Showing posts with label Incentives. Show all posts

Saturday, August 10, 2013

Incentives for Implementing Cybersecurity Framework

There has been a lot of focus in the press (even Dale Peterson got into discussing it on DigitalBond) about the White House announcement earlier this week about the incentives that are being considered by the Administration to encourage high-risk critical infrastructure organizations to implement the Cybersecurity Framework (which is still under development).
Most of those folks have been concentrating on the blog post from Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, over at the WhiteHouse.gov (and reposted at the DHS Blog site).

The decision-making process on which incentives will actually be proposed is far from over (many will have to go to Congress for implementation), especially since the Framework itself still has so far to go (the next Workshop will be working on the next-to-final draft of the preliminary version of the Framework that will be published in October). What the Administration presented this week was an initial analysis of which incentives could be considered and a look at the strong and weak points of each of the major contenders.

The meat of the proposal was linked to in Michael’s blog post, but the links were not very obvious, and in some cases there were multiple links to go through to get to the actual information. So here is a full listing of the links to the documents that the President’s staff will be considering in developing the President’s plan to move the Cybersecurity Framework into full implementation.


Michael does a pretty good job summarizing the data. He breaks the incentives down into eight general categories:

• Cybersecurity Insurance;
• Grants;
• Liability Limitation;
• Streamline Regulations;
• Public Recognition;
• Rate Recovery for Price Regulated Industries;
• Cybersecurity Research.


I’ll take a little bit closer look at each of these in the coming weeks.

Sunday, May 5, 2013

Comments on Incentives to Adopt Improved Cybersecurity Practices – 05-04-13


This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous posts in the series are listed below.


As expected, there were a large number of comments left this week. The RFI called for comments to close by April 29th, but it is apparent that this was not a hard close date, as the comments listed on the RFI site include comments submitted on May 3rd. It will be interesting to see if additional comments are posted to the site next week.

There are now a total of 45 comments listed on the web site. They represent a broad cross section of industry and public sector organizations, with a heavy dose of electrical generation/transmission representation. There is only one chemical company listed (Monsanto; okay, biochemical) and four organizations that represent, to some degree, chemical manufacturing interests. They are:

Monsanto

Incentives Not Necessary

The API reports that they do not think that incentives are really necessary. They claim that most oil and gas companies already take cybersecurity seriously because they recognize the threat to their businesses. They provide a listing of programs in which the industry is already participating. These include:

• API’s IT Security Subcommittee;
• Project LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity);
• DHS Cyber Information Sharing and Collaboration Program; and
• Oil and Natural Gas Sector Coordinating Councils Cybersecurity Working Group.

The AFPM echoes this point about self-interest noting that: “AFPM members operate multi-billion dollar facilities and are extremely motivated to protect their companies, even without government incentives.” (pg 2)

They also report that: “AFPM members are large businesses and have the benefit of employing security professionals who have knowledge of current cybersecurity risks and mitigations.” (pg 3).

Program Measures

Monsanto takes a slightly different view of incentives than most people would associate with the term. They are looking more at programmatic features, including:

• Protection of sensitive information;
• Sharing of technical threat indicators and periodic briefings;
• Increased sponsorship of security clearances; and
• Clear scope and definition of “critical infrastructure”.

The AGA comments echo the comments about information sharing, noting that of the potential incentives mentioned in the RFI, the one that seems to be missing “is liability protection for information sharing” (pg 1). They also note that: “The potential for releasing information through the Freedom of Information Act (FOI) is one of our major concerns.” (pg 2).

The Chamber of Commerce is concerned about the flexibility and responsiveness of any federal cybersecurity program, reporting that “any cybersecurity regime that industry believes would favor compliance and bureaucracy over creativity, speed, and innovation would almost certainly create a powerful disincentive (sic) to participation by critical infrastructure owners and operators” (pg 2).

Legislation

The Chamber makes it clear in their comment that they feel that cybersecurity legislation is required for an effective program. They emphasize that such legislation should address information sharing liability protections, establishing general liability protections for program participants, and extending the liability protections of the SAFETY Act.

Moving Forward

With the official comment period closed, the Department of Commerce will now begin working on its report to the President on potential incentives that may be used to encourage voluntary participation in the Cybersecurity Framework currently under development. It really is a shame that the President’s EO set these two development programs working simultaneously. The incentives development program would probably be more effective if the actual Framework already existed, so that particular incentives could be proposed for particular parts of the Framework.

Sunday, April 28, 2013

Comments on Incentives to Adopt Improved Cybersecurity Practices – 04-27-13


This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous posts in the series are listed below.


