U.S. Cybersecurity Plan Not Designed To Increase Regulation, Officials Say


By Alexei Alexis

An Obama administration effort to develop voluntary cybersecurity standards for the private sector is not intended as a vehicle for imposing back-door regulations, officials assured a House panel July 18.

Under an executive order signed by President Obama earlier this year, the National Institute of Standards and Technology is required to produce a voluntary framework consisting of cybersecurity standards for the private sector (12 PVLR 257, 2/18/13). In addition, the Department of Homeland Security is charged with developing a program with incentives to promote industry adoption of the framework.

“I really think the voluntary nature of the [initiative] is quite explicit and quite transparent, and we expect it to continue to be that way,” Charles Romine, director of NIST's Information Technology Laboratory, said at an oversight hearing held by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

Similar thoughts were shared by Robert Kolasky, director of a DHS task force working on executive order implementation issues.

“Businesses make rational decisions, and they have to see that this is in their business interest,” Kolasky said.

Subcommittee Chairman Raises Doubts

Despite these assurances, Subcommittee Chairman Patrick Meehan (R-Pa.) appeared to remain skeptical about the executive order. He noted that it includes a provision directing regulatory agencies to review existing cybersecurity mandates after the NIST framework has been finalized. If existing regulations are ineffective or insufficient, the agencies are directed to propose “prioritized, risk-based, efficient, and coordinated actions … to mitigate cyber risk.”

“That appears to me to be regulation or rulemaking,” Meehan said.

Under the president's order, a draft cybersecurity framework is due by the fall, and a final version must be produced by February 2014. NIST, under the Department of Commerce, issued a draft framework outline dated July 1 (12 PVLR 1194, 7/8/13).

Recommendations Under Review

The departments of Commerce, Homeland Security, and Treasury were required to provide the White House with recommendations on potential cybersecurity incentives by June 12 (12 PVLR 1194, 7/8/13).

“We're now talking at the administration level [about] … steps forward,” Kolasky said, adding that some incentives may require legislative action.

Incentives such as grants, liability protections, streamlined information security regulations, insurance requirements, and procurement considerations have been analyzed at DHS, according to a May 21 agency study report obtained by BNA.

In his prepared testimony, Kolasky called for the enactment of comprehensive cybersecurity legislation to address issues that remain unresolved in the wake of the executive order. Such legislation should, among other provisions, incentivize industry adoption of best practices and standards, he said.

Consensus Seen on Need for Legislation

Meehan agreed that legislative action is still needed, despite steps that are already being taken by the administration.

“Ultimately, I believe it is the consensus of this committee that Congress must pass legislation, in order to address many of these outstanding issues,” Meehan said. “Existing structures within DHS must be authorized by Congress to continue functioning. Liability protections, information-sharing provisions, and industry-led incentives can only be fully enacted by statute, not presidential directives.”

In June, Meehan said that he was close to unveiling a cybersecurity bill with Rep. Michael McCaul (R-Texas), chairman of the full committee (12 PVLR 1004, 6/10/13). However, the effort has stalled.

A Meehan spokeswoman told BNA July 18 that the committee is still receiving comments on a discussion draft. The congressman now anticipates committee action in the fall, she said.

Meanwhile, panelists at a July 17 conference hosted by Wiley Rein LLP said federal agencies are aiming to incorporate industry ideas as they develop frameworks to comply with the executive order.

Further information on the hearing, “Oversight of Executive Order 13636 and Development of the Cybersecurity Framework,” including links to opening statements, prepared witness testimony, and archived webcasts of the hearing, is available at http://homeland.house.gov/hearing/subcommittee-hearing-oversight-executive-order-13636-and-development-cybersecurity-framework.

Full text of the preliminary DHS incentives study is available at http://op.bna.com/der.nsf/r?Open=sbay-99qtkg.