Risk
10/7/2013
02:12 PM
50%
50%

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

But there is a way for firms to potentially participate in the executive order's cybersecurity framework and shield themselves from liability through existing legislation. This protection comes through the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act). Part of the Homeland Security Act of 2002, the SAFETY Act is intended to promote developing and deploying anti-terrorism technologies by creating systems of "risk" and "litigation management." The law covers technologies such as products, devices, equipment, services, cyber-related items such as information technologies and networks and integrated systems.

The legislation applies to an "act of terrorism" that may include cyber terrorism. Among other things, the SAFETY Act uses the DHS definition of a terrorist act as an unlawful activity that causes harm, including financial damage, to a person, property, or entity in the United States or U.S. people or organizations overseas, explained Dismas Locaria, a Venable partner specializing in government contracts and homeland security issues.

Locaria notes that the SAFETY Act provides organizations with three levels of protection: certification; designation; and developmental, testing and evaluation designation (DTED). Certification offers the highest level of confidence, designation refers to systems that are proven to be effective, and DTED status is for technologies that require additional evidence to prove their effectiveness.

The SAFETY Act offers organizations with significant benefits; for example, certification status offers immunity from third-party liability as the result of a terrorist attack. Designation status provides a variety of protections: a predetermined cap on insurance premiums related to terrorist activities, exclusive jurisdiction in federal court, claims consolidation, no joint and several liability for noneconomic damages, a bar on noneconomic damages unless the plaintiff suffers physical harm, no punitive damages and prejudgment interest, and plaintiff's recovery is reduced by collateral sources. DTED also has the same benefits as designation, but for only three years, Locaria added.

Firms can get protection under the Act by conducting an internal technology assessment and submitting an application to the DHS's Office of Safety Act Implementation (OSAI). The firms are then reviewed for compliance -- a process that takes about four months -- before the DHS either approves or rejects the application. Although it is not a panacea, Locaria said that the law is an additional tool for companies to use when assessing their vulnerability to cyber attack.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and goverment can figure out the best ways to protect the nationGÇÖs
critical, privately held infrastructure from
cyberattack. It involves both incentives and regulations. The Executive Order order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cyberrsecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS)
that has overall responsibility for developing a set of incentives to get critical
infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.