Incentives for Cybersecurity Framework Adoption Remain Uncertain
The Cybersecurity Act of 2013 (S-1353) passed the Senate Commerce Committee with broad industry support just prior to the August recess; the bill would authorize the National Institute of Standards and Technology (NIST) to focus on cybersecurity, including its ongoing work with industry to develop a voluntary cybersecurity framework (CD July 31 p1).
While the bill has support from industry, it does not include possible incentives to encourage industry adoption of the framework once the final version goes public -- and experts say they believe incentives that require action from Congress may not be available in the near future amid concerns about legislative gridlock (CD July 22 p10). The structure of incentives depends on the composition of the final version of the NIST framework, said Allan Friedman, research director at the Brookings Institution’s Center for Technology Innovation. But if some incentives aren’t available, there may be a self-motivated push for widespread adoption of the framework in some sectors in order to forestall future attempts to require adoption, he told us.
Uncertainty over the final structure of incentives for the framework’s adoption stems from the fact that “we don’t know what’s going to come out of the NIST process” yet, Friedman said. NIST will hold its final framework workshop Sept. 11-13 at the University of Texas at Dallas, and plans to release a preliminary version of the framework Oct. 10. President Barack Obama’s cybersecurity executive order, which tasked NIST with facilitating the framework’s development (CD Feb 14 p1), “directed the agency to be all things to all people,” which makes it difficult to strike the right balance on security standards, Friedman said.
The challenge with designing such standards is that NIST can mandate specific behaviors -- and be vulnerable to charges that the standards are too expensive to implement and not flexible enough -- or it can mandate risk assessment behavior, Friedman said. Mandating risk assessment behavior “can work if done well, but if it’s done poorly it will be ineffective,” he said. “You risk producing a voluntary Sarbanes-Oxley for information security wherein the intention is there to have every organization thoroughly understand their risk and come up with a mitigation approach, with some guidance for doing that. But in practice, it could turn out to be the Consultant and Auditor Full Employment Act.” The Sarbanes-Oxley Act sets requirements for which financial records a corporation must store and the duration such records must be stored; the Securities and Exchange Commission oversees compliance.
The White House is continuing to explore possible incentives in consultation with the departments of Commerce, Homeland Security and Treasury. The three agencies submitted reports to the White House Office of Management and Budget in June on the feasibility of possible incentives. DHS examined possible incentives from the viewpoint of its mission of creating security and fixing identified failures, but Commerce and Treasury focused more on business-oriented matters, Friedman said. Commerce examined possible incentives from the viewpoint of supporting American businesses, he said. Its recommendations will focus on preventing further regulation and giving American businesses the tools they need in order to function -- more information sharing, along with some standards and some circulation of best practices, Friedman said.
Treasury’s examination of incentives focused exclusively on what would best benefit the financial services industry, Friedman said. Monetary incentives are unlikely to “make a measurable blip” for financial institutions because they deal in such large amounts of money already, he said. Treasury instead looked at points in the decisionmaking process where small incentives “could make a difference,” and at ways to adopt the framework without “extensively changing business practices,” Friedman said. The financial sector also appears to have the strongest inherent market incentive to adopt the framework because it has the “most immediate and evident exposure to cyber risk,” he said. The Financial Services Information Sharing and Analysis Center, which disseminates physical and cyberthreat information to the financial sector, is the “most successful ISAC in terms of enabling information sharing and enabling cooperation between market actors,” Friedman said.
Incentives are certainly “very important, but equally important has been industry participation to make sure the framework is something we can get on board with when it comes out,” said Danielle Coffey, Telecommunications Industry Association general counsel. “Incentives would be icing on the cake after the fact. I think industry would respond positively if they are crafted in a way that’s workable.” Coffey said TIA doesn’t have a preference for any one particular possible incentive, but noted that liability protections for information sharing and those related to compliance with the framework would potentially be effective.
Market-based incentives -- particularly encouraging the insurance industry to reward adoption of the framework with reduced premiums -- are the best option, said Chad Sweet, CEO and co-founder of the Chertoff Group. New liability protections for companies that share incident information should also be in the mix where appropriate, he said. “We’d love to see potential [Support Anti-Terrorism by Fostering Effective Technologies] Act liability provisions for those innovating in the space,” Sweet said. “For those investing and adopting best practices, some types of consideration should be given to tax deductions and other types of economic incentives to reward good behavior.”
The White House appears to be “holding off for the moment” on pushing for a strong regulatory response to cybersecurity concerns, with the voluntary framework being the administration’s response to its inability to get a more regulation-based cybersecurity agenda through the 112th Congress, Friedman said. The Obama administration and proponents of a regulatory approach may be looking ahead to the framework’s implementation so they can “keep an eye on how different market actors are responding and cooperating,” as they determine how they can improve things a year down the road, Friedman said. “If things fail, they can use that to support the need for further regulation,” he said. “Certain sectors are also going to be keeping an eye on this and say ‘it’s important for us to cooperate with NIST in this initiative because that in turn allows us to defend ourselves if this new voluntary structure isn’t working.’” Some agencies already have the power to use the framework for regulatory purposes, Friedman said. “In the energy sector, for instance, it would be pretty easy to use existing regulatory authority to enforce those standards,” he said.