Within the next year the Federal government will adopt a broad Framework of recommended cybersecurity programs that private sector actors and cloud service providers will be asked to voluntarily adopt. Underlying that Framework is an “incentive” structure that, for all practical purposes, may convert these voluntary standards into de facto mandatory industry requirements.
In early 2013 President Obama, frustrated by the lack of legislative action on his cybersecurity initiatives, issued an Executive Order, directing the National Institute for Standards and Technology (NIST) to develop a workable “framework” for cybersecurity. The framework was intended to “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”
By its terms the Framework is intended to be a set of voluntary standards – that is, a set of “best practices” and international norms that are a set of recommended cybersecurity practices. In October 2013, NIST released a copy of a preliminary draft of its proposed Framework. At its core, the Framework relied on five preexisting standards to form the basis for its cybersecurity recommendations:
- ISA 99.02.01 (2009), Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program;
- Control Objectives for Information and Related Technology (COBIT);
- ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems – Requirements;
- NIST Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; and
- Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC).
These standards are of broad applicability and will deeply effect the security operation of any IT system that does not already have these various security measures in place. It is no exaggeration to say that for any medium or large-sized cloud service provider, compliance (with the attendant auditing requirements) with these standards will likely be a significant cost.
Of course, since these are voluntary standards that cost can be avoided or minimized. Or can it?
The same Executive Order that created the Framework also directed other agencies of the Federal government to determine what, if any, authority they had to create incentives that would promote participation in the Framework program. The grounds for this sort of program incentive are reasonably well established. As the U.S. Government Accountability Office noted in 2011, while critical infrastructure sectors have issued a great deal of guidance, adherence to such guidance is limited. Hence the title of their report: “Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use.”
And so, in August 2013, the White House also announced the broad outlines of a program to construct incentives for adopting its Cybersecurity Framework. Broadly speaking the program will offer incentives in in eight separate areas:
- Cybersecurity Insurance
- Process Preference
- Liability Limitation
- Streamline Regulations
- Public Recognition
- Rate Recovery for Price Regulated Industries
- Cybersecurity Research
Undergirding this White House announcement were reports from three cabinet agencies: the Department of Treasury, the Department of Homeland Security, and the Department of Commerce. Each report particularized various incentives that the department could offer. But the most notable aspect of the reports was their commonality (which is unsurprising, as they doubtless were coordinated) in seeking to incentivize cybersecurity framework compliance through liability.
That’s a prospect that, if realized, will surely drive adoption of the Framework. No incentive is more likely to generate attention in the corporate boardroom than the prospect of a lawsuit and the incentive of immunity from a lawsuit in exchange for compliance. As the DHS incentive report puts it, they envision “a system of litigation risk mitigation for which those entities that adopt the Framework and meet reasonable insurance requirements . . . . Other types of legal benefits may include limited indemnity, higher burdens of proof, or limited penalties; case consolidations; case transfers to a single Federal court; creation of a Federal legal privilege that preempts State disclosure and/or discovery requirements for certain cybersecurity self-assessments. Insurance options could include a requirement for the purchase of private market liability insurance in order to apply for these liability protections and legal benefits.”
The description is short on details, but long on ambition. Some of the litigation incentives might require legislation to allow them to be affirmatively granted by the Federal government. But the true genius of the conception (perhaps we might even think its Machiavellian core) is that many of these incentives will flow naturally in the common law from the development of the Framework in the first instance.
After all, what is tort liability but liability for the negligent failure to act reasonably? And if the Federal government has identified reasonable cybersecurity standards, can liability for those who fail to adopt them be far behind? And with liability will come insurance and a system of private sector incentives backed up by the insurance industry’s auditing and compliance monitoring systems.
In short, the NIST Framework will drive the private sector toward the NIST security model through common law liability. If we layer on top of that other Federal incentives (like grants, or preferential access to threat and vulnerability information) the pressure to conform will be enormous. And all of it will happen without the need for Congressional legislation.
Paul Rosenzweig previously served as Deputy Assistant Secretary for Policy at the U.S. Department of Homeland Security. He is currently a Senior Advisor to The Chertoff Group, a global security advisory firm which advises clients on information security including cloud computing.