This post was written by Timothy J. Nagle.
On Tuesday, the White House cybersecurity coordinator posted a blog on the White House website describing incentives that may be made available to private sector “owners and operators.” The blog reviews the purpose of the Executive Order (information sharing, privacy and adoption of cybersecurity practices) that was issued earlier this year and the resulting NIST Cybersecurity Framework process, but it is also noteworthy for two reasons. It focuses on systems that run elements of the national infrastructure “…such as the electric grid, our drinking water, our trains, and other transportation.” This underscores the shifting cybersecurity focus from telecommunications and financial services to other infrastructure sectors. The second interesting element is the list of incentives under consideration. Among the eight listed, the most promising and consequential include the engagement of the insurance industry to build underwriting practices (implicitly based on the Framework), limitation on liability for companies that implement the Framework, and “public recognition” for program participants. Of most interest to the Energy industry and other utilities is the suggested incentive that “…regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.”
The “Voluntary Program” mentioned in the blog is described on the NIST Cybersecurity Framework website as the final stage of implementation, following a draft Framework for stakeholder review, a workshop in September, the release of a draft for public comment, and issuance of the final Framework document early next year. The most recent update from NIST described the current status of the work and included the concept of Framework Implementation Levels, which were introduced in the July outline. The elements of the Framework are consistently described as prioritized, flexible, repeatable, cost-effective, and risk-based. NIST and other government participants stress that the participation of the private sector is essential, that the resulting standards must be consistent with current industry practice, and that they must not conflict with existing regulation or create new rules.
This was underscored by the Director of NIST in testimony to the Senate Commerce Committee at a hearing held on July 25, 2013, entitled “The Partnership Between NIST and the Private Sector: Improving Cybersecurity.” A week after the hearing, the Committee approved the Cybersecurity Act of 2013. This bill essentially codifies the role the President assigned to NIST in the executive order, i.e., to facilitate and support the development of voluntary, industry-led standards and best practices on an ongoing basis to reduce cyber risks to critical infrastructure. The bill also contains provisions for research and development, education, and workforce development in cybersecurity. The bill explicitly does not confer any new regulatory authority. Another aspect missing from the bill is cyber threat information sharing, which raises privacy and liability concerns and has frustrated prior attempts to pass cyber legislation. The bill is supported by most industry organizations, including the National Association of Manufacturers and energy and financial services industry trade associations.
It would appear the White House, the Congress and much of the private sector have come to recognize NIST as an honest broker in the cybersecurity standards development process. This is a positive development and will most likely lead to a Framework that reflects current practice but will be sufficiently flexible to accommodate future technologies and threats. The real area of contention will be around implementation, adoption and obligations that may result.