Cyber Security Liability on Drawing Board

Tuesday, July 26, 2011 @ 04:07 PM gHale


Safety is an obvious area to talk about liability issues, but when it comes to security, it is still a brand new world.

The idea of extending liability protection as part of private sector adoption of a federally-mandated cyber security framework may some day be a part of the discussion with the Obama Administration, said Bruce McConnell, a senior Homeland Security Department cyber security advisor.

RELATED STORIES

Insuring Against Stuxnet

Insurers Begin Protecting … Themselves
Security Compliance Eases Cost Burden

The White House released in May a cyber security proposal that would require operators of critical infrastructure to adopt cyber security measures for which they would undergo a regular audit.

Liability protection is not in the proposal, McConnell said, “but that’s not because we’re opposed to it,” he said.

McConnell said the proposal is necessary because the private sector has underinvested in cyber security.

Companies’ spending on cyber security depends on the worth of the assets they want to protect, McConnell said. The problem is they tend to undervalue the damage of cyber attacks.

“Companies and firms don’t know how to value the confidentiality of information, they don’t know how to value the integrity of information, they don’t know how to value the losses that come from the attacks,” he said.

Cyber attacks made against particular companies can cause broader societal losses, but there’s currently “no reason why a firm would rationally make an investment beyond its own individual costs,” McConnell added.

The framework envisioned by the White House “is not a compliance-based approach,” McConnell said. “It’s a framework that allows firms to select the most technologically efficient ways of addressing the risks that we’ve identified, in cases where the social risk of not addressing them is judged to be too high.”

Private sector response to the proposal has been critical. Larry Clinton, president of the Internet Security Alliance, an industry association, said the private sector would respond better to liability protections, creation of a better cyber insurance market and government procurement incentives.

“Uneconomic investments are not sustainable,” Clinton said. “And this is a problem that we’re going to continue to have with us, and therefore we need to come up with a sustainable solution. We need to address the cost issues.”



Leave a Reply

You must be logged in to post a comment.