New NIST cybersecurity standards could pose liability risks
Once passed, the standard will become the benchmark to measure critical infrastructure security programs
Computerworld - Critical infrastructure companies could face new liability risks if they fail to meet voluntary cybersecurity standards being developed by the National Institute of Standards and Technology.
The slated release of a draft of the standard on Thursday was delayed, apparently due to the federal government shutdown. NIST's main website was shuttered on Thursday.
The standards effort was launched after an Executive Order by President Barack Obama earlier this year.
A preliminary version of the draft standard has been floating around for several weeks, however.
The formal draft version, when released, will be available for public review until February 2014, according to the original schedule. Once the review is complete, NIST will release a final version of the standards that incorporates changes recommended by stakeholders.
The NIST cybersecurity framework is designed to serve as a security best practices guide for organizations in critical infrastructure sectors, like power, telecommunications, financial services and energy.
The framework was developed with input from industry stakeholders.
It is not designed to mandate specific security controls. Rather, it offers broad standards for identifying and protecting critical data, services and assets against cyber threats. It offers a set of best practices for detecting and responding to an attack, mitigating the fallout from cyber incidents and for managing risks overall.
Obama issued the Executive Order in February to address what he said was an immediate need to protect critical infrastructure targets against cyberattacks. Administration officials said the order came only after repeated failures by Congress to pass meaningful cybersecurity legislation.
Participation in the standards program is voluntary. The Executive Order leaves it up to the federal agencies in charge of each critical sector to push adoption of the standards through a combination of incentives and other market-driven means.
In practice, though, critical infrastructure owners and operators will likely be left with little choice but to follow the standards, or at least show they have comparable security measures in place, said Jason Wool, an attorney with Venable LLP, a Washington, D.C.-based law firm.
Companies that ignore the standards and are breached will open themselves up to negligence, shareholder and breach of contract lawsuits along with other liability claims. The standards will likely be viewed as the minimum level of care and integrity within critical infrastructure sectors, Wool noted.
"You don't have to adopt these standards. But the fact that this framework [spells out] activities that are recommended for cybersecurity, establishes a bar that companies need to meet," Wool said. "The framework requires, at minimum, that owners and operators of critical infrastructure look at themselves and do a gap analysis."
Even companies that don't adopt the standards need to show what they are doing is as effective.