In February, President Obama signed an Executive Order that put into motion a number of initiatives aimed at improving the cybersecurity posture of the “critical infrastructure” of the United States. Among the Order’s most significant provisions is Section 7, which directs the Commerce Department via its National Institute of Standards and Technology (NIST) to develop a voluntary Cybersecurity Framework for reducing cyber risks to critical infrastructure. The Framework must be technology neutral and include “standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risk.”
NIST is already well on its way to developing the Framework, which is expected to be widely influential. On July 1, NIST published a draft outline of the Framework, and NIST aims to publish a Draft Preliminary Cybersecurity Framework for stakeholder review and input in late August. In September, NIST will hold its fourth and final Framework workshop, which will focus on the August draft and other topics to be announced. NIST expects to publish the Preliminary Framework for formal public comment on October 10. Under the Executive Order, the Final Framework must be published by February 2014.
On July 30, the Senate Committee on Commerce, Science and Transportation unanimously approved the Cybersecurity Act of 2013, which would codify NIST’s role in developing the Cybersecurity Framework. The bill’s directives to NIST largely track the language contained in the Executive Order, and the bill further emphasizes that NIST should “coordinate closely and continuously” with the private sector in developing the Framework.
The Cybersecurity Act of 2013 has bipartisan support, having been written by Senators Rockefeller (D-WV) and Thune (R-SD), and it has received support from business associations. The U.S. Chamber of Commerce, which has opposed cybersecurity legislation establishing regulatory-based cybersecurity standards (including the Cybersecurity Act of 2012, also introduced by Sen. Rockefeller), has endorsed the Commerce Committee’s bill. The Chamber wrote that the “bill takes smart and practical steps” in authorizing NIST to collaborate with industry in developing the Framework. “[P]ublic-private collaboration is essential to successfully countering highly adaptive cybersecurity threats,” noted the Chamber, and the Chamber welcomed the bill’s narrowly tailored industry focus. The Software & Information Industry Association has also endorsed the legislation.
The bill does not include measures relating to information-sharing programs, which have been generally viewed by industry and key policy makers as important elements of cybersecurity legislation. Recent revelations regarding the National Security Agency’s data-gathering operations will make it more challenging to draft acceptable privacy and civil liberties protections into such information-sharing legislation. Nor does the bill include measures relating to new Securities and Exchange Commission disclosure requirements, despite significant attention to these topics by Sen. Rockefeller. In response to Sen. Rockefeller’s request earlier this year, however, SEC Chair Mary Jo White noted that her staff is conducting an internal review of whether additional or new cybersecurity disclosure guidance is needed.
Meanwhile, the White House is working on ways to incentivize industry to adopt the Framework. On August 6, the White House released “Incentives to Support Adoption of the Cybersecurity Framework,” which summarizes eight incentive areas identified by the Departments of Homeland Security, Commerce and Treasury:
- Cybersecurity Insurance: Collaborate with the insurance industry to “build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”
- Grants: Adoption of the Framework should be a condition or weighted criterion for receiving federal critical infrastructure grants.
- Process Preference: Prioritize delivering technical assistance to operators of critical infrastructure based in part on whether those operators have adopted the Framework. Adoption of the Framework would not, however, factor into the prioritization of assistance delivered in incident response situations.
- Liability Limitation: Agencies will consider whether reduced tort liability, limited indemnity, higher burdens of proof or the creation of a federal legal privilege preempting state disclosure requirements will encourage industry to adopt the Framework.
- Streamline Regulations: Agencies will work to streamline compliance obligations by, among other things, eliminating overlaps between the Framework and existing laws and regulations and allowing for equivalent adoption of the Framework across regulatory structures.
- Public Recognition: Consider whether giving those who adopt the Framework the option of receiving public recognition would incentivize participation.
- Rate Recovery for Price Regulated Industries: Consider whether the regulatory agencies that set utility rates should allow utilities to recover cybersecurity investments related to Framework adoption.
- Cybersecurity Research: Agencies recommend identifying where new solutions are needed to implement the Framework and supporting research and development to fill those gaps.
Because the Cybersecurity Act of 2013 codifies what the White House and agencies are already working to implement and because the bill has bipartisan support and the endorsement of business groups, the legislation has a reasonable chance of becoming law. With the draft Framework coming in a little more than a month, now is a good time for organizations of all types to consider the implications of these new cybersecurity standards.