In February, President Obama signed an Executive Order designed to increase the level of core capabilities to manage cyber-risk to the systems that run the nation’s critical infrastructure, such as the electric grid, drinking water systems, trains and other transportation and so on. The creation of the Cybersecurity Framework, spearheaded by NIST, is a key part of the effort. Michael Daniel, special assistant to the president and the cybersecurity coordinator for the White House, explained in a blog that the government is aware that barriers to adoption exist. For instance, there is a challenge of clearly identifying the benefits of making certain cybersecurity investments. To help ease or balance out that financial burden, the White House is exploring some carrots for program participants.
A series of reports and recommendations from various agencies, including the Department of Homeland Security and the Commerce Department, have been consolidated into eight areas for potential incentives. Some can be implemented quickly, but some would require legislative action and further analysis and dialogue between the administration, Congress and private sector stakeholders. All of them are merely ideas at this point, but some industry-watchers point out that the White House is on the right track.
"I think incentivizing adoption of the framework is a good idea...Although not all of the incentives are likely to be implemented, and some might be more effective than others, some of the proposals can indeed be quantified, and will help infosec personnel build the case for the CxO-level folks to allocate funding to implement the new voluntary framework,” said David Pack, director of LogRhythmLabs, in an email to Infosecurity.
In terms of specifics, agencies for instance suggested that the insurance industry be engaged to build underwriting practices that promote the adoption of cyber-risk-reducing measures and risk-based pricing, to foster a competitive cyber-insurance market.
Agencies also recommended making adoption of the Framework a condition or a weighted criterion for federal critical infrastructure grants, or giving program participants the ability to expedite existing government service delivery.
“For example, the government sometimes provides technical assistance to critical infrastructure,” Daniel said. “Outside of incident response situations, the government could use Framework adoption and participation in the voluntary program as secondary criteria for prioritizing who receives that technical assistance. The primary criteria for technical assistance would always remain the criticality of the infrastructure, but for non-emergency situations, technical assistance could be seen as an additional benefit that could help to drive adoption.”
Another suggestion is to use legislation to reduce liability on program participants, to encourage a broader range of critical infrastructure companies to implement the Framework. These areas include reduced tort liability, limited indemnity, higher burdens of proof or the creation of a federal legal privilege that preempts state disclosure requirements.
Agencies also recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for Framework-related cybersecurity investments; further exploration on whether optional public recognition for participants in the program and their vendors would be an effective means to incentivize participation; and further exploration of areas that could help make compliance easier, like eliminating overlaps among existing laws and regulation, enabling equivalent adoption across regulatory structures and reducing audit burdens.
“While these reports do not yet represent a final administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order,” Daniel said. “We will be making more information on these efforts available as the Framework and program are completed.”
These are all, it should be stressed, preliminary brainstorming concepts. "There is still a lot of work to do before the framework will be complete,” Pack added.
To wit, NIST must consolidate all of the work that was done by the hundreds of attendees of the third workshop, where the framework content was developed. Then, there will be a fourth workshop in September to prepare the results, and the preliminary framework will be published for public comment in October. Finally after a few months of public comment and additional updates and edits, the framework’s final version will be published by NIST.