Cybersecurity Framework Will Remain Voluntary, NIST and DHS Officials Tell Subcommittee
The National Institute of Standards and Technology believes President Barack Obama’s executive order on cybersecurity was “quite explicit” in emphasizing that the Cybersecurity Framework the agency is developing in consultation with critical infrastructure industries needs to be voluntary, Charles Romine, NIST director-Information Technology Laboratory, told a House Homeland Security subcommittee Thursday. Chairman Pat Meehan, R-Pa., had said he was concerned that some language in the executive order could be interpreted to give agencies the authority to impose regulations via the framework. NIST has a long history of developing frameworks that have governed industry practices in a purely voluntary way, and the agency believes that approach will be effective in developing the framework this time, Romine said. “I'm not concerned about this being a hidden way of getting regulatory authority.”
The Department of Homeland Security, in charge of encouraging industry adoption of the framework and many of the order’s other provisions, also views the framework as being purely voluntary, said Robert Kolasky, DHS director-Implementation Task Force. The government won’t need to consider regulatory requirements attached to the framework if it can make adoption attractive to industry by creating confidence in the marketplace through incentives, he said. One incentive that industry actors have repeatedly mentioned is to allow adoption of the framework to meet the information security requirements already imposed on some critical infrastructure industries, Kolasky said. “We think this needs to be pursued,” he said. “If you can demonstrate you have good cybersecurity in place, you shouldn’t have to demonstrate it to the government twice.”
It’s possible adoption of the framework could become a “de facto” requirement if it remains strictly voluntary but becomes a business norm, said Eric Fischer, Congressional Research Service senior specialist-science and technology. “Businesses that don’t use it could become a target of criticism and lawsuits.” The executive order explicitly requires federal agencies to make recommendations on standards in areas where there are identifiable cybersecurity gaps, Fischer said. Those agencies could conceivably attempt to create regulations in those gap areas if they have authority to do so, and would need to come to Congress for additional authority beyond their mandate, he said. Some industries might be more comfortable with the notion of regulations related to the framework if those regulations were administered by agencies that already held regulatory authority over them, Fischer said.
Meehan and Subcommittee Ranking Member Yvette Clarke, D-N.Y., both said DHS had issued a preliminary study on possible incentives in late May, prior to submitting recommendations to the Office of Management and Budget on incentives. The departments of Commerce and Treasury also submitted recommendations on incentives, and the administration is still reviewing those recommendations, Kolasky said. DHS is “very much in favor” of seeing the cybersecurity insurance market grow as an incentive for standards adoption, though much of that growth should be market-based, he said. “A lot of progress has been made independent of government, and we hope that will continue.” The government has the “convening power” to promote the insurance market as an incentive, but other incentives would likely require legislative authorization, he said. Meehan urged the administration to include congressional leaders on any discussions involving legislation, since Congress has been attempting to address cybersecurity “on a bipartisan basis.”
Rep. Tom Marino, R-Pa., said he’s concerned about what the Obama administration is doing to prevent “insider threats” similar to the leaks about the National Security Agency’s surveillance programs from occurring in its cybersecurity initiatives, so “we don’t have [Edward] Snowdens running around gathering critical information about what we're doing … and sharing it with our enemies.” DHS is focused on separating out unclassified information so it can disseminate it to critical infrastructure owners and operators “as quickly and efficiently as possible,” Kolasky said. DHS is also improving its Enhanced Cybersecurity Services classified information sharing program and ensuring that people who hold security clearances within its cybersecurity programs have undergone proper vetting, he said. NIST is considering insider threats within the context of the framework’s risk mitigation strategies, Romine said.
It’s also critical that the administration consider the role academia can play in executing its cybersecurity initiatives, said Rep. Bill Keating, D-Mass. Academia can provide research “not biased to existing economic impacts,” and can help channel “brain power” into the cybersecurity field to offset “major problems we'll continue to have as people move in and out of the private sector,” he said. NIST’s decision to hold three of its four framework development workshops on major college campuses was “an explicit attempt to engage a cross-section of the academic community” in the framework’s development, Romine said. The agency will hold its last framework workshop at the University of Texas at Dallas from Sept. 11-13. Universities can play a role in filling gaps in cybersecurity technology or standards, along with helping the government manage the risk posed by not attracting sufficient cybersecurity talent, he said.