On Wednesday, February 12, the White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs. It is accompanied by a Roadmap which discusses NIST’s next steps with the Framework and identifies key areas of development, alignment, and collaboration. The Framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered on October 1, 2013. The overall core of the Framework is essentially unchanged from earlier drafts, also previously discussed on October 28, 2013.
The National Institute of Standards and Technology (NIST) has just released its Preliminary Cybersecurity Framework: a set of best practices to help owners and operators of critical infrastructure reduce cybersecurity risks. This voluntary framework provides both private and public-sector organizations with a common language for understanding and managing cybersecurity risks internally and externally. The framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered by this blog. The Final Framework is due to be released in February 2014, following a 45-day public comment period on the Preliminary Framework.
As practitioners are aware, in February 2013, President Obama issued an executive order directing federal agencies to create a set of voluntary cybersecurity standards and procedures for critical parts of the private sector. If followed, these “best practices” are intended to reduce the risk of a cyber attack and its attendant disruption of business.
On June 6, the Gibbons Institute of Law, Science & Technology, along with Seton Hall University School of Law, will host a timely and informative program, “Cybersecurity Insurance and Cybersecurity Risk Management.” The evening features two expert panels who will examine the developing cyber-risk insurance market. Panelists will address the potential legal liability for businesses victimized by cyber crimes, as well as the availability and scope of coverage for cyber-risk insurance policies.
Current Cybersecurity Issues and Laws Affecting Private Sector Industries Discussed at the Fifth Annual Gibbons E-Discovery Conference
On the heels of National Cybersecurity Awareness Month in October, the second panel discussion at the Fifth Annual Gibbons E-Discovery Conference dealt with pressing issues involving cybersecurity and their effect on private industries. Moderated by Gibbons Director and senior E-Discovery Task Force member Jeffrey L. Nagel, Esq., the panel opened with a presentation by Erez Lieberman, Esq., Deputy Chief of the Economic Crimes Unit and Chief of the Computer Hacking and Intellectual Property Section, Office of the United States Attorney, District of New Jersey. Mr. Lieberman discussed several cases of high-profile cybersecurity breaches in recent years and the government’s role in those cases.
Cybercrime has increased tremendously in the digital economy. “According to the American Society for Industrial Security, American businesses [are] losing $250 billion a year from intellectual property theft since the mid-1990’s.” There is a clear and growing threat of Chinese industrial espionage targeted at American companies. In a recent case, a Michigan couple was accused of stealing $40 million worth of trade secrets from General Motors and selling them to a Chinese car maker. Aside from hackers, the threat also exists within organizations from insiders. A recent study commissioned by Cisco found that “[i]n the hands of uninformed, careless, or disgruntled employees, every device that accesses the network or stores data is a potential risk to intellectual property or sensitive customer data.”
With the U.S. economy still reeling from the aftershock of what is now known as the “Great Recession,” companies large and small are evaluating cloud computing as a means of reducing IT costs. The National Institute of Standards and Technology (“NIST”) and the Cloud Security Alliance have defined cloud computing as a model for on-demand network access to a shared pool of computing resources over the internet, namely software applications, data servers, networks and other services. Just as businesses and consumers now pay for gas, electricity and other utilities, cloud enthusiasts predict that the cloud will be sold on demand as a pure IT service.