I am participating today and tomorrow at a seminar at Roger Williams University Law School, entitled Cyber Threats and Cyber Realities. It is being hosted by our Lawfare guest contributor Peter Marguiles.
On today's first panel, I was particularly struck by two observations made by panelist Jonathan Schneider. Schneider is an energy lawyer in Washington DC who is closely following the ongoing process at NIST that is designed to develop a "Cybersecurity Framework." This Framework is styled as a "best practices" system that will be voluntary for the effected industries. I asked Schneider about this and he said two things: First, he noted that no responsible energy company CEO could ignore the Framework standards, even if they were voluntary. For one thing, he expected that the fact of non-compliance would have to be reported to the local public utility commission. For another, he assumed that the fact of compliance or non-compliance would eventually be known to the utilities customers.
Both those seem right to me and suggest to me that even if the voluntary framework does NOT result in actually liability for non-compliance it is likely that other collateral factors will drive us so that the Framework becomes, effectively, semi-mandatory. And if you think that the government's capability to define good standards is high, this will please you. If you doubt the capability this will be off-putting.
The second observation, which builds on the first, was Schneider's opinion that that Framework will have sufficient "bite" to it and enough semi-mandatory character, that the White House will likely decide that it does not need a statute providing mandatory statutory requirements. Which, in turn, might explain something that has puzzled me -- namely why the Senate Democrats have yet to reintroduce an updated version of last year's Cybersecurity Act with a regulatory title? Perhaps they, and the White House, are increasingly convinced that they don't need it.