The National Institute of Standards and Technology (NIST) is not a household name, particularly outside the I-495 Beltway surrounding Washington, D.C., but companies across the country may soon be impacted by NIST’s growing role in cybersecurity. President Obama has charged NIST, an agency in the Department of Commerce, with developing a new Cybersecurity Framework for private sector owners and operators of critical infrastructure and new Senate legislation would cement NIST’s cybersecurity role. On August 6, 2013, the White House released a list of potential incentives the government may offer to encourage companies to adopt NIST’s Cybersecurity Framework, including liability protections, cybersecurity insurance, and cybersecurity conditions in government grants.
NIST’s Cybersecurity Framework is part of a larger federal government initiative to increase private sector cybersecurity. Many of the government’s efforts to date, such as the Department of Defense’s Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) program, have focused on information sharing with defense contractors and reducing cybersecurity risk in the supply chain. NIST’s Cybersecurity Framework would apply beyond defense contractors to the full spectrum of private sector owners and operators of critical infrastructure in order to increase the adoption of industry cybersecurity best practices and companies’ investments in protecting their information systems.
The standards and best practices that make up the NIST Cybersecurity Framework will impact a broad range of companies in the telecommunications, energy, finance, and transportation industries. This Advisory provides an overview of recent cybersecurity-related legislative and regulatory developments and opportunities for interested companies to participate in the policy process.
NIST’s Growing Role in Cybersecurity
On July 10th through 12th, 2013, NIST held the third in a series of Cybersecurity Framework workshops that started in April. These workshops are part of NIST’s effort to develop the Cybersecurity Framework required under Executive Order 13636 (EO 13636), which President Obama signed on February 19, 2013. Each workshop has been attended by hundreds of participants from private industry who are working with NIST to develop a set of standards, guidelines, and procedures to reduce cyber risk to critical infrastructure. While the NIST framework would be voluntary, the White House has put forth a suggested list of incentives for companies to adopt the standards, as discussed below. Many in the private sector have expressed concerns that once finalized, the Cybersecurity Framework will effectively become mandatory because critical infrastructure companies would be expected to meet the standards.
At NIST’s July workshop in San Diego, the participants refined the draft Preliminary Framework Outline and Core that NIST released on July 1, 2013. The outline and core documents NIST released in early July were largely a shell, so part of the goal of the workshop was to generate content by engaging with industry and other stakeholders.
Based on the input generated at the San Diego workshop, NIST plans to post a preliminary draft of the full Cybersecurity Framework in August 2013. Interested companies will have an opportunity to provide feedback on the forthcoming draft framework at NIST’s fourth and final workshop, which will be held at the University of Texas at Dallas on September 11th through 13th. NIST plans to publish the framework in the Federal Register for public comment on October 10, 2013, which will give industry another opportunity to provide input on the standards and best practices before they are finalized. EO 13636 requires NIST to finalize the framework by February 19, 2014.
NIST will continue to play a key role in cybersecurity even after the framework is finalized. In addition to updating the standards and guidelines that make up the framework, NIST announced this spring that it also plans to establish a Federally Funded Research and Development Center (FFRDC) focused on cybersecurity. FFRDCs, such as the National Aeronautics and Space Administration’s Jet Propulsion Laboratory at the California Institute of Technology, enable government agencies to engage with the private sector to address special long-term research and development needs. NIST’s new FFRDC would facilitate public-private collaboration to accelerate the adoption of integrated cybersecurity tools and technologies.
The proposed FFRDC will have three primary purposes: (1) research, development, engineering, and technical support; (2) program and project management, including expert advice and guidance focused on increasing the effectiveness and efficiency of cybersecurity applications, prototyping, demonstrations, and technical activities; and (3) facilities management.
Renewed Push for Cybersecurity Legislation
On July 30, 2013, the Senate Commerce, Science, and Transportation Committee unanimously approved the Cybersecurity Act of 2013, S. 1353, paving the way for a full Senate vote on the bill before the end of the year. Prior to its July 31st markup, the Committee held a related hearing on July 25th regarding the partnership between NIST and the private sector to improve cybersecurity. At the hearing, technology firms and the National Association of Manufacturers supported the bill, which is sponsored by Senators Rockefeller and Thune. The bill has also received support from key industry groups, including the U.S. Chamber of Commerce, which opposed comprehensive cybersecurity legislation sponsored by Senator Rockefeller and others in the last session of Congress.
