A Chance to Comment on Commerce’s Report on Cybersecurity Incentives

As part of the Executive Order  signed by President Obama last month directing agencies to use their existing authorities and work with the private sector to better protect our nation’s power, water, and other critical systems, the Commerce Department is preparing a report on ways to incentivize companies and organizations to improve their cybersecurity.  To better understand what stakeholders –  such as companies, trade associations, academics and others – believe would best serve as incentives, the Department has released a series of questions to gather  public comments in a Notice of Inquiry published today.

The national and economic security of the United States depends on the strength of our nation’s critical infrastructure. The cyber threat to critical infrastructure is growing, and represents one of the most serious national security challenges that the United States must confront. As the President stated in the Executive Order, “repeated cyber intrusions into America’s critical infrastructure demonstrate a need for improved cybersecurity.”

As a first step toward protecting critical infrastructure, the Executive Order tasks the Department of Homeland Security (DHS) to identify the systems that could be affected by a cybersecurity incident which could in catastrophic regional or national effects on public health or safety, economic security, or national security.  Second, the National Institute of Standards and Technology (NIST) will develop a framework consisting of a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. This Cybersecurity Framework will provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to improving cybersecurity, which will help owners and operators of critical infrastructure identify, assess and mange cyber risk. Third, DHS will work with sector-specific agencies to develop the Critical Infrastructure Cybersecurity Program to promote voluntary adoption of the Framework.

The Executive Order recognizes that the private sector might require additional incentives to participate in the DHS-run program. In order to understand what incentives currently exist, and to come up with additional incentives, the Executive Order directs the Department of Commerce to recommend ways to promote participation in the Program. These incentives may include technical and public policy measures that improve cybersecurity without creating barriers to innovation, economic growth, and the free flow of information.

The Notice of Inquiry published today is the mechanism through which the Department of Commerce will collect feedback on incentives from industry and stakeholders. The Department will submit its recommendations to the President no later than June 12, 2013.  The Executive Order also directs the Secretaries of the Treasury and Homeland Security to recommend incentives to participate in the Program. The Secretary of Defense and the Administrator of General Services are tasked with reporting on government procurement-related issues.

Improving cybersecurity practices among entities that do not own or operate critical infrastructure, or for other reasons are unlikely to join the DHS program, is also an important priority. Therefore, the Department of Commerce also seeks comment on a broader set of incentives that could help to promote the adoption of proven efforts to address cybersecurity vulnerabilities.

Today’s Notice of Inquiry will remain open for public comment until April 27, 2013.  All comments will be posted on the Department’s Internet Policy Task Force web site.