This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by the NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous posts in the series are listed below.
With Monday being the deadline for filing comments on the RFI there are only four new comments posted on the NTIA site. The comments are from:
• Utilities Telecom Council; and
• DCS Corp
The comments from both DCS Corp and Romanosky address the issue of using insurance as part of the incentives package. Romanosky provides a detailed discussion of both the theoretical basis for cybersecurity insurance and how it could be used to incentivize increased cybersecurity protections. The DCS Corp comments focus on how meeting the standards of the Cybersecurity Framework could lessen the cost of such insurance. The Honeywell comments also briefly favorably address using cybersecurity insurance as tool to encourage voluntary framework compliance.
The comments from Utilities Telecom Council, not unexpectedly, focus on cybersecurity incentives from a utility perspective. It includes a brief discussion of tax incentives that could be applied to the situation. More importantly, though, it makes the case for centralizing and combining cybersecurity regulations to reduce the regulatory burden of trying to comply with multiple regulatory agencies.
Framework then Incentives
The Honeywell comments make another important point; it is difficult to talk about incentives to implement the Cybersecurity Framework without knowing what requirements may be included in the Framework. The comments then go on to reiterate comments that we have been hearing associated with CISPA; corporations need immunity from civil suits for sharing cybersecurity information with the government and acting in good faith on government supplied threat information, as well as immunity from anti-trust actions for cooperating and coordinating cybersecurity activities with other companies.
One Day Left
With only a single day left for submitting timely comments, it will be interesting to see how many additional comments will be submitted. So far, there has been no discussion about incentives for control system security incentives for either owner/operators or system vendors. It has been an extremely abbreviated comment period, but that was necessitated by the short time frame the President set forth in the cybersecurity EO.