On February 19, 2014, Venable attorneys and a cybersecurity policy thought-leader gathered to review the recently released NIST Cybersecurity Framework. In a midday webinar, partner and retired Navy Rear Admiral Jamie Barnett, associates Jason Wool and Ariel Wolf and President and CEO of Internet Security Alliance (ISA) Larry Clinton, considered what the reaction from business and other stakeholders will be to this important document. The NIST Cybersecurity Framework is the culmination of a year-long collaboration between owners and operators of critical infrastructure and the federal government to standardize cyber risk management. News of the event was featured in Legal Times and Federal Computer Week on February 19.
According to Legal Times, the new framework is “a good start,” but the real test will be whether companies adopt it. “Liability protection is the number one incentive businesses are looking for in exchange for participating in the program on a formal level,” Wool said during webinar. Admiral Barnett said the new framework is “the most that can be done without legislation,” but cautioned, “There are definite limitations to it.” Admiral Barnett noted that while voluntary, government contracts may feel the effects in requests for proposals saying, “for those companies doing business with the federal government, it may be a carrot, but kind of like getting hit over the head with a carrot.” A major concern over the new framework involves tort liability. “I could see plaintiffs lawyers bringing it into court, questioning ‘What did you do for this part of the framework or that part,’” said Admiral Barnett. “It’s certainly possible we’ll see it used that way… It’s easy to bring the cases--it’s hard to win them.”
The big questions about the new framework, according to Federal Computer Week, involve the role of legislation, regulatory measures, incentives for adoption, and metrics for success. “Now the focus shifts to adoption. There are no strong mechanisms for measuring adoption, that's yet to emerge,” said Admiral Barnett. “There's motivation to stave off regulatory action [and] questions over whether incentives are enough; legislation is still needed to provide the incentives necessary for widespread adoption.”
According to Legal Times, the new framework is “a good start,” but the real test will be whether companies adopt it. “Liability protection is the number one incentive businesses are looking for in exchange for participating in the program on a formal level,” Wool said during webinar. Admiral Barnett said the new framework is “the most that can be done without legislation,” but cautioned, “There are definite limitations to it.” Admiral Barnett noted that while voluntary, government contracts may feel the effects in requests for proposals saying, “for those companies doing business with the federal government, it may be a carrot, but kind of like getting hit over the head with a carrot.” A major concern over the new framework involves tort liability. “I could see plaintiffs lawyers bringing it into court, questioning ‘What did you do for this part of the framework or that part,’” said Admiral Barnett. “It’s certainly possible we’ll see it used that way… It’s easy to bring the cases--it’s hard to win them.”
The big questions about the new framework, according to Federal Computer Week, involve the role of legislation, regulatory measures, incentives for adoption, and metrics for success. “Now the focus shifts to adoption. There are no strong mechanisms for measuring adoption, that's yet to emerge,” said Admiral Barnett. “There's motivation to stave off regulatory action [and] questions over whether incentives are enough; legislation is still needed to provide the incentives necessary for widespread adoption.”