Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/7/2013
04:41 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Proposes Cybersecurity Insurance, Other Incentives For Executive Order

Goal is to provide financial and other perks for participation in voluntary cybersecurity framework

A nagging question surrounding the Executive Order to beef up the security of the nation's critical infrastructure has been how the Obama administration would incentivize organizations to adopt the voluntary framework and participate in threat information-sharing. The White House yesterday answered that, spelling out several proposed incentives on the table for those who adopt the upcoming cybersecurity practices that will be mapped out in a framework currently under development.

Michael Daniel, special assistant to the president and cybersecurity coordinator, said the White House gathered recommendations from the Departments of Homeland Security, Commerce, and Treasury, and came up with these proposed incentives: cybersecurity insurance, federal grants, preference in technical assistance, liability limitation, streamlining with existing regulations and laws, optional public recognition, rate recovery for price-regulated industries, and cybersecurity research for future security issues.

"Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders," Daniel said in a blog post, noting that this is preliminary report does not represent the final policy of the administration. "We believe that sharing the findings and our plans for continued work will promote transparency and sustain a public conversation about the recommendations."

The goal is to provide organizations with some financial and other incentives to justify investing in new technologies and practices under the voluntary framework. "Some of the recommended incentives can be put in place quickly under existing authorities after the Voluntary Program is established. Others would require legislative action and additional maturation of the Cybersecurity Framework and Voluntary Program, along with further analysis and dialogue between the Administration, Congress, and private sector stakeholders," he said. "We are currently working with the appropriate agencies to prioritize each incentive area and move forward."

One of the more intriguing incentives, security experts say, is the one that brings the insurance industry into the equation. Daniel explained it as a way "to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market. The Commerce Department’s National Institute of Standards and Technology is taking steps to engage the insurance industry in further discussion on the Framework," he said in his blog post.

[Michael Daniel says President Obama's Executive Order on Cybersecurity sets the stage for cybersecurity legislation for protecting critical infrastructure. See White House Cybersecurity Czar: New Executive Order A 'Down Payment'.]

The National Institute of Standards and Technology (NIST) last month held its third workshop on crafting the cybersecurity framework. The voluntary framework is being hashed out by participating critical infrastructure operators and owners, security experts, and others under the leadership of NIST. It's scheduled to be published in draft form in October and finalized in February of 2014.

The framework thus far is centered around five security functions: know, prevent, detect, respond and recover, notes Stephen Cobb, security evangelist for Eset, which is participating in the NIST workshops to build the framework. Cobb recently blogged about the July workshop .

Meanwhile, incentives are key to getting organizations to adopt the framework, experts say. The Obama administration's outline of incentives is a major step there, they say.

"I think it's one of the most positive things to come out of the EO and actually creates some motivation for companies to think about the voluntary framework," says Mark Weatherford, principal with The Chertoff Group. "The kind of incentives identified actually go farther than I've seen in the past which is very good news."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
oneilldon
50%
50%
oneilldon,
User Rank: Guru
8/8/2013 | 7:07:35 PM
re: White House Proposes Cybersecurity Insurance, Other Incentives For Executive Order
Just as the emphasis on reputation, economics, mission, and competitiveness varies among government, critical infrastructure, defense industrial base, and commercial industry partners, so does the range of tolerance for risk and regulation. Consequently, the public policy measures needed to promote the public good must be tailored and harmonized among these diverse interest.

The NIST Workshops on the Cyber Security Framework are revealing an underlying reluctance to harmonize standards associated with resistance to regulation. Here there are trust issues associated with the commitment to voluntary compliance. Beyond that Congress is split on what kind and whether incentives should be offered especially on indemnification of liability.

And then there is the issue of moral hazard faced by industry participants. If they know of threats and risks and don't act on behalf of their customers and the public, there are consequences.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-35196
PUBLISHED: 2021-06-21
** DISPUTED ** Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load() function in settings.py. NOTE: the vendor's position is that the product is not intended fo...
CVE-2010-1433
PUBLISHED: 2021-06-21
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauth...
CVE-2010-1434
PUBLISHED: 2021-06-21
Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulne...
CVE-2010-1435
PUBLISHED: 2021-06-21
Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1.5...
CVE-2010-0413
PUBLISHED: 2021-06-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.