This is part of a continuing series of blog posts looking at
the responses to a
joint request for information (RFI) from the National Telecommunications
and Information Administration (NTIA) and the National Institute of Standards
and Technology (NIST) to support their development of incentives to adopt the
improved cybersecurity practices being developed by the NIST as part of the
Cybersecurity Framework mandated by the President’s executive order on
cybersecurity (EO 13636).
The previous posts in the series are listed below.
As expected there were a large number of comments left this
week. The RFI
called for a close on comments by April 29th, but it is apparent
that this was not a hard close date as the comments listed on the RFI site
include comments submitted on May 3rd. It will be interesting to see
if additional comments are posted to the site next week.
There are now a total of 45 comments listed on the web site.
They represent a broad cross section of industry and public sector organizations
with a heavy dose of electrical generation/transmission representation. There
is only one chemical company listed (Monsanto; okay biochemical) and four
organizations that represent, to some degree, chemical manufacturing interests.
They are:
• Monsanto

Incentives Not Necessary
The API reports that they do not think that incentives are
really necessary. They claim that most oil and gas companies already take
cybersecurity seriously because they recognize the threat to their businesses.
They provide a listing of programs in which the industry is already participating.
These include:
• API’s IT Security Subcommittee;
• Project LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity);
• DHS Cyber Information Sharing and Collaboration Program; and
• Oil and Natural Gas Sector Coordinating Councils Cybersecurity Working Group.
The AFPM echoes this point about self-interest, noting that: “AFPM
members operate multi-billion dollar facilities and are extremely motivated to
protect their companies, even without government incentives.” (pg 2)
They also report that: “AFPM
members are large businesses and have the benefit of employing security
professionals who have knowledge of current cybersecurity risks and
mitigations.” (pg 3).
Program Measures
Monsanto takes a slightly different view of incentives than
most people would when using the term. They are looking more at programmatic features,
including:
• Protection of sensitive information;
• Sharing of technical threat indicators and periodic briefings;
• Increased sponsorship of security clearances; and
• Clear scope and definition of “critical infrastructure”.
The AGA comments echo the comments about information
sharing, noting that of the potential incentives mentioned in the RFI, the one
that seems to be missing “is liability protection for information sharing”
(pg 1). They also note that: “The potential for releasing information through
the Freedom of Information Act (FOI) is one of our major concerns.” (pg 2).
The Chamber of Commerce is concerned about the flexibility
and responsiveness of any federal cybersecurity program, reporting that “any
cybersecurity regime that industry believes would favor compliance and bureaucracy
over creativity, speed, and innovation would almost certainly create a powerful
disincentive (sic) to
participation by critical infrastructure owners and operators” (pg 2).
Legislation
The Chamber makes it clear in their comment that they feel
that cybersecurity legislation is required for an effective program. They emphasize
that such legislation should address information sharing liability protections,
establishing general liability protections for program participants, and
extending the liability protections of the SAFETY Act.
Moving Forward
With the official comment period now closed, the Department
of Commerce will begin working on their report to the President on
potential incentives that may be used to encourage voluntary participation in
the Cybersecurity Framework currently under development. It really is a shame
that the President’s EO set these two development programs working
simultaneously. The incentives development program would probably be more
effective if the actual Framework were already in existence so that particular
incentives could be proposed for particular parts of the Framework.