S. 1353 would formalize cybersecurity as one of NIST’s priority areas of focus and codify NIST’s role under EO 13636 in developing cybersecurity standards. The bill’s NIST-related provisions would, however, differ from President Obama’s executive order in at least two important ways. First, S. 1353 charges NIST “on an ongoing basis” with facilitating the development of standards, guidelines, and best practices to reduce cyber risk to critical infrastructure, which the bill’s supporters argue will provide businesses with certainty that NIST’s lead role in cybersecurity will continue after the publication of the Cybersecurity Framework in February of next year. Moreover, supporters argue that legislating an ongoing role for NIST in this area will help the U.S. take the lead in establishing future global principles, norms, and standards on cybersecurity. Second, the bill would place certain restrictions on NIST and the cybersecurity standards it develops. For example, the bill requires NIST to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes.” The text of the legislation also specifies that it does not “confer any regulatory authority” on any federal agency or department. In addition to the bill’s NIST-related provisions, S. 1353 would also strengthen cyber research and development, improve the cyber workforce and cyber education, and increase the public’s awareness of cyber risks and cybersecurity.
Despite bipartisan support and the backing of key industry groups, cybersecurity legislation still faces significant challenges in Congress, not the least of which is that many different committees have jurisdiction over the issue and a number of competing bills are being considered. For example, the House passed the Cyber Intelligence Sharing and Protection Act (CISPA) on April 18, 2013. CISPA would allow companies to share cyber threat information with each other and the government, allow the government to provide classified cyber threat information to private industry, and provide liability protection for companies acting to protect their own networks or share threat information.
The unauthorized disclosures by Edward Snowden regarding the National Security Agency (NSA) surveillance programs may make passage of cybersecurity legislation this year more difficult. For example, Representative Michael McCaul has been quoted as saying that the NSA leaks “probably couldn’t have come at a worse time” for advancing a cybersecurity bill and he has reportedly postponed introduction of his cybersecurity legislation until at least September. Similarly, Senator Levin said passing a cybersecurity measure has become more difficult in the Senate.
Incentives to Support Adoption of the Cybersecurity Framework
One element that is notably missing from the cybersecurity bill that the Senate Commerce Committee approved at the end of July is cybersecurity incentives for industry. Prior cybersecurity bills sponsored by Senator Rockefeller have included a variety of incentives designed to motivate industry to adopt voluntary cybersecurity standards, such as liability protections.
On August 6, 2013, the White House released a list of eight potential incentives to support adoption of NIST’s Cybersecurity Framework based on the reports the Departments of Homeland Security, Commerce, and Treasury were required to submit under EO 13636. The potential incentives include:
- Cybersecurity Insurance – Government agencies would engage the insurance industry to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.
- Grants – Government agencies would leverage federal grant programs to incentivize the adoption of the Cybersecurity Framework as a condition or as one of the weighted criteria for federal critical infrastructure grants.
- Process Preferences – Government agencies would expedite existing government service delivery for companies that adopt the Cybersecurity Framework, such as government provision of technical assistance to critical infrastructure.
- Liability Limitations – Companies that adopt the Cybersecurity Framework could take advantage of liability protections including in areas such as reduced tort liability, limited indemnity, lower burdens of proof, or the creation of a federal legal privilege that preempts state disclosure requirements.
- Streamline Regulations – Government agencies would help make compliance easier, for example by eliminating overlaps among existing laws and regulations, enabling equivalent adoption across regulatory structures, and reducing audit burdens.
- Public Recognition – Government agencies would publicly recognize companies that adopt the Cybersecurity Framework and their vendors.
- Rate Recovery for Price Regulated Industries – Government agencies that set utility rates could allow utilities to recover the cost of cybersecurity investments related to complying with the Cybersecurity Framework.
- Cybersecurity Research – Government agencies would emphasize research and development to meet the most pressing cybersecurity challenges where commercial solutions are not currently available.
White House Cybersecurity Coordinator Michael Daniel said that over the next few months, federal agencies will examine these options in detail to determine which ones to adopt and how.
However, many of these incentives may require legislation, which will be difficult to pass given the current environment on Capitol Hill. Even if Congress is unable to pass legislation this year, NIST and the Obama administration will continue to push forward with their efforts to improve private sector cybersecurity.