On April 29, 2004, the American National Standards Institute (ANSI) recommended to the 9/11 Commission that NFPA 1600 be established as the national preparedness standard. On July 22, 2004, the 9/11 Commission formally endorsed NFPA 1600 and urged that compliance with NFPA 1600 be taken into account by the insurance and credit rating industries in assessing a company’s insurance rating and creditworthiness. The 9/11 Commission also believes “compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes.”
NFPA 1600 establishes a shared set of norms for disaster management, emergency management, and business continuity programs. It also recognizes ways to exercise plans and makes available a listing of resource organizations within the fields of disaster recovery, emergency management and business continuity planning. One vital aspect of NFPA 1600 is its requirement that all emergency management and business continuity programs must comply with all relevant laws, policies and industry practice.
Incident management use of disaster mitigation in the critical infrastructure domain
Waiting for the cyber-hurricane safe harbor: incident management standards adrift?
Part five of a series
July 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
(non-attorney who is not providing legal advice)
ABSTRACT
Use of best practices for incident management may help in litigation mitigation.
Background
In March 2002 two Fayetteville, NY firefighters died when a floor collapsed at a house fire. A widow filed suit against the property owner, Onondaga County, and the fire departments involved for mismanaging the incident and allowing unsafe operations that caused the death.
Pursuant to NY General Municipal Law § 205-a, a court deemed there was a failure to properly implement the tenets of the National Incident Management System (NIMS) and the Incident Command System (ICS), resulting in a costly settlement for the widow.
The case has reminded fire departments across the nation that best practices, and failure to follow them, can result in painful outcomes.
***
The cybersecurity national floor
A Cybersecurity Framework (CSF) has been proposed by the White House via Executive Order 13636, which, amongst other things, tasks the U.S. National Institute of Standards and Technology (NIST) to develop a consensus-driven policy framework designed for voluntary compliance by industry. The focus is to help secure the Critical Infrastructure and Key Resources (CI/KR) maintained by private owner-operators and define risk management metrics (an estimated 80% of CI/KR is operated by private entities).[1]
Simultaneously with CSF development, CI/KR industry thought leaders are promoting a Cyber Safety Act: legislation that would provide safe harbors or other limitations on cybersecurity liability, contingent on reasonable efforts to conform to best practices.
[1] National Infrastructure Protection Plan, Energy Sector, U.S. Department of Homeland Security (2005)
CSF may ultimately become the baseline to provide for these “best practices”, or the “national floor” for CI/KR cybersecurity[2] incident immunity.
As the Integrated Task Force (ITF) for Presidential Policy Directive 21 (PPD-21) has opined regarding the proposed Cyber Safety Act:
“…Liability would be capped at the amount of cyber insurance acquired. Additionally, this incentive would provide marketing and insurance benefits to corporations, improving the business case for making cybersecurity investments…”[3]
These initiatives have been proposed to create an incentive environment in the hopes that CI/KR private operators can be incentivized to implement voluntary frameworks, like the EO 13636 CSF.
How much cybersecurity is enough?
For nearly fifty years the landmark legal precedent in establishing technology disaster liability has been United States vs. Carroll Towing Company.[4]
In the Carroll Towing incident a tug boat towed a barge into a nasty storm at sea. When the barge was lost at sea the private tug boat operator was sued. Inquiries were made as to why the tug boat was not equipped with new weather radios (this was 1947). The operator claimed that this new technology was costly.
However, the presiding judge created an algebraic equation to determine the amount of money that should be expended on technology safeguards to mitigate loss and injury (known as the Hand Rule). Restated:
“…if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL…”
Meaning if estimated business injury is $12 million, and there is a 10 percent chance of such disaster, it may be prudent to invest $1.2 million to mitigate such an outcome.
During any post-incident legal analysis and litigation the Hand Rule will most certainly be applied by litigators to measure the adequacy of an organization’s pre-incident planning and management of the incident.
[2] “…HIPAA's privacy and security rules establish a national floor for confidentiality, covered entities have been left to develop their own internal enforcement…” AHIMA, "Sanction Guidelines for Privacy and Security Violations." Journal of AHIMA 82, no. 10 (October 2011): 66-71.
[3] Integrated Task Force, Critical Infrastructure Security and Resilience, U.S. Department of Homeland Security.
[4] United States v. Carroll Towing Co., 159 F.2d 169, 173-74 (2d Cir. 1947).
Establish a national floor for incident management
Meanwhile, private CI/KR operators complain that cyber threats are over-hyped in a threat-driven environment and that millions have already been invested in “check the box” mandatory compliance standards (that usually address static infrastructure). In contrast, investing in dynamic incident management capabilities may provide a flexible tool to mitigate evolving disaster.
For instance, in July 2004, the 9/11 Commission formally endorsed National Fire Protection Association (NFPA) Standard 1600[5] for use in emergency incident management and urged that compliance with NFPA 1600 be taken into account by the insurance and credit rating industries in assessing a company’s insurance rating and creditworthiness. The 9/11 Commission also suggested:
“…compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes…”[6]
Thus, there is a need for CI/KR private operators to examine NFPA 1600 incident management principles in the context of a Carroll Towing type of investment (as opposed to static cyber security appliances). Restated, relying on static appliances alone is like purchasing weather radios without the necessary radio operator training to tune the radio and locate the necessary weather report.
Incident management (unlike static controls) is a dynamic and evolving response to the consequences of a severe incident. This includes man-made cyber incidents that have downstream and cascading effects on CI/KR. NFPA 1600 recognizes this and incorporates the principles of the National Incident Management System (NIMS).
“The NIMS approach fosters coordination and cooperation (interoperability) between public and private entities in a variety of domestic incident management activities regardless of cause, size, or complexity…”[7]
In sum, serious consideration should be given by CSF planners to incorporate an NFPA 1600 and/or NIMS response capability in the EO 13636 CSF. This would promote the holistic integration of incident response and management with the cyber security community.
[5] NFPA 1600®: Standard on Disaster/Emergency Management and Business Continuity Programs, 2013 Edition
[6] The 9/11 Commission Report 398 (2004).
***
About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Project Management Professional and holds Master’s degrees in Information Security and Project Management. A graduate of the National Fire Academy (NFA) Incident Management Team (IMT) course, he is a practitioner of NFPA 1600/NIMS in his role of assisting private organizations in institutionalizing NFPA 1600/NIMS into their organizational severe incident response plans and training.
[7] NIMS, Dec. 2008, U.S. Department of Homeland Security