With Monday being the deadline for filing comments on the RFI, there are only four new comments posted on the NTIA site. The comments are from:


Cybersecurity Insurance

The comments from both DCS Corp and Romanosky address the issue of using insurance as part of the incentives package. Romanosky provides a detailed discussion of both the theoretical basis for cybersecurity insurance and how it could be used to incentivize increased cybersecurity protections. The DCS Corp comments focus on how meeting the standards of the Cybersecurity Framework could lessen the cost of such insurance. The Honeywell comments also briefly and favorably address using cybersecurity insurance as a tool to encourage voluntary Framework compliance.

Utility Compliance

The comments from the Utilities Telecom Council, not unexpectedly, focus on cybersecurity incentives from a utility perspective. They include a brief discussion of tax incentives that could be applied to the situation. More importantly, though, they make the case for centralizing and combining cybersecurity regulations to reduce the regulatory burden of trying to comply with multiple regulatory agencies.

Framework then Incentives

The Honeywell comments make another important point: it is difficult to talk about incentives to implement the Cybersecurity Framework without knowing what requirements may be included in the Framework. The comments then go on to reiterate comments that we have been hearing associated with CISPA; corporations need immunity from civil suits for sharing cybersecurity information with the government and for acting in good faith on government-supplied threat information, as well as immunity from anti-trust actions for cooperating and coordinating cybersecurity activities with other companies.

One Day Left

With only a single day left for submitting timely comments, it will be interesting to see how many additional comments will be submitted. So far, there has been no discussion of control system security incentives for either owner/operators or system vendors. It has been an extremely abbreviated comment period, but that was necessitated by the short time frame the President set forth in the cybersecurity EO.

Saturday, April 20, 2013

Comments on Incentives to Adopt Improved Cybersecurity Practices – 04-20-13


This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous post in the series is listed below.


This week there were only two responses to the RFI. They came from a lawyer, Gary Fresen, and from the Advanced Cyber Security Center (ACSC).

Private Sector Information Sharing Centers

The ACSC response proposes the establishment of four regional private sector entities to provide a forum for the discussion and dissemination of cybersecurity information, including threat and response information. It notes that these regional information sharing centers would be patterned on their own organization, which has successfully set up a forum in the Boston area for this type of information sharing, with weekly meetings allowing face-to-face exchanges.

Privileged Communications

Mr. Fresen proposes setting up a new class of privileged communications that would allow for the internal collection and analysis of cybersecurity information in critical infrastructure organizations and the privileged sharing of that information with the appropriate ISACs and CERTs. The detailed proposal includes legislative language for the establishment of that new class of privileged communications.

Moving Forward

As I noted in my post about the RFI, the short deadline for this RFI is necessitated by the time constraints set forth in the Executive Order. While it may be disappointing to see only a total of three comments submitted to date, it usually takes at least a month for corporate-type responses to these RFIs. With only nine days left in the comment period, I suspect that we will be seeing a number of comments coming in the next week.

Saturday, April 13, 2013

Comments on Incentives To Adopt Improved Cybersecurity Practices – 04-13-13


A number of Federal agencies in the last couple of weeks have asked for public comments on a wide variety of security-related measures that are being covered in this blog. One that hasn’t drawn much in the way of response is the NIST/NTIA request for comments on potential incentives that can be used by the Federal government to encourage the adoption of the improved cybersecurity practices outlined in the still-to-be-developed Cybersecurity Framework. To date only one comment has been received, and the closing date is just over two weeks away.

The one comment posted on the NTIA web site comes from Brian Rich and deals with the protections provided by the Protected Critical Infrastructure Information Program (PCII). While Brian is correct in that this program does provide for protection from certain disclosure requirements, there are some technical loopholes {including a specific statement that needs to be included in the disclosure document to claim PCII protections, 6 CFR §29.5(a)(3) } that need to be carefully understood by anyone desiring to claim PCII protections.

Thursday, March 28, 2013

Cybersecurity Incentives – Notice of Inquiry


Today the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) co-published a notice of inquiry in the Federal Register (78 FR 18954-18955) looking for information to support the development of incentives to adopt the improved cybersecurity practices to be developed by NIST as part of the President’s Cybersecurity Executive Order (EO 13636).

According to the notice summary the inquiry is designed to support the Department of Commerce’s incentives effort in three ways:

• Analysis of the benefits and relative effectiveness of such incentives;
• Whether the incentives would require legislation or can be provided under existing law, and
• Whether the incentives could be applied to US industry as a whole.

