Risk
10/7/2013
02:12 PM
50%
50%

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
Industry leaders and federal policy makers have been in discussions for years on how to better protect the nation's critical, privately held infrastructure from cybersecurity attacks. But for a number of reasons, including pushback on liability issues, comprehensive legislation has been stalled in Congress and is unlikely to get attention anytime soon. That leaves an executive order issued by President Obama aimed at improving critical infrastructure the only game in town for the foreseeable future.

A key part of the executive order, known as E.O. 13636, calls for setting up a voluntary cybersecurity framework that can be adopted by companies. The National Institute of Standards and Technology (NIST) is responsible for working on the framework, while the Department of Homeland Security (DHS) has overall responsibility for developing a set of incentives to get critical infrastructure owners and operators to participate.

Among the incentives being discussed are tax credits, revenue recovery, insurance bundles and liability protections, but in most cases, that will require new legislation. Because of the rancor on Capitol Hill, the chances appear slim for any legislation to be passed in the next six months -- when the final framework is due to be issued. The framework promises to take into account many of the practices and concerns industry has to offer. But because the president's executive order offers no immediate promise of liability protections from lawsuits relating to cyber attacks, businesses leaders are antsy about participating.

[ Federal officials say government shutdown is an invitation to hackers. Read more at Shutdown Heightens Cybersecurity Risks, Feds Warn. ]

Nevertheless, those following NIST's efforts surrounding the executive order see headway in talks with industry. And existing legislation could give private sector firms a way to protect themselves using the executive order, according to legal experts.

Many of the proposed incentives have already been discussed with industry leaders at NIST workshops held around the country, according to Jason Wool, an attorney at the law firm Venable, which specializes in cybersecurity issues relating to energy and regulatory sectors.

The most promising of the NIST suggestions focused on remediation and liability limitation, Wool said during a Sept. 25 forum seminar on the cybersecurity framework.

There was generally strong consensus in the NIST workshops with private industry for government to collaborate with the insurance industry, Wool said. The advantage of this approach is that private industry gets to drive the process. But the challenge is that both industry and government are unsure about how to go about launching such an undertaking. If it can be carried off, it would provide a baseline for risk management of cyber threats, but he cautioned that cybersecurity insurance is still in its infancy, noting that there is a lack of case data with which to build a baseline.

The other incentive is liability limitation, which has been heavily discussed in all of the NIST workshops. But at the moment, all of the groups reported that liability limitation for cyber attacks should continue to be studied and recommended that no procedures be implemented before more data is available. Wool explained that legislation could create legal safe harbors for firms, but he noted that there is a good possibility that any cybersecurity legislation will be postponed until next year.

Cybersecurity Incentives for the private sector, and how they might be structured, also remain unclear. A major question with incentives is whether market-based incentives, such as insurance for cyber attacks, will be enough to get firms to participate. Wool said that the DHS recently recommended bundling liability limitations together with legal rules. However, he added that the downside to this approach is that it would require legislation.

Owners of critical infrastructure may be liable under existing legislation if an attack causes financial or physical damage, Wool said. One example is that cyberattacks on infrastructure, such as the Stuxnet attacks on Iranian nuclear fuel processing machinery, can cause physical damage. "We know that cyberattacks can affect the real world," Wool said. Attacks have the potential to disrupt business operations, which can lead a variety of lawsuits. However, he added, firms are not likely to get any liability coverage for cyberattacks under the new infrastructure being established.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
WKash
50%
50%
WKash,
User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and goverment can figure out the best ways to protect the nationG«÷s
critical, privately held infrastructure from
cyberattack. It involves both incentives and regulations. The Executive Order order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cyberrsecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS)
that has overall responsibility for developing a set of incentives to get critical
infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?