Recommendations on Cybersecurity Incentives May Go Public By Month’s End
The departments of Homeland Security (DHS), Commerce and Treasury hope their reports on possible incentives to encourage the private sector to adopt voluntary cybersecurity standards will be made public by the end of the month, said Jeanette Manfra, DHS deputy director running the task force implementing President Barack Obama’s Cybersecurity Executive Order, during a Wiley Rein program Wednesday on implementation of that order. Among other things, the order tasks DHS with overseeing the private sector’s implementation of the National Institute of Standards and Technology’s (NIST) forthcoming voluntary Cybersecurity Framework, including implementation of incentives (CD Feb 14 p1). DHS, Commerce and Treasury submitted separate reports to the Office of Management and Budget June 12 that examined the feasibility and effectiveness of possible incentives, but they have not yet been made public while they undergo an internal review (CD July 8 p9).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The reports will help DHS and others “continue the dialogue” on what the best incentives are, “and figure out how we can best use our resources,” Manfra said. There are only so many things the government can incentivize on its own, Manfra said, saying she wants the marketplace to create additional incentives of its own. The government can’t release incentive funds to industry in amounts high enough to totally offset security spending that would occur with the adoption of standards, but it can encourage incentives in sectors like the insurance industry, which could expand use of cybersecurity insurance as a way of encouraging industry adoption of standards, Manfra said. “We don’t want an assumption that government has all of the incentivization tools,” she said.
NIST is continuing to develop and refine the Cybersecurity Framework, incorporating input the agency received last week when it held its third workshop with members of critical infrastructure industries, said Adam Sedgewick, NIST senior information technology policy adviser. That workshop at the University of California, San Diego, focused on refining the framework in the context of an outline version NIST released earlier this month, as well as working to fill gaps in the information NIST has collected so far on established best practices related to issues like privacy and civil liberties. NIST hopes to release a draft version of the framework in August for industry review prior to the last framework workshop, which is Sept. 11-13 at the University of Texas at Dallas, Sedgewick said. Additional input collected at the final workshop will form the basis for revisions before NIST releases a preliminary framework Oct. 10 for public comment, Sedgewick said. A final version of the framework must be released by February.
The wireless industry hopes the government remains committed to a non-regulatory regime to address critical infrastructure cybersecurity, said John Marinho, CTIA vice president-cybersecurity and technology. Regulations requiring industry to adopt cybersecurity standards would likely backfire because “you can’t treat it like weights and measures,” he said. Regulations are also unnecessary because some sectors already have standards related to cybersecurity and vigorously apply them, Marinho said. NIST has done well so far in fostering development of the framework, which is “coming together as a reasonable tool,” he said. The final proof of the framework’s strength will depend on the extent to which industry actually uses the framework as a tool going forward, Marinho said.