The White House has signaled its tilt toward a cooperative and voluntary approach for protecting “critical infrastructure” assets from cyberattacks and breaches in a notice issued last month by cybersecurity coordinator Michael Daniel.
Daniel stated, “Protecting cyberspace is, by its very nature, a mission shared by all. This reality makes organizing for cybersecurity incredibly complex, because it requires cooperation across boundaries in the physical world that are difficult to bridge — between government agencies, within the private sector, and between the government and the private sector.”
The major conclusion of an administration study of executive branch agencies was that the study “supports our current voluntary approach to address cyber risk,” Daniel said in his post. “The administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information.”
In February, the Obama Administration announced the launch of the Cybersecurity Framework, which is the result of a year-long private-sector-led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. The framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Barack Obama announced in the 2013 State of the Union.
“While others are still toying with antiquated regulatory models to address this issue, the administration has charted a new and visionary course through the President’s 2013 executive order on cybersecurity,” said Larry Clinton, president of the Internet Security Alliance.
As part of a 2013 executive order and the adoption earlier this year of a cybersecurity approach developed through the National Institutes of Technology, known as the “NIST Framework,” the administration examined three major agencies regarding cybersecurity: the Department of Homeland Security, the Department of Health and Human Services, and the Environmental Protection Agency. The review covered such critical infrastructure components as water, chemical hazards, food and medical supplies and services, and transportation. Each agency concluded that its existing authorities were adequate to meet the goals of the NIST Framework, and that voluntary and cooperative programs with the private sector were preferable to an exclusively regulatory approach.
Although there are signs that the administration is leaning toward a voluntary approach, legislation might still be necessary in order to bring the private sector completely on board for a national government-industry program for the prevention or containment of cyberattacks. The challenge is for Congress to craft a bill that provides incentives for business cooperation while minimizing burdensome regulation.
The Senate approved a bill on July 8, the Cybersecurity Information Sharing Act, that would encourage private companies to share information about cyber threats with the federal government and other companies. It also includes liability protection measures for sharing information and responding to threats.
A similar bill, the Cyber Information Sharing and Protection Act, or CISPA, passed in the House by a 288-127 vote last year.