White House details initial ideas for industry cyber incentives

Wednesday - 8/7/2013, 6:28am EDT

The White House is reviewing eight recommendations to get industry to adopt the cybersecurity framework currently under development by the National Institute of Standards and Technology and the private sector.

The departments of Commerce, Homeland Security and Treasury submitted suggestions to the White House on what incentives the government can offer to induce critical infrastructure providers to use the cybersecurity framework to improve their systems and networks.

"The recommendations were developed in a relatively short time frame and with the understanding that the Cybersecurity Framework and Voluntary Program are still under development," wrote Michael Daniel, the White House cybersecurity coordinator, in a blog post published Tuesday. "Yet, they incorporate significant feedback from many of our stakeholders, including the critical infrastructure community, through the DHS-led existing public-private partnerships with critical infrastructure, and a Notice of Inquiry issued by the Commerce Department."

President Barack Obama called for the framework in his February 2013 executive order. NIST will complete the draft framework by October and finalize it by February.

NIST has held a series of listening sessions to gather feedback on the framework. The next one is scheduled for Sept. 11 in Dallas.

Additionally, the General Services Administration released a request for information to the public in May asking for comments or suggestions on which acquisition incentives would help get companies to adopt the cybersecurity framework.

Daniel wrote that the three agencies came up with eight recommendations:

  • Cyber insurance: The government should work with the insurance industry to "build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market."

  • Grants: Over the next six months, agencies will develop weighted criteria to be used in federal grant applications.

  • Process preference: The government would put companies participating in the voluntary program on a priority list to deliver services, and provide technical assistance more quickly to critical infrastructure providers as needed. "As we work with the private sector over the next six months to develop the Voluntary Program, we will simultaneously identify and examine specific programs where this approach could be helpful."

  • Liability limitation: Agencies identified a range of areas where more information is needed to determine whether legislation to reduce liability for program participants may be necessary. These areas include reduced tort liability, limited indemnity, lower burdens of proof, or the creation of a federal legal privilege that preempts state disclosure requirements.

  • Streamline regulations: The goal would be to make compliance easier for program volunteers by, for instance, eliminating overlapping laws and regulations, enabling equivalent adoption across regulatory structures and reducing audit burdens.

  • Public recognition: DHS would come up with ways to highlight those companies implementing the framework.

  • Rate recovery for price-regulated industries: The idea is to see if state and local regulators would consider letting utilities recover money for cyber investments made to comply with the framework.

  • Cybersecurity research: Agencies would identify areas where commercial hardware and software are available to implement the framework and where the gaps exist. The government would emphasize those gaps in research and development opportunities.

"Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders," Daniel wrote. "We believe that sharing the findings and our plans for continued work will promote transparency and sustain a public conversation about the recommendations. Publishing these agency reports is therefore an interim step and does not indicate the administration's final policy position on the recommended actions."

Larry Clinton, the president and CEO of the Internet Security Alliance, applauded the White House's release of the incentive suggestions.

Clinton said in a release that the incentives "will provide the sustainable fuel to power the engine of enhanced standards and practices being developed by NIST pursuant to the President's Executive Order."
