10/7/2013 02:12 PM

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

Iris Scans: Security Technology In Action
Industry leaders and federal policy makers have been in discussions for years on how to better protect the nation's critical, privately held infrastructure from cyberattack. But for a number of reasons, including pushback on liability issues, comprehensive legislation has stalled in Congress and is unlikely to get attention anytime soon. That leaves the executive order President Obama issued to improve critical infrastructure cybersecurity as the only game in town for the foreseeable future.

A key part of the executive order, known as E.O. 13636, calls for setting up a voluntary cybersecurity framework that can be adopted by companies. The National Institute of Standards and Technology (NIST) is responsible for working on the framework, while the Department of Homeland Security (DHS) has overall responsibility for developing a set of incentives to get critical infrastructure owners and operators to participate.

Among the incentives being discussed are tax credits, revenue recovery, insurance bundles and liability protections, but in most cases those will require new legislation. Because of the rancor on Capitol Hill, the chances appear slim for any legislation to pass in the next six months, the window in which the final framework is due to be issued. The framework promises to take into account many of the practices and concerns industry has to offer. But because the executive order offers no immediate promise of protection from lawsuits arising from cyberattacks, business leaders are wary of participating.

[ Federal officials say government shutdown is an invitation to hackers. Read more at Shutdown Heightens Cybersecurity Risks, Feds Warn. ]

Nevertheless, those following NIST's efforts surrounding the executive order see headway in talks with industry. And existing legislation could give private sector firms a way to protect themselves using the executive order, according to legal experts.

Many of the proposed incentives have already been discussed with industry leaders at NIST workshops held around the country, according to Jason Wool, an attorney at the law firm Venable who works on cybersecurity issues in the energy and regulated sectors.

The most promising of the NIST suggestions focused on remediation and liability limitation, Wool said during a Sept. 25 seminar on the cybersecurity framework.

There was generally strong consensus in the NIST workshops with private industry that government should collaborate with the insurance industry, Wool said. The advantage of this approach is that private industry gets to drive the process. The challenge is that both industry and government are unsure how to launch such an undertaking. If it can be carried off, it would provide a baseline for managing cyber risk, but he cautioned that cybersecurity insurance is still in its infancy: insurers lack the loss and claims data needed to price policies and build that baseline.

The other incentive is liability limitation, which has been heavily discussed in all of the NIST workshops. At the moment, however, all of the groups reported that liability limitation for cyberattacks should continue to be studied and recommended that no procedures be implemented before more data is available. Wool explained that legislation could create legal safe harbors for firms that adopt the framework, but he noted that any cybersecurity legislation will quite possibly be postponed until next year.

How cybersecurity incentives for the private sector might be structured also remains unclear. A major question is whether market-based incentives, such as insurance against cyberattacks, will be enough to get firms to participate. Wool said that DHS recently recommended bundling liability limitations together with legal rules. The downside of this approach, he added, is that it would require legislation.

Owners of critical infrastructure may already be liable under existing law if an attack causes financial or physical damage, Wool said. Cyberattacks on infrastructure can cause physical damage: Stuxnet, for example, damaged the centrifuges used in Iran's uranium enrichment program. "We know that cyberattacks can affect the real world," Wool said. Attacks also have the potential to disrupt business operations, which can lead to a variety of lawsuits. However, he added, firms are not likely to get any liability protection for cyberattacks under the new framework being established.

Comments
WKash, User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
Chuck Brooks, User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and government can figure out the best ways to protect the nation's critical, privately held infrastructure from cyberattack. It involves both incentives and regulations. The Executive Order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cybersecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS) that has overall responsibility for developing a set of incentives to get critical infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.