavors include reduced tort liability, limited indemnity, federal preemption of certain state disclosure requirements, and higher burdens of proof. DHS specifically drew attention to the possibility of expanded SAFETY Act liability protections.
• Streamlined regulations. This suggestion echoes many of the sentiments expressed by the government contracting industry – that the patchwork of cyber regulations needs to be clarified – as seen in comments submitted to the GSA and DOD regarding how to best incorporate cybersecurity standards into government procurement. (For those of you keeping track, we are still awaiting the final report.)
• Public recognition. Many argue that market forces can encourage private companies to independently adopt better cybersecurity measures, or to willingly join the government’s Voluntary Program. One push in this direction could be the government’s public acknowledgment of those who do so.
The end goal is a system in which the government, private industry, and ultimately the users of critical infrastructure services all come out winners – safer from cyber vulnerabilities. Recognizing the need for a few carrots is a good first step, and we will continue to monitor the White House's progress towards the Cybersecurity Framework and Voluntary Program. Notably, the latest draft of the Cybersecurity Framework can be found here, with a final version due in February next year.