In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infrastructure Systems such as the electric grid, drinking water, and trains are considered vulnerable to cyber attack, and the results of such attack could be debilitating. The Departments of Commerce, Homeland Security, and Treasury were tasked with preparing recommendations to incentivize private companies to comply with heightened cybersecurity standards. On August 6, 2013 the White House posted its preliminary list of incentives encouraging the adoption of cybersecurity best practices.

The draft framework of incentives is not due until October of this year, when it will be published for public comment. A final version is expected for February of 2014. The August 6th post serves as an interim step, which allows the private sector an opportunity to think about the recommendations and provide feedback.

In the post, Michael Daniel, Special Assistant to the President and the Cybersecurity Coordinator, lists eight ideas, summarized below.

  • Cybersecurity Insurance – engage the insurance industry with the goal of creating a competitive cyber insurance market.
  • Grants – make participation in the cybersecurity programs a condition or criteria for a federal critical infrastructure grant.
  • Process Preference— make participation a consideration in the government’s determination of whether to expedite existing government service delivery.
  • Liability Limitation — agencies are looking into whether reducing liability on participants in certain areas (such as tort liability, limited indemnity, higher burdens of proof) would encourage critical infrastructure companies to implement the framework.
  • Streamline Regulations — streamline existing cybersecurity regulations and develop ways to make compliance easier, such as by eliminating overlaps in existing laws and reducing audit burdens.
  • Public Recognition — agencies are exploring whether giving companies the option of public recognition for participation in the programs would work as an incentive.
  • Rate Recovery for Price Regulated Industries — speaking to federal, state, and local regulators regarding whether utility rates could be set to allow for recovery for investments related to adopting the cybersecurity framework.
  • Cybersecurity Research — research and development to determine where commercial solutions are possible but do not yet exist. The government can then focus on research and development to meet the most pressing cybersecurity issues.

The August 6th report offers an “initial examination” of ways to incentivize the adoption of cybersecurity measures by private companies in the critical infrastructure sector. Discussions with the industry will help determine which direction the government ultimately takes with its cybersecurity framework.