Discussion and Recommendations to the President on Incentives for Critical Infrastructure Owners and Operators to Join a Voluntary Cybersecurity Program

On February 12, 2013, the President issued Executive Order 13636, stating that the “cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” The Executive Order sets out a number of steps to address this problem, including calling on the Department of Commerce’s National Institute of Standards and Technology to develop a Cybersecurity Framework and the Department of Homeland Security to build a voluntary program “to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities. . .” The Program could include guidance on how to implement the Framework in specific sectors, as well as incentives for companies to align their cybersecurity practices, with the practices and standards specified in the Framework. The President requires DHS, the Department of Commerce, and the Department of Treasury to draft separate reports on incentives to join the Program. The following recommendations are Commerce’s contribution to this analysis of incentives.