Risk
10/7/2013
02:12 PM
Connect Directly
RSS
E-Mail
50%
50%

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

But there is a way for firms to potentially participate in the executive order's cybersecurity framework and shield themselves from liability through existing legislation. This protection comes through the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act). Part of the Homeland Security Act of 2002, the SAFETY Act is intended to promote developing and deploying anti-terrorism technologies by creating systems of "risk" and "litigation management." The law covers technologies such as products, devices, equipment, services, cyber-related items such as information technologies and networks and integrated systems.

The legislation applies to an "act of terrorism" that may include cyber terrorism. Among other things, the SAFETY Act uses the DHS definition of a terrorist act as an unlawful activity that causes harm, including financial damage, to a person, property, or entity in the United States or U.S. people or organizations overseas, explained Dismas Locaria, a Venable partner specializing in government contracts and homeland security issues.

Locaria notes that the SAFETY Act provides organizations with three levels of protection: certification; designation; and developmental, testing and evaluation designation (DTED). Certification offers the highest level of confidence, designation refers to systems that are proven to be effective, and DTED status is for technologies that require additional evidence to prove their effectiveness.

The SAFETY Act offers organizations with significant benefits; for example, certification status offers immunity from third-party liability as the result of a terrorist attack. Designation status provides a variety of protections: a predetermined cap on insurance premiums related to terrorist activities, exclusive jurisdiction in federal court, claims consolidation, no joint and several liability for noneconomic damages, a bar on noneconomic damages unless the plaintiff suffers physical harm, no punitive damages and prejudgment interest, and plaintiff's recovery is reduced by collateral sources. DTED also has the same benefits as designation, but for only three years, Locaria added.

Firms can get protection under the Act by conducting an internal technology assessment and submitting an application to the DHS's Office of Safety Act Implementation (OSAI). The firms are then reviewed for compliance -- a process that takes about four months -- before the DHS either approves or rejects the application. Although it is not a panacea, Locaria said that the law is an additional tool for companies to use when assessing their vulnerability to cyber attack.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and goverment can figure out the best ways to protect the nationGÇÖs
critical, privately held infrastructure from
cyberattack. It involves both incentives and regulations. The Executive Order order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cyberrsecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS)
that has overall responsibility for developing a set of incentives to get critical
infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.