Commerce officials call on Congress to pass cybersecurity legislation
However, officials will be limited with the type of incentives it can offer industry as an executive order cannot grant new powers or authorities like congressional legislation can. These incentives are intended to entice critical infrastructure firms to join a voluntary program led by the Department of Homeland Security, which was established in the president’s cyber order. The companies that participate in this program will follow the cybersecurity best practices and standards crafted by NIST.
At a Senate hearing last week, Homeland Security Secretary Janet Napolitano said the administration is considering offering a “seal of approval” to companies who join the Homeland Security-led program and a “procurement preferences acquisition” process as possible incentives.
The officials also acknowledged that it will be “a challenge” to put together a cybersecurity framework over the next eight months that can apply across various sectors of U.S. critical infrastructure—such as water systems, electric companies and banking systems—and businesses that vary in size. They also repeated the administration’s call for industry to help with the implementation of the order.
“The NIST process will not work if we don’t have help from industry,” said Adam Sedgewick, senior Internet policy advisor at NIST. “It will not be a successful framework if we don’t get that kind of participation.”
Administration officials have said repeatedly in public remarks that the president’s executive order is only a “downpayment” on cybersecurity legislation that must be passed in Congress. White House Press Secretary Jay Carney told reporters at a Monday press briefing that the president will speak to lawmakers about the need “to take action on cybersecurity” when he meets with Democrats and Republicans in both chambers this week.
The Senate has committed to returning to work on cybersecurity legislation this year, but has yet to craft a bill. In the lower chamber, the House Intelligence Committee leaders have put forward a bill that will, in part, offer liability protection to businesses if they share information about cyber threats they spot on their computer systems and networks with the government. It will also shield those companies who share information with the government from antitrust cases and freedom of information requests.
The existing cybersecurity regulations in the energy sector will likely serve as a “model” for the best practices that NIST is crafting, according to Brian Zimmet, a partner at Venable.
Zimmet noted that some critical infrastructure firms may run into issues when it comes to complying with new cybersecurity regulations because their IT professionals did not design their businesses’ computer networks with that goal in mind.
“These IT networks, these computer networks were designed not…with an eye towards meeting any regulatory standards, but with an eye towards making the system work and making the company’s operations as smooth as possible,” he said.
With the release of the executive order, Zimmet advised companies to start thinking about how they manage access to their networks and can list which people have access to them, among other computer security issues.
He also warned that critical infrastructure firms may run into problems if they don’t comply with new government cybersecurity standards. For example, Zimmet said it may be difficult in the long term for companies to secure cybersecurity insurance if they do not comply with new government standards.
The Hill has removed its comment section, as there are many other forums for readers to participate in the conversation. We invite you to join the discussion on Facebook and Twitter.