The systems that run our nation’s critical infrastructure such as the electric grid, our drinking water, our trains, and other transportation are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats, and protecting this critical infrastructure from cyber threats is among our highest security priorities. That is why, earlier this year, the President signed an Executive Order designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. The Order does this by focusing on three key areas: information sharing, privacy, and adoption of cybersecurity practices.
To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk. These are the known practices that many firms already do, in part or across the enterprise and across a wide range of sectors. The draft Framework will be complete in October. After a final Framework is released in February 2014, we will create a Voluntary Program to help encourage critical infrastructure companies to adopt the Framework.
While this effort is underway, work on how to incentivize companies to join a Program is also under consideration. While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments. As directed in the EO, the Departments of Homeland Security, Commerce, and Treasury have identified potential incentives and provided their recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.
Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders. We believe that sharing the findings and our plans for continued work will promote transparency and sustain a public conversation about the recommendations. Publishing these agency reports is therefore an interim step and does not indicate the Administration’s final policy position on the recommend actions.
The recommendations were developed in a relatively short time frame and with the understanding that the Cybersecurity Framework and Voluntary Program are still under development. Yet, they incorporate significant feedback from many of our stakeholders, including the critical infrastructure community, through the DHS-led existing public-private partnerships with critical infrastructure, and a Notice of Inquiry issued by the Commerce Department. Although each agency prepared separate reports, these reports are complementary. Taken as a whole, the reports point to eight areas where the agencies recommend action to establish incentives to support voluntary adoption of the Cybersecurity Framework.
Some of the recommended incentives can be put in place quickly under existing authorities after the Voluntary Program is established. Others would require legislative action and additional maturation of the Cybersecurity Framework and Voluntary Program, along with further analysis and dialogue between the Administration, Congress, and private sector stakeholders. We are currently working with the appropriate agencies to prioritize each incentive area and move forward.
These areas include:
Cybersecurity Insurance — Agencies suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program. The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market. The Commerce Department’s National Institute of Standards and Technology is taking steps to engage the insurance industry in further discussion on the Framework. This process should continue as the Framework is developed and the Voluntary Program is created.
Grants — Agencies suggested leveraging federal grant programs. Agencies suggest incentivizing the adoption of the Framework and participation in the Voluntary Program as a condition or as one of the weighted criteria for federal critical infrastructure grants. Over the next six months, agencies will develop such criteria for consideration.
Process Preference — Agencies offered suggestions on a range of government programs in which participating in the Voluntary Program could be a consideration in expediting existing government service delivery. For example, the government sometimes provides technical assistance to critical infrastructure. Outside of incident response situations, the government could use Framework adoption and participation in the Voluntary Program as secondary criteria for prioritizing who receives that technical assistance. The primary criteria for technical assistance would always remain the criticality of the infrastructure, but for non-emergency situations, technical assistance could be seen as an additional benefit that could help to drive adoption. Agencies currently have the authority to act in these areas without further legislation. As we work with the private sector over the next six months to develop the Voluntary Program, we will simultaneously identify and examine specific programs where this approach could be helpful
Liability Limitation — Agencies pointed to a range of areas where more information is necessary to determine if legislation to reduce liability on Program participants may appropriately encourage a broader range of critical infrastructure companies to implement the Framework. These areas include reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements. As the Framework is developed, agencies will continue to gather information about the specific areas identified in the reports related to liability limitation.
Streamline Regulations — Agencies will continue to ensure that the Framework and the Voluntary Program interact in an effective manner with existing regulatory structures. As the Framework and Voluntary Program are developed, agencies will recommend other areas that could help make compliance easier, for example: eliminating overlaps among existing laws and regulation, enabling equivalent adoption across regulatory structures, and reducing audit burdens.
Public Recognition — Agencies suggested further exploration on whether optional public recognition for participants in the Program and their vendors would be an effective means to incentivize participation. DHS will work with the critical infrastructure community to consider areas for optional public recognition as they work together to develop the Voluntary Program.
Rate Recovery for Price Regulated Industries — Agencies recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.
Cybersecurity Research — Once the Framework is complete, agencies recommended identifying areas where commercial solutions are available to implement the Framework and gaps where those solutions do not yet exist. The government can then emphasize research and development to meet the most pressing cybersecurity challenges where commercial solutions are not currently available.
While these reports do not yet represent a final Administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order. We will be making more information on these efforts available as the Framework and Program are completed.