NIST Measure Leaves Stakeholders with Little Choice

An Executive Order issued by President Obama in February this year helped establish a measure of cybersecurity standards, developed through the National Institute of Standards and Technology (NIST), for companies that are part of the country's vital infrastructure, such as utilities, after repeated attempts by Congress to draft legislation were blocked. While the Executive Order did not create any mandated protocols, it helped agencies develop a concept of broad best practices for their various industries.

Interestingly, the draft of the standards (currently delayed by the government shutdown, but expected to be approved in February 2014) presents them as a voluntary measure rather than a required standard, even though failure to comply with the guidelines can result in liability for companies that cannot prove they already have similar or superior measures against cyberattack in place.

Some critics of the voluntary standards have stated that they aren't all that voluntary. If a company cannot prove that its practices exceed these standards, the door is opened for litigation. Critics have also stated that, once established, the cybersecurity standards will become the bar that lawyers point to in order to determine liability in the event of an incident.

But companies that do adopt these measures may still not be safe from legal action in the event of a cyberattack. If a set of standards concerning personal privacy is not adhered to when a threat is identified, the company in question can face legal consequences for not protecting privacy; at the same time, protecting the privacy of a suspected threat can delay swift action, which can also result in liability.

Analysts have expressed concerns that any standards that are approved will not lead to stronger cybersecurity defenses, but will actually have the opposite effect as members of the various infrastructure agencies struggle to come up with their own best practices.