Export Compliance Daily is a Warren News publication.
‘Interim Step’

Agencies Release Cybersecurity Incentive Recommendations

The White House directed the departments of Commerce, Homeland Security (DHS) and Treasury Tuesday to publish reports they had submitted to the White House in June on the feasibility of incentives to encourage industry adoption of cybersecurity practices, including the Cybersecurity Framework being developed by the National Institute of Standards and Technology (NIST). DHS’s recommendations track with the results of a preliminary study of cybersecurity incentives the department conducted in late May (CD July 22 p10).


The release of the three reports is an “interim step” meant to “promote transparency and sustain a public conversation about the recommendations,” said White House Cybersecurity Coordinator Michael Daniel in a blog post. The White House has not taken a “final policy position” on cybersecurity incentives; it will continue to examine and prioritize possible incentives as the final version of the framework and a DHS-administered “Voluntary Program” to encourage the framework’s adoption are completed, he said (http://1.usa.gov/1b9iC5h). NIST will release the final version of the framework in February.

The agencies said the cybersecurity insurance industry should play a role in crafting the Cybersecurity Framework and the “Voluntary Program.” Commerce said in its report that collaboration between NIST, the cybersecurity insurance industry and other stakeholders “could serve as a basis for creating underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing” (http://1.usa.gov/15FT4x5). NIST is already taking steps to engage the insurance industry in the framework’s development, Daniel said. DHS advocated for legislation to create a bundle of litigation risk mitigation benefits for companies that adopt the framework and meet “reasonable insurance requirements,” including the purchase of private market liability insurance (http://1.usa.gov/171TIl1). Treasury said cybersecurity insurance is a “growing but nascent industry” that would benefit from inclusion in the framework’s development, but recommended against legislation that would result in direct government involvement in the market (http://1.usa.gov/19L8MZp).

The agencies recommended using federal grant programs as an incentive, making framework adoption either a condition or a “weighted criteria” for critical infrastructure grants. The agencies will develop possible grant criteria over the next six months, Daniel said. Framework development should be a requirement for grants related to the National Strategy for Trusted Identities in Cyberspace and other Commerce grants, Commerce said. The White House should issue guidance to all agencies on how it should use framework development as a grant criterion, Commerce said. DHS recommended creating a new grant program in addition to utilizing existing grants. Although DHS and other agencies might have some flexibility under existing grant authorities and appropriations to use grants as an incentive, “it seems more likely that new statutory authority would be required to implement this particular type of incentive in a comprehensive and large scale way,” DHS said. Using the framework as a grant criterion would also increase the effectiveness of research grants, as research “that is informed by, and intended to support, the Framework is more likely to lead to beneficial products and services,” Treasury said.

The White House will continue to consider expediting government service delivery processes for companies that adopt the framework, Daniel said. Commerce recommended further study of the issue, saying the Department of Defense and the General Services Administration will issue a report on the feasibility of using federal procurement as an incentive. DHS recommended either the introduction of a technical requirement in the procurement process for “certain types of acquisitions for Framework adopters,” or requiring ICT providers with federal government contracts to adopt the framework. Treasury recommended the federal government explore ways of further accelerating the security clearance approval process, including new reporting requirements. Commerce recommended against further exploration of expedited security clearances, saying the expedited clearances allowed for critical infrastructure owners and operators under President Barack Obama’s cybersecurity executive order are “sufficient.”

The White House will also continue to study whether to recommend legislation that would institute new liability protections to encourage framework adoption, Daniel said. Commerce recommended DHS and the Department of Justice study tort liabilities that critical infrastructure owners and operators face, and consider whether to recommend insurance or statutory liability limitations that would kick in if the company has adopted the framework. DHS’s bundle of liability risk mitigation benefits could include “limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments,” the agency said. Such protections would likely require new statutory authority, DHS said. Treasury also recommended further study of liability protections, though it said “it is important to note that extending liability protection could also introduce moral hazard, undermining the policy objective of increasing cybersecurity to the extent critical infrastructure organizations are not held liable for taking insufficient precautions.”

