Last month my blog post discussed Microsoft’s perspective on building a Cybersecurity Framework for critical infrastructure, which is part of President Obama’s Executive Order on cybersecurity.  As a next step in the process of implementing the Executive Order, the Commerce Department recently requested comments regarding incentives to encourage critical infrastructure entities and others to adopt improved cybersecurity practices.  These incentives would be aimed at encouraging participation in a new voluntary program (referred to as the Voluntary Program below) to support the adoption by owners and operators of critical infrastructure and other interested entities of the Cybersecurity Framework being developed by the National Institute of Standards and Technology (NIST).

Last week, Microsoft submitted comments to the Commerce Department about these incentives.  Before discussing Microsoft’s comments, it is important to acknowledge that the Commerce Department has led an ongoing public discussion about how to incent broader adoption of cybersecurity practices, reaching back to Commerce’s Green Paper on Cybersecurity, Innovation, and the Internet Economy and our comments both prior and subsequent to the Green Paper.  We appreciate the Commerce Department’s consistent focus on the important challenge of creating incentives to increase cybersecurity.

Our comments outline four main incentives that we believe would be meaningful to both critical infrastructure and non-critical infrastructure entities:

  • Leveraging the procurement power of the federal government. We recommend that the federal government leverage its procurement power to encourage entities to strengthen their cybersecurity practices and investments in innovation.
  • Enabling information exchanges among participants in the Voluntary Program. We recommend creating channels for information exchange between and among Voluntary Program participants.  This would incentivize participation by promoting trust and providing greater legal clarity. 
  • Government leadership towards harmonized approaches to cybersecurity. We recommend that the government commit to international harmonization on key aspects of cybersecurity because many potential Voluntary Program participants are global entities, or may aspire to be, and could be incentivized to participate in the Voluntary Program if the underlying practices (namely the Cybersecurity Framework) were rooted in international standards.
  • Appropriately scoped limitations on liability from cybersecurity incidents.  We recommend that the administration and Congress continue to work together to encourage information sharing, and continue to include limitations on liability as an incentive to improve information sharing. 

The dialogue around the Executive Order implementation in the United States and the draft Network and Information Security Directive in Europe is an important phase in the development of global cybersecurity policy and practice. The development and implementation of these efforts are very challenging and will require new approaches and unprecedented collaboration between and among governments and industry.  Microsoft is committed to working with industry and government partners to help advance international standards and practices that enhance cybersecurity.  We look forward to continued engagement with Commerce, other agencies, and the private sector as the Executive Order is implemented.

Paul Nicholas
Senior Director, Global Security Strategy
Microsoft Corporation