“The devil is in the details” — that about sums up my take on the White House Cybersecurity Plan. Many thanks to Lily Newman for including this and some other points from our discussion in her Wired article, “The High-Stakes Blame Game in the White House Cybersecurity Plan.”
I appreciate that the Administration is talking about cybersecurity. Just like in a company, if we want to create a culture of cybersecurity here in America, we have to start talking more about cybersecurity, and it works best if the leaders at the top are engaged in the discussion. In that sense, this Plan is a good thing.
All I am saying is don’t go getting too excited just yet expecting to see much of this actually come to pass. They laid out a strategy and some ideas for discussion, which is great, but much like threat intelligence — how much of it is really actionable and will lead to some meaningful, tangible difference is the question. You may love the ideas in the Plan and desperately want to see them come to pass, but, practically speaking, do you really think that those ideas will?
Some, yes; some, no; some, maybe? Here is the gist of my discussion with Lily from the article — what do you think?
Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues, emphasizes that from an industry perspective, “the devil is in the details” on all these proposals. On legal liability, he says the debate comes down to what exactly is meant by “reasonable.”
“We all see the extremes in the continuum—we see the providers that are doing a poor job, that are just throwing stuff out there,” he says. “I’m fine for liability on them, but what about those that are trying to do their best but are engaged in an unwinnable war with well-resourced hackers? What’s ‘reasonable’?”
One point from the strategy that might see more movement is the Biden administration’s proposal for some sort of federal backstop to help stabilize the cybersecurity insurance market. If liability for cybersecurity failures were to shift in any meaningful way, cybersecurity insurance would become even more vital than it already is for tech companies and others who hold sensitive data, like health care firms. But that’s assuming insurance companies will cover cybersecurity incidents at all.
In late December, Mario Greco, CEO of the massive European insurer Zurich, told the Financial Times, “What will become uninsurable is going to be cyber.” The comment, made a day after Christmas, added an edge to an already tense climate in which companies grasp for safeguards and solutions as cybercriminal and nation-state attacks impose rapidly rising costs.
A government backstop like the one the national cybersecurity strategy is proposing could provide crucial reassurances, but Tuma points out that it could also come with strings attached for the insurance industry and its clients. He suggests the US government could mandate that, in exchange for its support, anyone who makes cybersecurity insurance claims would be required to report the incident to the FBI’s Internet Crime Complaint Center. “They need more cooperation from the private sector in reporting these events,” Tuma says.