The federal government is planning to offer critical infrastructure companies incentives to join a voluntary program designed to improve cybersecurity.
The incentives are an outgrowth of the Executive Order on cybersecurity that President Obama signed earlier this year. According to the White House, the order focuses on information sharing, privacy and the adoption of cybersecurity best practices, and in keeping with those principles the government is working with critical infrastructure owners to create a Cybersecurity Framework.
“After a final Framework is released in February 2014, we will create a Voluntary Program to help encourage critical infrastructure companies to adopt the Framework,” blogged Michael Daniel, special assistant to the President and Cybersecurity Coordinator. “As directed in the EO [executive order], the Departments of Homeland Security, Commerce, and Treasury have identified potential incentives and provided their recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.”
“Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders,” he wrote.
These incentives include making participation in the voluntary program a condition of the weighted criteria for federal critical infrastructure grants. Other incentives include considering participation in the program as a secondary criterion for providing companies with technical assistance, and providing greater liability protection for participating companies that are attacked.
“The efforts to develop a Cybersecurity Framework called for by the president’s Executive Order are extremely important to upgrading the cybersecurity of our critical infrastructure,” said Mike Brown, vice president and general manager of federal business for EMC’s RSA security division. “In order to make those efforts more effective, the administration’s identification of incentives to help foster adoption of the voluntary program could provide some impetus to the framework’s adoption. Some of the more effective incentives still require legislative actions from Congress.”
David Pack, director of LogRhythm Labs, has been involved in the authoring of the Cybersecurity Framework. Incentivizing adoption of the framework is a good idea, he said, although not all of the incentives are likely to be implemented and some may be more effective than others.
“There is still a lot of work to do before the framework will be complete,” he said. “[The National Institute of Standards and Technology] NIST must consolidate all of the work that was done by the hundreds of attendees of the 3rd workshop, where the framework content was developed. There will be a 4th workshop in September to prepare the results, and the preliminary framework will be published for public comment in October. Finally after a few months of public comment and additional updates/edits, the framework’s final version will be published by NIST.”
