Policy Issues Regarding Implementations of Cyber Attack  97


              agencies, national governments engaged in addressing automobile cyber
              security, automobile companies, and numerous others gain access to that
              data. As a result, international curation policies and processes would be called
              for. Organizations such as INTERPOL could potentially play a key role in
              creating the needed international orientation.


              5.5 MARKET INCENTIVES

              In February 2014, the National Institute of Standards and Technology
              (NIST) released Version 1 of White House Executive Order 13636—
              Cybersecurity Framework, an initial structure for organizations, govern-
              ment, and customers to use in considering comprehensive cyber-security
              programs (WH, 2013). In April 2015 a NIST presentation provided a status
              report on the evolving framework (NIST, 2015). The framework broadly
              addresses the specific needs that are discussed in the previous section, but
              without the required specificity to illuminate the complexity associated with
              anticipatory physical system solutions. Past efforts to establish market incen-
              tives for improved information system cyber security illustrate the conse-
              quences of inaction, and also demonstrate the uncertainties and
              difficulties surrounding anticipatory actions. The example provided by
              information systems highlights the importance of initiating early data collec-
              tion efforts so that incidents can be assessed for potential cyber attacks and
              confirmed attacks can be documented. With this evidence in hand, it will be
              easier to evaluate next-step responses and incentives for anticipatory forms of
              cyber security will be increased. As emphasized above, it will be difficult to
              motivate anticipatory solutions without confirmation that attacks on phys-
              ical systems are actually occurring. The National Highway Safety Traffic
              System (NHTSA), through guidance that they are providing for improving
              automobile-related cybersecurity, has taken encouraging steps to anticipate
              some of the needs addressed above (USDOT, 2016). A potential sequence of
              events is that data collection starts early and provides incontrovertible evi-
              dence of attacks on physical systems, which then drives the development of
              the needed government, industry, and consumer relationships that underpin
              market incentives for investment in anticipatory cyber security. As suggested
              above, attacks on physical systems generally pose a much greater risk to
              human safety than attacks on information systems. Therefore it may be easier
              to motivate firms and policymakers to invest in physical system security,
              since potential consequences are so severe. The development of data cura-
              tion processes that could promote the involvement of appropriate