Voluntary Cybersecurity Framework Could Lead to Regulations in the Future
November 21, 2013
The Preliminary Cybersecurity Framework, released for industry feedback in October, serves as a preview of the voluntary guidelines and best practices aimed at industry for the purpose of reducing cyber risks to our critical infrastructure (see below). The Framework also focuses on information sharing between industry and the government. Specifically, the government and private critical infrastructure operators, as well as the technology firms who support them, would share information on cyber breaches and ways to prevent them. The draft by the National Institute of Standards and Technology (NIST) was put together with industry feedback, but there are lingering concerns that the final version may not be all that voluntary.
Some industry watchers worry that if a technology company disregards the Framework, and there is an intrusion resulting in loss of data or impaired critical infrastructure, then that firm could be vulnerable to lawsuits. The draft Framework does include liability protection, but only for those who adopt the Framework, leaving those on the outside more vulnerable, particularly if the Framework becomes the de facto standard.
The Framework also addresses privacy and civil liberty concerns, an issue on a lot of people’s minds nowadays. It calls for minimization of personally identifiable information (PII) when information on cyber breaches is shared with the government. The issue here is that all the scrubbing and anonymizing of data that will be required is costly and time consuming, and could prove to be a disincentive.
The White House has gone to great lengths to make the Framework as benign and palatable as possible to industry, but while the Framework is not mandatory, there is concern it could pave the way for regulations and legislation in the future. The Executive Order from which the Framework is derived, for example, requires federal agencies to state whether they have authority to establish requirements based on the Framework…should they need to. Also, the word “should” was dropped from certain sections featuring recommendations for industry. The change was intended to make the language less forceful but now reads as if industry is being commanded.
Any concerns or recommendations can be conveyed to the government during a 45-day comment period which ends December 13, 2013. It is open to all industry, particularly those connected in some way to critical infrastructure. I encourage you to take a look at the Framework and take advantage of this opportunity to shape the guidelines which, if you peel back the layers, may become more binding than you might think.