The White House has released a tentative list of incentives that it hopes will stir the private sector to voluntarily adopt the “Cyber Security Framework” – a set of “core practices” to be implemented next year that aims to help the nation mitigate attacks on critical infrastructure.
The incentives, which are being introduced as part of President Obama's cyber security executive order issued in February, were created from feedback received by the Departments of Homeland Security, Commerce and Treasury.
In a Tuesday blog post, the White House detailed the eight incentives which are meant to support the protection of electric grids, mass transportation and facilities that manage the nation's water supply and other industrial systems.
The incentives include having the insurance industry help provide options for private companies participating in the framework; that federal grant programs are leveraged to incentivize critical infrastructure involvement; and that the government would prioritize which companies receive technical assistance when “non-emergency” incidents take place.
In addition, incentives to reduce the legal liability of companies that suffer critical infrastructure attacks were proposed, along with incentives that would streamline existing regulations, publicly recognize companies that participate in the program, and allow companies to recover money from investments made to come into compliance. The White House also recommended that the government support cyber security research in areas where there are challenges in effectively implementing the framework's cyber security practices.
On Wednesday, Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, which researches cooperation, competition and conflict in cyber space, told SCMagazine.com that additional regulation, which is also expected to be a by-product of the framework, would be the real factor that spurs the private sector to participate.
“I think there's a feeling in the private sector that it's just something sweet to make the pain of regulation go down a lot more easily,” Healey said of the incentives.
Ahren Tryon, an attorney at Cozen O'Connor, a law firm that handles regulatory issues concerning energy and public utilities, told SCMagazine.com on Wednesday that the incentive providing legal protection to companies experiencing attacks was a prime example of where legislation would be needed to support the voluntary program.
“The White House blog post discusses limitations on liability, which would have to be done through legislation,” he explained.
Further, Lila Kee, a member of the North American Energy Standards Board, which promotes security standards for the natural gas and electric industry, told SCMagazine.com that one strong point of the framework is that it incorporates and supports existing security standards, for instance those regulated by the Federal Energy Regulatory Commission (FERC).
Kee said that companies that are already in compliance with FERC regulations would be prone to participate in the security framework for the incentives alone, and that those in the private sector waiting to take the plunge may follow their lead.
“There may be a lot of companies that are saying, 'I will see if it works out for [others] before I take the plunge,'” she said. “It may have companies on the sidelines jump in.”
Since the Cyber Security Framework is still in a development phase, federal agencies and critical infrastructure companies are encouraged to present their feedback on incentives before another draft is completed in October. A final version of the framework is scheduled to be released in February 2014.