Government agencies and private companies – many involved in critical infrastructure industries like utilities, communications companies, and banks – have been subjected to increasing numbers of cyberattacks that raise serious concerns about the Nation’s ability to protect its infrastructure and security. Having failed to convince Congress to pass formal cybersecurity legislation, the President, on February 12, 2013, issued Executive Order 13636 instructing the National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce to develop a set of “voluntary” standards and guidelines to address cyber risks by incorporating industry best practices to the fullest extent possible.
On August 30, 2013, NIST released its draft cybersecurity standards for consideration by executives of private sector companies engaged in critical infrastructure. Although the draft does not identify specifically which businesses these standards and guidelines are meant to address, it is generally understood that “critical infrastructure” companies include, at least, banks, utilities, energy and communications companies, transportation companies, and, potentially, pharmaceutical and food processing companies. The current draft standards are meant to be flexible – there is a general prejudice against “one size fits all” – and to encourage data sharing between private industry and the government about actual and potential risks.
In the absence of a legislative mandate, the Administration has suggested ways by which private companies would be encouraged to participate in establishing their own cybersecurity safeguards. Potentially, some such incentives could be implemented by Executive action: for example, the White House has suggested making adoption of NIST’s Cybersecurity Framework a condition for grants or other forms of technical assistance. The Defense Department already has in place its Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) Program to encourage information sharing and reduction of cybersecurity risk among defense contractors. Other White House suggestions for encouraging adoption of cybersecurity standards, such as reduced tort liability, lower burdens of proof, and creation of a preempting federal legal privilege, will require legislation. Of particular concern to companies involved in critical infrastructure industries is the possibility that NIST’s Cybersecurity Framework standards and guidelines will become the presumptive “reasonable” standards for protecting their companies from cyber-attacks, and that failure to adopt and implement such standards may create a basis for tort and contract liability for resulting injury.
NIST invites and encourages industry participation in the development of its cybersecurity standards and guidelines. NIST is sponsoring a Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas, and welcomes comments from anyone.