The White House on Tuesday released a preliminary set of incentives it may offer power plants, water companies and others that operate critical infrastructure to get them to join a cybersecurity program chaired by the Homeland Security Department.
Companies could receive insurance from agencies if they adopt certain cybersecurity best practices and standards within their computer networks, priority consideration for grants and technical assistance from the government, and public recognition for compliance with the voluntary program's cybersecurity standards.
The administration compiled the list of preliminary incentives in accordance with the cybersecurity executive order signed by President Obama in February. The cyber order directed the Commerce, Treasury and Homeland Security departments to develop a list of incentives that the government could offer companies to entice them to join the cybersecurity program.
The White House stressed that publishing these preliminary incentives "is an interim step" and should not be considered its "final policy position on the recommend[ed] actions."
The president signed the executive order after Congress failed to reach agreement on cybersecurity legislation twice last year. Top national security and intelligence officials have warned that the United States is vulnerable to a devastating cyberattack that could led to disruption or fatalities.
Unlike legislation, an executive order must stay within the parameters of existing law and cannot grant new powers or authorities. This limits the types of carrots the government can offer to companies without having to pass new legislation.
For example, the executive branch cannot offer companies liability protection without passing new legislation first. Cybersecurity legislation considered in Congress last year would have granted companies protection from lawsuits if they're part of the cybersecurity program run by DHS and still suffer a security breach on their computer networks.
Under the executive order, the White House said agencies are gathering more information "to determine if legislation to reduce liability on program participants may appropriately encourage a broader range of critical infrastructure companies" to adopt cybersecurity best practices.
NIST was tasked with this responsibility in the executive order. The first draft of its cybersecurity framework is due in October. NIST has held workshops over the last few months across the country to gather feedback from industry.
The companies that choose to participate in the cybersecurity program chaired by DHS will adopt the best practices in the NIST framework.
"While these reports do not yet represent a final administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the cybersecurity framework as envisioned in the executive order," the blog post reads.