Incentivizing the Cybersecurity Framework: Getting Industry to Adopt the Recommended Best Practices
You'd think that preventing damage caused by cyber-attacks would be incentive enough to get organizations to voluntarily adopt cybersecurity best practices.
But when President Obama proposed the cybersecurity framework a year ago, he knew that some critical infrastructure operators would need additional incentives to voluntarily adopt a proper IT security program (see Obama Issues Cybersecurity Executive Order). That's why in his executive order that led to the issuance of the cybersecurity framework last week, the president called on the departments of Commerce, Homeland Security and Treasury to suggest incentives and analyze their benefits and relative effectiveness (see NIST Releases Cybersecurity Framework).
Incentives, in cybersecurity framework parlance, encompass a wide range of offerings or conditions that promote adoption of the framework. Incentives could include technical and public policy measures that improve cybersecurity without creating barriers to innovation, economic growth and the free flow of information.
The voluntary cybersecurity framework, as issued last week, did not include any incentives. But as Adam Sedgewick, the National Institute of Standards and Technology official shepherding the framework, points out, the framework is a living, evolving document, with future renditions to incorporate a series of incentives (see On Deck: The Cybersecurity Framework).
White House Cybersecurity Coordinator Michael Daniel says more details about potential incentives will be shared in the coming months as the administration solicits feedback.
Yet, a senior administration official speaking on background contends, the best driver for adoption and use of the framework ultimately will be the marketplace. "Don't get me wrong, I think the government-based incentives are really important for us to pursue," the official says. "But at the end of the day, it's the market that's got to drive the business case for the cybersecurity framework. The federal government is going to do its best to make the costs of using the framework lower, and the benefits of the framework higher. But it's the market that's going to ultimately make this work."
Speaking last week just after the publication of the cybersecurity framework, Ari Schwartz, White House director of cybersecurity privacy, civil liberties and policy, picked up on that theme: "Incentives will help and that's the reason we're spending a lot of time on it. But because of the great support we've had from industry, [incentives are] proving not to be as essential as some commentators have said they would be."
Commerce, DHS and Treasury issued their recommendations on incentives last spring, and White House Cybersecurity Coordinator Michael Daniel offered his analysis in August (see Cybersecurity Framework: Making It Work).
What's on the table so far, based on the departments' recommendations:
- Cyber-Insurance: The insurance industry and government should jointly develop underwriting practices to promote the adoption of risk-reducing measures and risk-based pricing and foster a competitive cyber-insurance market. "We've been engaged in very serious discussions with the various insurance companies to talk about what's needed to actually get a cyber-insurance market really thriving," a senior administration official says.
- Grants: Agencies are considering whether to require adoption of the framework as a condition for federal critical infrastructure grants.
- Technical help: Adoption of the framework could be a secondary criterion for determining which critical infrastructure operators receive technical assistance from the government. "The primary criteria for technical assistance would always remain the criticality of the infrastructure, but for non-emergency situations, technical assistance could be seen as an additional benefit that could help to drive adoption," Daniel says.
- Liability limits: Under consideration are laws to reduce tort liability, limit indemnity and require higher burdens of proof.
- Streamline regulations: Agencies will consider eliminating overlaps among existing laws and regulations and reducing audit burdens.
- Public recognition: DHS officials are considering an optional public recognition for organizations, and their vendors, who voluntarily adopt the framework.
- Rate recovery for price-regulated industries: Also under consideration is allowing utilities to recover, through higher rates, cybersecurity investments related to complying with the framework and participating in the program. "It is important that the federal government and the states speak with one voice on cybersecurity and support the recovery of the costs of protecting critical infrastructure and information against the perpetrators of cyber-attacks," says Joseph Rigby, chief executive of Pepco Holdings, an energy distribution company. "We expect these expenses to continue to rise as standards evolve and new threats arise."
- Cybersecurity research: Government agencies will identify whether any necessary technologies to implement the framework are not yet available in the market. Agencies will then recommend research and development to develop those technologies.
Getting Congressional Help
"As these plans develop," the senior administration official says, "they'll be shared publicly over the next few months and will include details on how to get engaged in the process."
Some incentives might require congressional approval, but getting lawmakers to agree on anything could prove problematic in a divisive Congress. "It's no surprise that legislation doesn't move very fast through Congress right now," the senior administration official says, "so I don't think that we are hinging our strategy in this space on congressional action, but we'll get back there when we think it's necessary."