Incentives

Yesterday the White House announced the consideration of incentives in eight different areas to spur the adoption of the developing cybersecurity framework. Here is a quick analysis of the likelihood of each having an impact on changing behavior, ordered from most to least likely.

Rate Recovery for Price Regulated Industries, Impact – Moderate (if successful)

I’m out of my depth discussing rate cases in front of public utility commissions (PUC), but I have heard numerous times that not being able to recover money spent on security is a major impediment to getting funding. If recovering security costs is possible it would likely have an impact.

The question is: can the federal government have an impact on PUC rate decisions? And is this a zero-sum game where a rate increase for cyber security comes at the cost of a different rate increase? I’d like to hear some thoughts from rate case experts.

Public Recognition, Impact – Small (if tied to SEC)

The Securities and Exchange Commission (SEC) has already begun to require cyber disclosure in public company filings. If they required critical infrastructure companies to disclose compliance with a voluntary framework it could have some impact on stock price, thereby incentivizing participation. The key would be the esteem in which the framework or voluntary program was held … and the effectiveness of the program.

The political goal might be to get critical infrastructure companies to participate in the voluntary program, but the practical goal is to improve the cyber security of the critical infrastructure.

Grants and Cybersecurity Research, Impact – Very Small

Progress on ICS cybersecurity is not being held back by technical challenges. Culture, will and money are the problems.

While the impact is small, tying grants and research contracts to framework goals is smart. The Department of Energy has been doing this for years in awarding research funding to efforts that directly support their Cybersecurity Roadmap.

Liability Limitation, Impact – Negligible (but I could be wrong)

I was a proponent of this back when DHS was promoting the protection from liability provisions of the Safety Act to ICS owner/operators and vendors. The impact of the Safety Act was zero, and it is hard to see why this would be different. Someone will have to explain why this effort would be different.

Streamline Regulations, Impact – Negligible

The ICS critical infrastructure has few overlapping cyber security regulations. Most sectors outside of electric have very minor regulation.

Process Preference, Impact – Negligible

So you are more likely to get a DHS flyaway team sent if you participate, but wait: “The primary criteria for technical assistance would always remain the criticality of the infrastructure.” The flyaway teams are a PR move, not a practical solution.

Cybersecurity Insurance, Impact – Negligible

This is always an attractive suggestion, but it falls apart when you consider what you are asking to insure and how insurance works. Insurance companies need to understand and quantify the risk to write a policy. That is still difficult for cyber security losses in general, and not possible yet for ICS cyber security losses.

Any large-scale incident is likely to run up against force majeure, act-of-war type clauses that would void the insurer’s responsibility. An insurance policy is of little value if it won’t pay off on the risk a company cannot afford to assume on its own.

Image by Trevor McGoldrick