White House Previews Potential Incentives for Voluntary Cyber Framework

By Kate M. Growley, CIPP/G, CIPP/US & Elizabeth Blumenfeld on September 11, 2013

The executive cyber machine continues to hum along. Last month, the White House previewed possible “cyber incentives” that could coax private industry into following the cyber “best practices” that the government will promulgate in the not-too-distant future. The target audience is critical infrastructure: private companies that provide services so vital to the nation’s day-to-day function that the government feels obligated to ensure their resilience. Think standard utilities like water and electricity, cell phone and internet service, and banking.

Seven months ago, on February 12, 2013, President Obama signed Executive Order 13636, which called for a three-part approach to mitigating the cyber threats that the nation’s critical infrastructures face – information sharing, privacy, and cybersecurity practices. In an effort to promote the last of these three, the White House has been working with critical industry owners and operators to define a set of best practices that it will eventually consolidate into a “Cybersecurity Framework.” The Framework would become the standard for a “Voluntary Program” in which critical infrastructure companies participate. The hitch, however, is how to convince those private sector companies to actually join the Program.

Foreseeing this obstacle, the White House included a provision in the Executive Order that asked the Departments of Homeland Security, Treasury, and Commerce to brainstorm ways in which the government could encourage the private sector to voluntarily adopt the Cybersecurity Framework. The latest milestone came on August 6, 2013, when the White House announced what those Departments had recommended. Although the current Department proposals are not final by any stretch of the imagination, the White House deliberately relayed them to the public, trying to promote the public-private discourse on the subject.

Though not all are true “incentives,” suggestions include conditioning federal grants on adherence to the Cybersecurity Framework, allowing regulated utilities to recoup the costs of cyber investments, and highlighting areas where additional cybersecurity research is needed. Other items of particular interest include:

• Cybersecurity insurance. This has been a darling of various industry and lobbying groups for some time and may very well find its way into the final incentives. Whether the government becomes an independent insurer, or merely encourages the development of a private sector model, remains to be seen.

• Process preference. Although the White House insists that emergency aid will always be unconditional, other less urgent forms of assistance may become contingent upon adherence to the Framework.

• Liability limitation. Recent history on the Hill suggests that this will likely be the most controversial of the proposals. Some flavors include reduced tort liability, limited indemnity, federal preemption of certain state disclosure requirements, and higher burdens of proof. The DHS specifically drew attention to the possibility of expanded SAFETY Act liability protections.

• Streamlined regulations. This suggestion echoes many of the sentiments expressed by the government contracting industry – that the patchwork of cyber regulations needs to be clarified – as seen in comments submitted to the GSA and DOD regarding how to best incorporate cybersecurity standards into government procurement. (For those of you keeping track, we are still awaiting the final report.)

• Public recognition. Many argue that market forces can encourage private companies to independently adopt better cybersecurity measures, or to willingly join the government’s Voluntary Program. One push in this direction could be the government’s public acknowledgment of those who do so.

The end goal is a system in which the government, private industry, and ultimately the users of critical infrastructure services all come out winners – safer from cyber vulnerabilities. Recognizing the need for a few carrots is a good first step, and we will continue to monitor the White House’s progress towards the Cybersecurity Framework and Voluntary Program. Notably, the latest draft of the Cybersecurity Framework can be found here, with a final version due in February next year.

Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a partner in the Washington, D.C. office of Crowell & Moring. She is a member of the Steering Committee for the firm’s Privacy & Cybersecurity Group, while working closely with the firm’s Government Contracts and Litigation Groups. Her practice covers a wide range of information security counseling and litigation engagements, including cybersecurity compliance, incident response, regulatory assessments and investigations, and disputes surrounding data breaches and trade secrets.

  • Posted in:
    Administrative, Corporate Compliance
  • Blog:
    Government Contracts Legal Forum
  • Organization:
    Crowell & Moring LLP