In a March 10, 2014, Communications Daily article, DC Senior Policy Advisor Norma Krayem commented on the recently released, voluntary cybersecurity framework, which may become a de facto standard of care in the near future, affecting future litigation. Referring to the framework as “only a series of best practices and points to existing standards that have existed for some time,” Ms. Krayem acknowledged the concerns of critical infrastructure entities over the impact of the framework’s potential de facto status.
The communications and IT sectors, which are among the 16 critical infrastructure sectors identified by Presidential Policy Directive 21, may have a special burden because “the other critical infrastructure sectors rely on them for everything that they do,” Ms. Krayem noted. The communications sector, for instance, “is a foundation for innovation in many things you see in the financial services sector, but the struggle then is that there are core interdependencies between these sectors,” she said. “The framework attempts to make it clear that no matter who you are, you are responsible for your portion of the supply chain,” Ms. Krayem added.
Regarding the framework’s scalability and impact on small versus larger carriers, Ms. Krayem claimed smaller companies have a bigger incentive to work with the Department of Homeland Security on framework implementation. DHS’s Critical Infrastructure Cyber Community program has “a number of tools and people who can come and help you evaluate what your level of risk is,” Ms. Krayem advised. “From that point, you’ll have a better baseline to evaluate what you need to spend,” she said. Larger entities in the communications sector and other sectors should also be “working within their sector and supply chain to provide assistance,” remarked Ms. Krayem. “There are certainly lessons learned by the larger carriers on risk factors, a much greater awareness about the types of cyber attackers and what that behavior looks like. There are hosts of companies that see things — and understand what they actually mean — more than what a smaller carrier would.”