The Department of Commerce, National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) have requested comment by April 29, 2013, on issues relating to the voluntary adoption of cybersecurity standards by owners and operators of critical infrastructure, such as utilities.
While the Notice of Inquiry (NOI) is focused on the development of a voluntary cybersecurity program and incentives for critical infrastructure companies to participate in the program, the Department of Commerce stated that it may also use the input it receives to develop a broader set of recommendations that apply to U.S. industry as a whole. The Department of Commerce has also suggested that there may be legal and economic incentives and consequences for companies, such as legal safe harbors to commercial entities that participate in the program, requirements for companies to join the program prior to receiving government financial guarantees or assistance in relevant sectors, and incentives that hold companies accountable for failure to meet standards of reasonable care that results in loss due to inadequate security measures. Given the program’s potential impact on the critical infrastructure industry, any company that owns or operates critical infrastructure should consider filing comments in this proceeding.
Below is a brief summary of the Executive Order that launched this latest cybersecurity initiative, as well as a brief summary of the NOI itself.
On February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which warned that “repeated cyber intrusions into America’s critical infrastructure demonstrate a need for improved cybersecurity.” The Executive Order establishes a policy of enhancing the security of the Nation’s critical infrastructure through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards. Among other things, the Executive Order implements the following steps:
The Department of Homeland Security (DHS) will use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in “catastrophic regional or national effects” on public health or safety, economic security, or national security;
NIST will develop a Cybersecurity Framework to address cyber risks; and
DHS, in coordination with sector-specific agencies, will develop the Critical Infrastructure Cybersecurity Program to promote the voluntary adoption of NIST’s Cybersecurity Framework.
Notice of Inquiry
The Department of Commerce has been tasked with evaluating incentives to promote the voluntary participation by owners and operators of critical infrastructure in the DHS Critical Infrastructure Cybersecurity Program. The Department of Commerce will rely upon the comments it receives in response to the NOI to develop its recommendations on possible incentives for critical infrastructure owners, including the benefits and relative effectiveness of such incentives and whether these incentives would require federal legislation or can be provided under existing law.
The NOI seeks comment on a range of issues from all stakeholders, including:
How does your company assess the costs and benefits of enhancing cybersecurity?
What are the best ways to encourage businesses to make investments in cybersecurity that are appropriate for the risks they face?
How do businesses measure success and cost-effectiveness of their current cybersecurity programs?
Are there disincentives or barriers that inhibit cybersecurity investments?
For companies that are already subject to cybersecurity requirements, what is the cost of compliance and is it burdensome relative to other costs of doing business?
What efforts should be taken to promote the adoption of the Cybersecurity Framework?
What are the merits of providing legal safe harbors to commercial entities that participate in the Critical Infrastructure Cybersecurity Program?