Professor Scott J. Shackelford and I recently contributed an op-ed to The Huffington Post Blog. An excerpt of that post, “Why Ignoring the NIST Framework Could Cost You,” appears below. The full post can be found here.
Last week, the much anticipated (at least in the, let’s face it, relatively small and quirky circles that pay attention to this stuff) NETmundial meeting on the future of Internet governance wrapped up in Brazil. The conference helped to entrench a growing consensus surrounding the multi-stakeholder model of Internet governance, along with calling for a “secure, stable, resilient, [and] reliable” cyberspace. One of the recent paths toward enhancing cybersecurity, at least in the United States, has been the 2014 NIST Cybersecurity Framework. The Framework harmonizes consensus standards and industry best practices to provide, its proponents argue, a flexible and cost-effective approach to enhancing cybersecurity that assists owners and operators of critical infrastructure in assessing and managing cyber risk. But even though it’s voluntary, ignoring it may prove costly.
Reactions to the NIST Framework have been mixed. From its inception, the Framework has been developed with an aim toward creating a robust method of addressing critical infrastructure cybersecurity concerns without enacting binding (and potentially cumbersome) regulatory requirements. Proponents suggest that market-based incentives and support through the Department of Homeland Security’s Critical Infrastructure Cyber Community Voluntary Program (referred to as the “C-Cubed” Program) will help encourage organizations to adopt the Cybersecurity Framework. However, while market-driven incentives may play a role, it’s likely that avoiding liability will be a primary driver in firm decision-making. Courts hearing negligence lawsuits in particular could look to the Framework to define what counts as a reasonable standard of care in cybersecurity.