White House Unveils Recommendations To Incentivize Cybersecurity Best Practices

By Alexei Alexis  


The White House Aug. 6 unveiled recommendations on incentives that could be used to encourage critical parts of the private sector to adopt cybersecurity best practices.

The departments of Commerce, Homeland Security, and Treasury were required to prepare the recommendations as part of a larger cybersecurity plan launched by President Obama earlier this year. The agencies explored incentives such as cybersecurity insurance, grants, liability limitation, streamlined regulations, and research.

“Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders,” White House Cybersecurity Coordinator Michael Daniel said in an Aug. 6 blog post.

Publication of the three agencies' reports is an interim step and does not indicate the administration's final policy position, he said.

White House Shift Welcomed

The White House announcement was welcomed by the Internet Security Alliance (ISA), a Washington industry group that includes companies such as Verizon Communications Inc., General Electric Co., The Boeing Co., Lockheed Martin Corp., and Wells Fargo & Co.

“We see this as a dramatic and positive change in direction for the Obama administration,” ISA President Larry Clinton told BNA Aug. 6.

The administration unsuccessfully lobbied the previous Congress to give the federal government new authority to issue mandatory cybersecurity regulations.

At issue is the protection of computer systems that run the nation's “critical infrastructure,” such as the electric grid. The White House and Congress have become increasingly concerned about these systems in light of mounting cyberthreats.

In February, the president signed an executive order directing the National Institute of Standards and Technology, a division of Commerce, to lead the creation of a framework with voluntary cybersecurity standards for the private sector (12 PVLR 257, 2/18/13).

Draft Framework Due in October

A draft framework is due in October, and a final version must be produced by February 2014. Commerce, DHS, and Treasury were required to provide the White House with reports on potential cybersecurity incentives by June 12.

Ultimately, DHS is expected to coordinate the development of a program with incentives to promote industry adoption of the framework, once it has been finalized.

“How the incentives process works itself out to support the adoption of the framework is something the private sector will be very interested to see,” Norma Krayem, a senior policy adviser at Patton Boggs LLP in Washington, told BNA Aug. 6.

According to Daniel, some of the recommended incentives can be put in place quickly under existing authorities after the voluntary program is in place, while others would require legislative action. “We are currently working with the appropriate agencies to prioritize each incentive area and move forward,” he said.


Agencies Consider Mix of Incentives

The agency reports recommend actions such as:

• streamlining existing cybersecurity regulations;

• offering cybersecurity litigation benefits, such as reduced tort liability, limited indemnity, lower burdens of proof, or the creation of a federal legal privilege that preempts state disclosure requirements;

• engaging the insurance industry in the development of the cybersecurity framework and program;

• requiring participation in the program as a condition or as one of the weighted criteria for federal critical infrastructure grants;

• pursuing further dialogue with federal, state, and local regulators and sector-specific agencies on whether agencies that set utility rates should consider allowing recovery for cybersecurity investments related to participation in the program; and

• identifying areas where research and development can help to meet pressing cybersecurity challenges.

Treasury: No Insurance Legislation Needed

The Treasury Department found that input from and collaboration with the insurance sector could play a critical role in the success of the framework. However, the agency said that no legislative action is needed for the industry's continued growth and recommended against the creation of a government program for cyber-insurance at this time.

“Direct government involvement may not be necessary and could, in fact, impede the development of a private market,” the agency said in its report. “Nevertheless, the natural development of the private cyber insurance market could advance cybersecurity, and through its standard-setting and compliance functions, may indirectly spur adoption of the Framework.”

While the department found that use of tax incentives could help to spur cybersecurity investments, the agency ultimately concluded that it would come at the expense of “foregone revenue for the government or reallocation of existing fiscal obligations” and recommended against further consideration of the option.


The White House blog post is available at http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework.

The Commerce report, “Recommendations to the President on Incentives for Critical Infrastructure Owners and Operators to Join a Voluntary Cybersecurity Program,” is available at http://www.ntia.doc.gov/files/ntia/Commerce_Incentives_Recommendations_Final.pdf.

The DHS report, “Executive Order 13636: Improving Critical Infrastructure Cybersecurity Department of Homeland Security Integrated Task Force Incentives Study,” is available at http://www.dhs.gov/sites/default/files/publications/dhs-eo13636-summary-report-cybersecurity-incentives-study_0.pdf.

Treasury's report, “Treasury Department Summary Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636,” is available at http://www.treasury.gov/press-center/Documents/Treasury%20Report%20%28Summary%29%20to%20the%20President%20on%20Cybersecurity%20Incentives_FINAL.pdf.