Risk
10/7/2013
02:12 PM
50%
50%

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
Industry leaders and federal policy makers have been in discussions for years on how to better protect the nation's critical, privately held infrastructure from cybersecurity attacks. But for a number of reasons, including pushback on liability issues, comprehensive legislation has been stalled in Congress and is unlikely to get attention anytime soon. That leaves an executive order issued by President Obama aimed at improving critical infrastructure the only game in town for the foreseeable future.

A key part of the executive order, known as E.O. 13636, calls for setting up a voluntary cybersecurity framework that can be adopted by companies. The National Institute of Standards and Technology (NIST) is responsible for working on the framework, while the Department of Homeland Security (DHS) has overall responsibility for developing a set of incentives to get critical infrastructure owners and operators to participate.

Among the incentives being discussed are tax credits, revenue recovery, insurance bundles and liability protections, but in most cases, that will require new legislation. Because of the rancor on Capitol Hill, the chances appear slim for any legislation to be passed in the next six months -- when the final framework is due to be issued. The framework promises to take into account many of the practices and concerns industry has to offer. But because the president's executive order offers no immediate promise of liability protections from lawsuits relating to cyber attacks, businesses leaders are antsy about participating.

[ Federal officials say government shutdown is an invitation to hackers. Read more at Shutdown Heightens Cybersecurity Risks, Feds Warn. ]

Nevertheless, those following NIST's efforts surrounding the executive order see headway in talks with industry. And existing legislation could give private sector firms a way to protect themselves using the executive order, according to legal experts.

Many of the proposed incentives have already been discussed with industry leaders at NIST workshops held around the country, according to Jason Wool, an attorney at the law firm Venable, which specializes in cybersecurity issues relating to energy and regulatory sectors.

The most promising of the NIST suggestions focused on remediation and liability limitation, Wool said during a Sept. 25 forum seminar on the cybersecurity framework.

There was generally strong consensus in the NIST workshops with private industry for government to collaborate with the insurance industry, Wool said. The advantage of this approach is that private industry gets to drive the process. But the challenge is that both industry and government are unsure about how to go about launching such an undertaking. If it can be carried off, it would provide a baseline for risk management of cyber threats, but he cautioned that cybersecurity insurance is still in its infancy, noting that there is a lack of case data with which to build a baseline.

The other incentive is liability limitation, which has been heavily discussed in all of the NIST workshops. But at the moment, all of the groups reported that liability limitation for cyber attacks should continue to be studied and recommended that no procedures be implemented before more data is available. Wool explained that legislation could create legal safe harbors for firms, but he noted that there is a good possibility that any cybersecurity legislation will be postponed until next year.

Cybersecurity Incentives for the private sector, and how they might be structured, also remain unclear. A major question with incentives is whether market-based incentives, such as insurance for cyber attacks, will be enough to get firms to participate. Wool said that the DHS recently recommended bundling liability limitations together with legal rules. However, he added that the downside to this approach is that it would require legislation.

Owners of critical infrastructure may be liable under existing legislation if an attack causes financial or physical damage, Wool said. One example is that cyberattacks on infrastructure, such as the Stuxnet attacks on Iranian nuclear fuel processing machinery, can cause physical damage. "We know that cyberattacks can affect the real world," Wool said. Attacks have the potential to disrupt business operations, which can lead a variety of lawsuits. However, he added, firms are not likely to get any liability coverage for cyberattacks under the new infrastructure being established.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and goverment can figure out the best ways to protect the nationG«÷s
critical, privately held infrastructure from
cyberattack. It involves both incentives and regulations. The Executive Order order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cyberrsecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS)
that has overall responsibility for developing a set of incentives to get critical
infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.