Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/7/2013
02:12 PM
50%
50%

Infrastructure Cybersecurity: Carrots And Sticks

As lawmakers and private industry leaders wrangle over how to best protect our nation's critical infrastructure from cyberattack, existing anti-terror legislation could offer a promising start.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
Industry leaders and federal policy makers have been in discussions for years on how to better protect the nation's critical, privately held infrastructure from cybersecurity attacks. But for a number of reasons, including pushback on liability issues, comprehensive legislation has been stalled in Congress and is unlikely to get attention anytime soon. That leaves an executive order issued by President Obama aimed at improving critical infrastructure the only game in town for the foreseeable future.

A key part of the executive order, known as E.O. 13636, calls for setting up a voluntary cybersecurity framework that can be adopted by companies. The National Institute of Standards and Technology (NIST) is responsible for working on the framework, while the Department of Homeland Security (DHS) has overall responsibility for developing a set of incentives to get critical infrastructure owners and operators to participate.

Among the incentives being discussed are tax credits, revenue recovery, insurance bundles and liability protections, but in most cases, that will require new legislation. Because of the rancor on Capitol Hill, the chances appear slim for any legislation to be passed in the next six months -- when the final framework is due to be issued. The framework promises to take into account many of the practices and concerns industry has to offer. But because the president's executive order offers no immediate promise of liability protections from lawsuits relating to cyber attacks, businesses leaders are antsy about participating.

[ Federal officials say government shutdown is an invitation to hackers. Read more at Shutdown Heightens Cybersecurity Risks, Feds Warn. ]

Nevertheless, those following NIST's efforts surrounding the executive order see headway in talks with industry. And existing legislation could give private sector firms a way to protect themselves using the executive order, according to legal experts.

Many of the proposed incentives have already been discussed with industry leaders at NIST workshops held around the country, according to Jason Wool, an attorney at the law firm Venable, which specializes in cybersecurity issues relating to energy and regulatory sectors.

The most promising of the NIST suggestions focused on remediation and liability limitation, Wool said during a Sept. 25 forum seminar on the cybersecurity framework.

There was generally strong consensus in the NIST workshops with private industry for government to collaborate with the insurance industry, Wool said. The advantage of this approach is that private industry gets to drive the process. But the challenge is that both industry and government are unsure about how to go about launching such an undertaking. If it can be carried off, it would provide a baseline for risk management of cyber threats, but he cautioned that cybersecurity insurance is still in its infancy, noting that there is a lack of case data with which to build a baseline.

The other incentive is liability limitation, which has been heavily discussed in all of the NIST workshops. But at the moment, all of the groups reported that liability limitation for cyber attacks should continue to be studied and recommended that no procedures be implemented before more data is available. Wool explained that legislation could create legal safe harbors for firms, but he noted that there is a good possibility that any cybersecurity legislation will be postponed until next year.

Cybersecurity Incentives for the private sector, and how they might be structured, also remain unclear. A major question with incentives is whether market-based incentives, such as insurance for cyber attacks, will be enough to get firms to participate. Wool said that the DHS recently recommended bundling liability limitations together with legal rules. However, he added that the downside to this approach is that it would require legislation.

Owners of critical infrastructure may be liable under existing legislation if an attack causes financial or physical damage, Wool said. One example is that cyberattacks on infrastructure, such as the Stuxnet attacks on Iranian nuclear fuel processing machinery, can cause physical damage. "We know that cyberattacks can affect the real world," Wool said. Attacks have the potential to disrupt business operations, which can lead a variety of lawsuits. However, he added, firms are not likely to get any liability coverage for cyberattacks under the new infrastructure being established.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/11/2013 | 6:38:09 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
This article hits the nail on the head. A cooperative discourse by industry and goverment can figure out the best ways to protect the nationGs
critical, privately held infrastructure from
cyberattack. It involves both incentives and regulations. The Executive Order order issued by President Obama and coordinated by The National Institute of Standards and Technology (NIST) calling for a voluntary cyberrsecurity framework is a good start. Ultimately, it will be Department of Homeland Security (DHS)
that has overall responsibility for developing a set of incentives to get critical
infrastructure owners and operators to participate. Liability issues are always a concern but hopefully with support of Congress and public/private working committees, the undertaking will come to fruition sometime next year.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/7/2013 | 8:05:44 PM
re: Infrastructure Cybersecurity: Carrots And Sticks
Add this to the list of critical issues that will likely be significantly impacted by the mounting impact of the government shutdown.
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.