As Congress has struggled to pass a national cyber security law, the Obama administration has begun its own quest to protect data held by the government and private businesses.
Earlier this year, President Obama signed a cyber security executive order. Rather than create new rules for companies and agencies, the order laid out a plan for creating voluntary security guidelines for companies that manage the nation’s “critical infrastructure.”
Affected businesses may include those running power plants, gas pipelines, traffic control systems and water treatment plants. Obama said companies will receive incentives for following the voluntary guidelines — however, the order didn’t give specifics about what the incentives would entail or what the guidelines would be.
6 areas for incentives
The Administration is currently working with business leaders to develop the Cybersecurity Framework, said U.S. Cybersecurity Coordinator Michael Daniel on a White House blog. A draft will be ready in October, with the final version scheduled for February 2014.
While it’s still a work in progress, Daniel described some of the possible ways the guidelines and incentives might be implemented:
- Cyber security insurance — Insurance agencies would be involved in building underwriting practices that promote the use of insurance to cover the costs of security incidents.
- Grants — Certain cyber security criteria would be used in part to determine which companies receive federal critical infrastructure grants.
- Process preference — The government sometimes gives technical assistance to critical infrastructure organizations. Meeting cyber security guidelines would be used as a criterion for choosing which companies get that assistance.
- Liability limitation — When security incidents occur, liability for lawsuits and fines would be limited for organizations that meet the voluntary guidelines.
- Public recognition — Organizations would have the option of being recognized publicly for participating in the cyber security program.
- Rate recovery for industries with price regulations — Organizations that have rates set by the law — such as some utilities — would be given funds to make security investments in order to meet the guidelines.