An Obama administration effort to develop voluntary cybersecurity standards for the private sector is not intended as a vehicle for imposing back-door regulations, officials assured a House panel July 18.
Under an executive order signed by President Obama earlier this year, the National Institute of Standards and Technology is required to produce a voluntary framework consisting of cybersecurity standards for the private sector (12 PVLR 257, 2/18/13). In addition, the Department of Homeland Security is charged with developing a program with incentives to promote industry adoption of the framework.
“I really think the voluntary nature of the [initiative] is quite explicit and quite transparent, and we expect it to continue to be that way,” Charles Romine, director of NIST's Information Technology Laboratory, said at an oversight hearing held by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.
Similar thoughts were shared by Robert Kolasky, director of a DHS task force working on executive order implementation issues.
“Businesses make rational decisions, and they have to see that this is in their business interest,” Kolasky said.
Despite these assurances, Subcommittee Chairman Patrick Meehan (R-Pa.) appeared to remain skeptical about the executive order. He noted that it includes a provision directing regulatory agencies to review existing cybersecurity mandates after the NIST framework has been finalized. If existing regulations are ineffective or insufficient, the agencies are directed to propose “prioritized, risk-based, efficient, and coordinated actions … to mitigate cyber risk.”
“That appears to me to be regulation or rulemaking,” Meehan said.
Under the president's order, a draft cybersecurity framework is due by the fall, and a final version must be produced by February 2014. NIST, under the Department of Commerce, issued a draft framework outline dated July 1 (12 PVLR 1194, 7/8/13).
The departments of Commerce, Homeland Security, and Treasury were required to provide the White House with recommendations on potential cybersecurity incentives by June 12 (12 PVLR 1194, 7/8/13).
“We're now talking at the administration level [about] … steps forward,” Kolasky said, adding that some incentives may require legislative action.
Incentives such as grants, liability protections, streamlined information security regulations, insurance requirements, and procurement considerations have been analyzed at DHS, according to a May 21 agency study report obtained by BNA.
In his prepared testimony, Kolasky called for the enactment of comprehensive cybersecurity legislation to address issues that remain unresolved in the wake of the executive order. Such legislation should, among other provisions, incentivize industry adoption of best practices and standards, he said.
Meehan agreed that legislative action is still needed, despite steps that are already being taken by the administration.
“Ultimately, I believe it is the consensus of this committee that Congress must pass legislation, in order to address many of these outstanding issues,” Meehan said. “Existing structures within DHS must be authorized by Congress to continue functioning. Liability protections, information-sharing provisions, and industry-led incentives can only be fully enacted by statute, not presidential directives.”
In June, Meehan said that he was close to unveiling a cybersecurity bill with Rep. Michael McCaul (R-Texas), chairman of the full committee (12 PVLR 1004, 6/10/13). However, the effort has stalled.
A Meehan spokeswoman told BNA July 18 that the committee is still receiving comments on a discussion draft. The congressman now anticipates committee action in the fall, she said.
Meanwhile, panelists at a July 17 conference hosted by Wiley Rein LLP said federal agencies are aiming to incorporate industry ideas as they develop frameworks to comply with the executive order.
Further information on the hearing, “Oversight of Executive Order 13636 and Development of the Cybersecurity Framework,” including links to opening statements, prepared witness testimony, and archived webcasts of the hearing, is available at http://homeland.house.gov/hearing/subcommittee-hearing-oversight-executive-order-13636-and-development-cybersecurity-framework.
Full text of the preliminary DHS incentives study is available at http://op.bna.com/der.nsf/r?Open=sbay-99qtkg.