NIST Official: Businesses May Need Tax Breaks, Immunity to Adopt Cyberstandards

By Casey Wooten  

Work is progressing on implementing the president's executive order calling for voluntary cybersecurity standards, but legislation may be needed to entice industry to go along, a top National Institute of Standards and Technology official told lawmakers May 21.

“The primary need for legislation is going to be more important as we look at the implementation of the adoption of the framework,” Patrick Gallagher, undersecretary of commerce for standards and technology at NIST, said at a House Energy and Commerce Committee hearing on cyberthreats and security solutions.

Signed in February, the executive order directs NIST to lead the development of a framework of voluntary cybersecurity standards for critical infrastructure, such as utility, manufacturing, and telecommunications data networks. The executive order calls for creating incentives for the private sector to participate in the program (12 PVLR 257, 2/18/13).

Incentives Could Spur Adoption

“What we are going to be looking at is, 'What are the obstacles that get in the way of implementation?'” Gallagher said. “What are the areas where these practices require incentives, or maybe moving barriers to adoption?”

Gallagher listed liability protection, tax exemptions to support the capital investment required to upgrade systems, and grant programs to help fund research and development activity to advance security technology as potential incentives that would require legislation to create.

Other incentives would fall within existing authority, such as creating government procurement preferences for companies participating in the cybersecurity program, Gallagher said.

Liability a Key Issue

Witnesses agreed that a top incentive toward sharing cybersecurity information is protection from liability. If a company shares information on a security flaw in a critical network, it would want to be protected from potential litigation, said Phyllis Schneck, vice president and chief technology officer of the Global Public Sector at McAfee Inc., an internet security firm.

“If we see the same type of event happening to someone in the same sector, we want to be able to tell that to the whole sector … without fear that we will get hurt,” Schneck said.

Under the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 624), which the House passed in April (12 PVLR 671, 4/22/13), companies would have liability protection when sharing cyberthreat information with the federal government. The bill is now in the Senate.

Businesses Worried About a Mandate

Committee Republicans and several panelists also expressed concern that the voluntary set of standards proposed by the administration could turn into a requirement.

“We just don't need extra complexity, to have another agency come in and try to regulate us a second time,” said Charles Blauner, global head of information security at Citigroup.

Utilities Under Regular Attack

Some committee Democrats showed skepticism about whether voluntary rules would be effective in securing critical networks.

The hearing came the same day as Reps. Henry Waxman (D-Calif.), the ranking member of the Energy and Commerce Committee, and Edward Markey (D-Mass.) released a report detailing the extent to which utilities come under cyber-attack. More than a dozen utilities out of 100 surveyed reported daily, constant, or frequent attempts to break into their computer systems, with one utility reporting more than 10,000 attempted cyber-attacks each month, the report said.

Calling the findings “sobering,” Waxman said in his opening remarks that his report found most utilities complied only with mandatory cybersecurity standards. Most had not implemented existing, voluntary recommendations set out by the North American Electric Reliability Corporation, an industry organization that develops security standards for the nation's electric grid.

“The failure of utilities to heed the advice of their own industry-controlled reliability organization raises serious questions about whether the grid will be adequately protected by a voluntary approach to cybersecurity,” Waxman said.

Further information on the hearing, including links to prepared testimony and an archived webcast of the hearing, is available at

Waxman and Markey's report, “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” is available at