The Department asked a similar set of questions in 2010 (75 FR 44216) and plans to incorporate the results of that request into their report to the President which will be submitted no later than June 12th, 2013. In this inquiry NIST/NTIA would like respondents to the earlier request to comment on whether or not their earlier comments are still applicable.

The notice also provides a lengthy list of questions to which it would like all interested parties to respond. Those responses may be sent to NTIA (cyberincentives@ntia.doc.gov) and must be received by April 29th, 2013. The short response time is necessitated by the deadline for having a report to the President. Comments will be made available on the Internet Policy Task Force web page. 

Thursday, July 26, 2012

Analysis of S 3414 – Voluntary Cybersecurity Program


This is part of an ongoing in-depth review of the provisions of S 3414, the Cybersecurity Act of 2012, that will be of interest to the control systems community. The earlier posts in the series were:


NOTE: The GPO now has a copy of this bill available.

As anyone that has been reading the various news stories about S 3414 already probably knows, the heart of the difference between this bill and S 2151, at least for critical infrastructure cybersecurity, is that the program is voluntary. That, along with the incentives to encourage voluntary participation, is addressed in §104.

The Voluntary Program


The National Cybersecurity Council, within one year of the passage of this bill, is required {§104(a)(1)} to establish the Voluntary Cybersecurity Program for Critical Infrastructure. While this is to be specifically designed for designated critical cyber infrastructure, the bill also requires {§104(a)(2)(B)} the establishment of criteria for owners of other facilities to apply for certification under the Program.

Any owner operator applying for certification under the Program will “select and implement cybersecurity measures of their choosing that satisfy the outcome-based cybersecurity practices established under section 103” {§104(a)(3)(A)}. At that point the owner will have one of two options to establish the adequacy of their cybersecurity measures {§104(a)(3)(B)}:

• Certify in writing and under penalty of perjury to the Council that the owner has developed and effectively implemented cybersecurity measures; or

• Submit to the Council an assessment verifying that the owner has developed and effectively implemented cybersecurity measures.

While the first option should be cheaper in the short run, paying someone to conduct the assessment may avoid the problem ‘under penalty of perjury’ might pose if there is a subsequent successful attack on the system.

To ensure that assessments are conducted by reputable and properly skilled professionals, the Council will “enter into agreements with qualified third party private entities, to conduct assessments that use reliable, repeatable, performance-based evaluations and metrics to assess whether an owner certified under subsection (a)(3)(B)(ii) is in compliance with all applicable cybersecurity practices” {§104(b)(1)}.

In either case, when the Council is notified that the owner has an adequate cybersecurity program implemented, it is required {§104(a)(4)} to certify that owner.

Checking Security


While the Council is required to accept either the owner’s self-certification or the third-party assessment, the bill does provide that in the event that the Council becomes aware (either through actual knowledge or a reasonable suspicion) “that the certified owner is not in compliance with the cybersecurity practices or any other risk-based factors as identified by the Council” {§104(b)(3)}, the Council may conduct its own assessment of those security practices.

Once again, though, since there is no authorization for a Council staff or any specific funding for the Council, any such assessment will have to be done for the Council by some other entity. The wording in this section, however, does not appear to authorize the use of another entity.

Incentives for Participation


Since participation in the Voluntary Cybersecurity Program for Critical Infrastructure is mainly voluntary, the crafters knew that they had to offer some sort of incentives to encourage the participation of as many of the identified critical cyber infrastructure entities as possible. The incentives provided in this bill include {§104(c)}:

• Limitations on civil liability;

• Expedited security clearance process;

• Prioritized technical assistance;

• Provision of cyber threat information;

• Public recognition; and

• Procurement preference.

Much has been made in the press about the civil liability protections provided in this bill. There are, as one would expect, a number of different specifications, limitations and exceptions to that protection. A number of common lawyer type phrases have been added to this paragraph {§104(c)(1)} to limit the applicability of the ‘protections’; they include ‘punitive damages’, ‘substantial compliance’, ‘harm directly caused by’ and ‘additional or intervening acts or omissions’. Still, in the event of a significant attack, the limited protections could be significant.

The other benefits will provide some level of incentive, but it is not clear that they would be enough to justify the costs of the cybersecurity measures that will likely be required. The one possible exception is the last incentive, a Federal procurement preference. Unfortunately, the bill doesn’t actually provide this incentive; it just requires {§104(c)(6)} that a study be conducted about the potential use of such a preference. There is no time limit on conducting the study nor is there any provision for implementing the incentive if the study results are encouraging.