Risk
10/7/2013
02:12 PM
50%
50%

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

But there is a way for firms to potentially participate in the executive order's cybersecurity framework and shield themselves from liability through existing legislation. This protection comes through the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act). Part of the Homeland Security Act of 2002, the SAFETY Act is intended to promote developing and deploying anti-terrorism technologies by creating systems of "risk" and "litigation management." The law covers technologies such as products, devices, equipment, services, cyber-related items such as information technologies and networks and integrated systems.

The legislation applies to an "act of terrorism" that may include cyber terrorism. Among other things, the SAFETY Act uses the DHS definition of a terrorist act as an unlawful activity that causes harm, including financial damage, to a person, property, or entity in the United States or U.S. people or organizations overseas, explained Dismas Locaria, a Venable partner specializing in government contracts and homeland security issues.

Locaria notes that the SAFETY Act provides organizations with three levels of protection: certification; designation; and developmental, testing and evaluation designation (DTED). Certification offers the highest level of confidence, designation refers to systems that are proven to be effective, and DTED status is for technologies that require additional evidence to prove their effectiveness.

The SAFETY Act offers organizations with significant benefits; for example, certification status offers immunity from third-party liability as the result of a terrorist attack. Designation status provides a variety of protections: a predetermined cap on insurance premiums related to terrorist activities, exclusive jurisdiction in federal court, claims consolidation, no joint and several liability for noneconomic damages, a bar on noneconomic damages unless the plaintiff suffers physical harm, no punitive damages and prejudgment interest, and plaintiff's recovery is reduced by collateral sources. DTED also has the same benefits as designation, but for only three years, Locaria added.

Firms can get protection under the Act by conducting an internal technology assessment and submitting an application to the DHS's Office of Safety Act Implementation (OSAI). The firms are then reviewed for compliance -- a process that takes about four months -- before the DHS either approves or rejects the application. Although it is not a panacea, Locaria said that the law is an additional tool for companies to use when assessing their vulnerability to cyber attack.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and goverment can figure out the best ways to protect the nationG«÷s
critical, privately held infrastructure from
cyberattack. It involves both incentives and regulations. The Executive Order order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cyberrsecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS)
that has overall responsibility for developing a set of incentives to get critical
infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-2157
Published: 2015-03-27
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.