TechWeb

Infrastructure Cybersecurity: Carrots And Sticks

Oct 07, 2013 (10:10 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240162354


Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
Industry leaders and federal policy makers have been in discussions for years on how to better protect the nation's critical, privately held infrastructure from cybersecurity attacks. But for a number of reasons, including pushback on liability issues, comprehensive legislation has been stalled in Congress and is unlikely to get attention anytime soon. That leaves an executive order issued by President Obama aimed at improving critical infrastructure the only game in town for the foreseeable future.

A key part of the executive order, known as E.O. 13636, calls for setting up a voluntary cybersecurity framework that can be adopted by companies. The National Institute of Standards and Technology (NIST) is responsible for working on the framework, while the Department of Homeland Security (DHS) has overall responsibility for developing a set of incentives to get critical infrastructure owners and operators to participate.

Among the incentives being discussed are tax credits, revenue recovery, insurance bundles and liability protections, but in most cases, that will require new legislation. Because of the rancor on Capitol Hill, the chances appear slim for any legislation to be passed in the next six months -- when the final framework is due to be issued. The framework promises to take into account many of the practices and concerns industry has to offer. But because the president's executive order offers no immediate promise of liability protections from lawsuits relating to cyber attacks, businesses leaders are antsy about participating.

[ Federal officials say government shutdown is an invitation to hackers. Read more at Shutdown Heightens Cybersecurity Risks, Feds Warn. ]

Nevertheless, those following NIST's efforts surrounding the executive order see headway in talks with industry. And existing legislation could give private sector firms a way to protect themselves using the executive order, according to legal experts.

Many of the proposed incentives have already been discussed with industry leaders at NIST workshops held around the country, according to Jason Wool, an attorney at the law firm Venable, which specializes in cybersecurity issues relating to energy and regulatory sectors.

The most promising of the NIST suggestions focused on remediation and liability limitation, Wool said during a Sept. 25 forum seminar on the cybersecurity framework.

There was generally strong consensus in the NIST workshops with private industry for government to collaborate with the insurance industry, Wool said. The advantage of this approach is that private industry gets to drive the process. But the challenge is that both industry and government are unsure about how to go about launching such an undertaking. If it can be carried off, it would provide a baseline for risk management of cyber threats, but he cautioned that cybersecurity insurance is still in its infancy, noting that there is a lack of case data with which to build a baseline.

The other incentive is liability limitation, which has been heavily discussed in all of the NIST workshops. But at the moment, all of the groups reported that liability limitation for cyber attacks should continue to be studied and recommended that no procedures be implemented before more data is available. Wool explained that legislation could create legal safe harbors for firms, but he noted that there is a good possibility that any cybersecurity legislation will be postponed until next year.

Cybersecurity Incentives for the private sector, and how they might be structured, also remain unclear. A major question with incentives is whether market-based incentives, such as insurance for cyber attacks, will be enough to get firms to participate. Wool said that the DHS recently recommended bundling liability limitations together with legal rules. However, he added that the downside to this approach is that it would require legislation.

Owners of critical infrastructure may be liable under existing legislation if an attack causes financial or physical damage, Wool said. One example is that cyberattacks on infrastructure, such as the Stuxnet attacks on Iranian nuclear fuel processing machinery, can cause physical damage. "We know that cyberattacks can affect the real world," Wool said. Attacks have the potential to disrupt business operations, which can lead a variety of lawsuits. However, he added, firms are not likely to get any liability coverage for cyberattacks under the new infrastructure being established.




But there is a way for firms to potentially participate in the executive order's cybersecurity framework and shield themselves from liability through existing legislation. This protection comes through the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act). Part of the Homeland Security Act of 2002, the SAFETY Act is intended to promote developing and deploying anti-terrorism technologies by creating systems of "risk" and "litigation management." The law covers technologies such as products, devices, equipment, services, cyber-related items such as information technologies and networks and integrated systems.

The legislation applies to an "act of terrorism" that may include cyber terrorism. Among other things, the SAFETY Act uses the DHS definition of a terrorist act as an unlawful activity that causes harm, including financial damage, to a person, property, or entity in the United States or U.S. people or organizations overseas, explained Dismas Locaria, a Venable partner specializing in government contracts and homeland security issues.

Locaria notes that the SAFETY Act provides organizations with three levels of protection: certification; designation; and developmental, testing and evaluation designation (DTED). Certification offers the highest level of confidence, designation refers to systems that are proven to be effective, and DTED status is for technologies that require additional evidence to prove their effectiveness.

The SAFETY Act offers organizations with significant benefits; for example, certification status offers immunity from third-party liability as the result of a terrorist attack. Designation status provides a variety of protections: a predetermined cap on insurance premiums related to terrorist activities, exclusive jurisdiction in federal court, claims consolidation, no joint and several liability for noneconomic damages, a bar on noneconomic damages unless the plaintiff suffers physical harm, no punitive damages and prejudgment interest, and plaintiff's recovery is reduced by collateral sources. DTED also has the same benefits as designation, but for only three years, Locaria added.

Firms can get protection under the Act by conducting an internal technology assessment and submitting an application to the DHS's Office of Safety Act Implementation (OSAI). The firms are then reviewed for compliance -- a process that takes about four months -- before the DHS either approves or rejects the application. Although it is not a panacea, Locaria said that the law is an additional tool for companies to use when assessing their vulnerability to cyber attack.