The agencies will continue to examine ways to make framework adoption easier by streamlining existing regulations, Daniel said. DHS recommended creation of a “unified compliance model” that would eliminate areas where existing laws overlap, along with streamlining differences between U.S. and international information security laws through treaties. DHS also recommended the White House explore ways to reduce audit burdens and to offer prioritized permitting.

DHS should continue examining allowing price-regulated industries to recover the cost of cybersecurity investments through higher utility rates, Daniel said. Further consultation with federal, state and local regulators and sector-specific agencies is necessary, he said. DHS had recommended the government allow a company that adopts the framework to charge up to a capped maximum price independent of the realized cost. Existing legal authority, along with additional action from the Federal Energy Regulatory Commission, would likely be sufficient to allow new price caps, DHS said.

The agencies should also continue to explore ways in which public recognition of framework adopters and bolstering cybersecurity research might be effective incentives, Daniel said. Many companies told Commerce they were interested in ways to publicly show they “adhere to sound cybersecurity practices,” Commerce said. The effectiveness of public recognition would depend on the organization, sector and risk tolerance, the agency said. NIST’s National Cybersecurity Center of Excellence can be an effective tool after the framework is released to work with framework adopters in identifying where commercial services can help them adhere to the framework and where further development is needed, Commerce said. The U.S. Patent and Trademark Office should consider creating a “Fast-Track Patent Pilot” program for framework adopters that would help them combat trade secret theft, Commerce said.

Commerce and Treasury recommended the White House abandon consideration of tax incentives to encourage framework development. Commerce found there was little consensus among the companies that it consulted on which kinds of tax incentives would be effective. “It would be difficult to ensure that tax incentives are sufficient to encourage participation in the Program and do not impose undue costs on the federal government,” Commerce said. While tax incentives could encourage additional cybersecurity research and investment, they would require additional legislation, Treasury said. “Tax incentives are difficult to target specifically at cybersecurity activities, and harder still to target at cybersecurity investments that firms would not otherwise make,” Treasury said. “Ultimately, adoption of a tax incentive would come at the expense of foregone revenue for the government or reallocation of existing fiscal obligations.”

The proposals on the table aren’t specific enough to influence legislation in a direct way, said a spokeswoman for the Senate Commerce Committee. Committee Chairman Jay Rockefeller, D-W.Va., sponsored the Cybersecurity Act (S-1353) that passed out of the committee last week. Rockefeller recently sent a letter detailing his thinking on incentives to then-acting Secretary of Commerce Cam Kerry, “and it looks as though the administration carefully considered his comments, especially his comments about developing an insurance market to help improve cybersecurity risk management,” the spokeswoman said, noting that both Rockefeller and the administration are committed to a private sector-driven, non-regulatory approach focused on NIST. Senate Homeland Security Committee Chairman Tom Carper, D-Del., said in a statement “the President’s executive order is an important step in our effort to better protect our nation’s cyber networks. That being said, more action is needed to address cybersecurity and I still believe that bipartisan legislation offers the best long-term solution to this serious security threat.” A spokeswoman for Senate Commerce Ranking Member John Thune, R-S.D., who co-sponsored the Cybersecurity Act, said his office was still reviewing the recommendations. “Legislative options will be weighed, as appropriate, as the Executive Order plays out,” she said.

The Internet Security Alliance believes the agency reports are an indication of a “fairly stark and positive changing direction on the part of the White House away from the centralized government mandate models they had been advocating,” ISA President Larry Clinton told us. ISA has long advocated “a set of industry-determined standards and practices that are motivated by the use of market incentives,” he said. “That is essentially what is embodied in these reports.” The most effective incentives will depend on what sector a company is in, and in some cases the conditions within the individual company, Clinton said. “We believe that’s as it should be,” he said. Passing legislation to authorize some incentives may be less difficult than believed, Clinton said. “This particular issue is not particularly partisan,” he said, noting that House Republicans have been advocating for essentially the same incentives the agencies mentioned in their reports.