In 2011 and 2012, Congress unsuccessfully tried to pass comprehensive cybersecurity legislation aimed at protecting the United States from a “digital Pearl Harbor” that would disrupt American infrastructure such as banks, power systems, water treatment plants, trains and aviation systems.
In February 2013, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” announcing a public-private partnership between the federal government and owners and operators of “critical infrastructure” to create a “Cybersecurity Framework” (the Framework). The Framework is intended to establish a set of voluntary standards and best practices for protecting critical infrastructure from cyber attacks. The agencies involved include the Department of Homeland Security (DHS), the Department of the Treasury, the Department of Commerce and, within Commerce, the National Institute of Standards and Technology (NIST), which is leading development of the Framework.
To develop the Framework, NIST has issued a request for information, has conducted three workshops and has scheduled a fourth workshop for September 11-13, 2013. A discussion draft of the Framework, issued on August 28, 2013, proposes five core functions around which the Framework could be organized: Identify, Protect, Detect, Respond and Recover. A preliminary draft of the Framework is expected in October 2013, with the final version due in February 2014.
Creation of a “Cybersecurity Framework” has practical implications for companies even if they are not part of the nation’s “critical infrastructure,” a term whose scope DHS is to determine under the Executive Order. First, the Framework could become a standard of care against which companies are judged when cybersecurity breaches occur. Second, businesses receiving federal contracts or grants may find that their agreements incorporate portions of the Framework. Third, the Framework may serve as a due diligence yardstick, used internally or by outside parties, for measuring the strength of a company’s cyber-defenses; insurance companies also may use it as an underwriting baseline for cybersecurity insurance. Fourth, the Framework may guide the efforts of the Securities and Exchange Commission (SEC), which is considering whether to require publicly traded companies to disclose more information regarding cyber-risks.
In addition, on August 6, 2013, the White House proposed “a Voluntary Program to help encourage critical infrastructure companies to adopt the Framework” once the Framework is finalized. The proposed Voluntary Program would include incentives designed to overcome barriers to adoption. Suggested incentives include cybersecurity insurance underwriting standards; federal grants for implementation of the Framework; limitations on liability for companies that adhere to the Framework; and a “process preference” under which the federal government would give companies participating in the Voluntary Program priority when they request government technical assistance. The incentives are to be developed over the next six months. Some can be put in place without new legal authority, but others will require rulemaking by agencies or legislative action by Congress.
The Commerce Department has called for further study before any liability limitations are adopted, noting that the Department is “not aware of any tort claims against critical infrastructure providers for loss resulting from a cyber attack.” For more information, see page 14 of the Department’s Discussion of Recommendations to the President on Incentives for Critical Infrastructure Owners and Operators to Join a Voluntary Cybersecurity Program.
Companies should closely track the development of the Cybersecurity Framework as part of their cybersecurity compliance process so they can better protect their intellectual property, customer data and company information. For more information, please contact Jackson Moore.