When President Obama enacted his executive order on cybersecurity, section 7 required the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology (NIST) to gather the relevant parties and assemble a ‘framework’ of “standards, methodologies, procedures, and processes” that aligns how policy makers, businesses, and technologists approach cybersecurity and the digital risks that exist.
That’s a long way of saying the President told parts of his administration to speak with companies, and come up with a set of voluntary policies to improve general cybersecurity preparedness and defense.
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the “Director”) to lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.
NIST has now held two of its four “Cybersecurity Framework Workshops.” The most recent concluded on the final day of May.
Certain elements of the discussions that have occurred thus far are attracting Congressional attention. A specific proposal to grant a certain form of legal immunity to companies that adhere to the voluntary standards was recently critiqued by Sen. Rockefeller, who, following a lengthy laudatory preamble, said the following.
I do not believe that giving U.S. companies prospective liability protections for adopting the Framework will encourage U.S. companies to improve their cybersecurity. In fact, such an approach would likely have the opposite effect. Again, the outcome of the NIST-convened Framework process will be driven and determined by industry; in turn, companies will adopt the Framework if the product of this private-sector led effort benefits their security and business operations. Giving companies unprecedented liability protections based on cybersecurity standards that they themselves have developed would increase the likelihood that the American taxpayers will one day find themselves on the hook for corporate bailouts of unknown scope following a cyber disaster.
What the Senator is saying is that no company should be granted such legal protection for following a voluntary set of rules that it helped create; it simply doesn’t follow that ironclad legal protection should go to companies for voluntarily following a standard that may itself be weak. If such protection were granted on so thin a standard and something bad did happen, the company would be immune; others – read: the taxpayer – would be forced to swallow the cost and fallout.
This is the opposite of a free-market solution, though it will likely be heavily favored by companies who would prefer to hand off their cyber financial and moral risk to another party at a low or zero cost.
Senator Rockefeller goes further, stating the rule would engender moral hazard, “create perverse incentives to craft low-bar standards,” and unbalance the private insurance market; how could private cybersecurity insurance compete with an all-but-free legal option of no liability from the government that could be procured for a song?
The cybersecurity laws, standards, and general state of readiness of the United States are a disgraceful mess. However, granting key stakeholders in the process of shoring up our digital defenses a get-out-of-responsibility card for no reason other than that they want it isn’t the proper way to proceed. Every involved party will need to do its part, and not shirk its earned responsibility.
Top Image Credit: Andrew Malone