Offering government incentives to companies that take steps to make their networks safer would be more effective than mandating that they do so, according to a white paper released this month by a coalition of private-sector groups.
Market-based incentives are one of several recommendations made in a white paper by the Business Software Alliance, Internet Security Alliance, Center for Democracy and Technology, U.S. Chamber of Commerce and TechAmerica. The document, titled Improving our Nation’s Cybersecurity through the Public-Private Partnership, asserts that public-private partnerships are essential to securing Internet infrastructure and that partnerships should be expanded.
Other recommendations from the industry groups include building upon conclusions reached in President Barack Obama’s Cyberspace Policy Review: government and industry partnering in risk management, an integrated incident management watch center, cyber-security education and awareness, research and development, information sharing, engaging the international community, and supply chain security.
If the government offered incentives, corporations would have a direct stake in Internet security. The Internet is a network of networks, but the owner of one network may not be concerned with the integrity of a connected network unless there is something to encourage that cooperation, according to Larry Clinton, president of the Internet Security Alliance.
“A criminal or whoever is the bad guy in this scenario — they can come into your network and steal your data. Now I don’t have any economic incentives to stop him because he is not stealing anything of mine; he is stealing something of yours,” he said. “At the same time, your investments and your security are being undermined because even when you invest in your security, you can’t guarantee it because it is dependent on my network.”
The report’s suggestions for economic incentives include: tax incentives to encourage cyber-security investments, grant funding, streamlining regulatory procedures to cut government and industry costs, and stimulating the growth of a “cyber-insurance” industry. The aim would be to create a private market mechanism that fosters adoption and compliance.
The paper makes no mention of incentives for government agencies, but Clinton has suggestions for the public sector. Most government entities rely on legislatures for funding, which gives legislatures leverage they could use. “They could say, ‘We are going to decrease our authorization to X department because they have a bad system score,’” he said. Both public and private organizations could also make employee cyber-activity, good or bad, part of their performance reviews, he said.
The paper is focused on these issues as they relate to federal agencies, but Clinton said some of the same principles could apply to state or local entities. The paper makes no mention of inroads that have already been made in the incentive arena, except for the R&D tax credit.
“The R&D tax credit may be the most attractive option for an IT security vendor, while a defense firm may be more interested in procurement options, an electric utility in a streamlined regulatory environment or an IT-user enterprise in an insurance discount and risk transfer,” the paper’s authors wrote. “Many of these incentives are deployed successfully in other areas of the economy, but not yet to cyber-security.”