02:12 PM

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

But there is a way for firms to potentially participate in the executive order's cybersecurity framework and shield themselves from liability through existing legislation. This protection comes through the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act). Part of the Homeland Security Act of 2002, the SAFETY Act is intended to promote developing and deploying anti-terrorism technologies by creating systems of "risk" and "litigation management." The law covers technologies such as products, devices, equipment, services, cyber-related items such as information technologies and networks and integrated systems.

The legislation applies to an "act of terrorism" that may include cyber terrorism. Among other things, the SAFETY Act uses the DHS definition of a terrorist act as an unlawful activity that causes harm, including financial damage, to a person, property, or entity in the United States or U.S. people or organizations overseas, explained Dismas Locaria, a Venable partner specializing in government contracts and homeland security issues.

Locaria notes that the SAFETY Act provides organizations with three levels of protection: certification; designation; and developmental, testing and evaluation designation (DTED). Certification offers the highest level of confidence, designation refers to systems that are proven to be effective, and DTED status is for technologies that require additional evidence to prove their effectiveness.

The SAFETY Act offers organizations with significant benefits; for example, certification status offers immunity from third-party liability as the result of a terrorist attack. Designation status provides a variety of protections: a predetermined cap on insurance premiums related to terrorist activities, exclusive jurisdiction in federal court, claims consolidation, no joint and several liability for noneconomic damages, a bar on noneconomic damages unless the plaintiff suffers physical harm, no punitive damages and prejudgment interest, and plaintiff's recovery is reduced by collateral sources. DTED also has the same benefits as designation, but for only three years, Locaria added.

Firms can get protection under the Act by conducting an internal technology assessment and submitting an application to the DHS's Office of Safety Act Implementation (OSAI). The firms are then reviewed for compliance -- a process that takes about four months -- before the DHS either approves or rejects the application. Although it is not a panacea, Locaria said that the law is an additional tool for companies to use when assessing their vulnerability to cyber attack.

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Chuck Brooks
Chuck Brooks,
User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and goverment can figure out the best ways to protect the nationGÇÖs
critical, privately held infrastructure from
cyberattack. It involves both incentives and regulations. The Executive Order order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cyberrsecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS)
that has overall responsibility for developing a set of incentives to get critical
infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.
User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio