The Obama administration, with support from Congress, should give information technology companies financial incentives for improving cybersecurity defenses, including providing funding in research and development and shielding them from liability caused by cyberattacks, a group representing information security companies said on Tuesday.
Comment on this article in The Forum.The Internet Security Alliance said its report, the Cybersecurity Social Contract, is a conceptual framework that provides recommendations to the incoming Obama administration and Congress for addressing cyber threats through a public-private partnership. The report calls on the government to "get its own house in order" by improving the network security of federal systems, to educate senior industry executives about the scope of cybersecurity requirements, and to create incentives for industry to invest in cybersecurity beyond what is currently incorporated in existing business plans.
"Consumer issues, [such as] spam, are being addressed," said Larry Clinton, president of the alliance. "But to truly modernize the infrastructure, there needs to be greater investment [by industry]; and to get companies to invest, government has to make it in their best interest."
He added, "This notion of pointing fingers back and forth is not going to get the job done, [nor is] just appointing a chief technology officer," which Obama said during the campaign he would do if elected president. "To not understand the public interest in assisting industry affirmatively is a mistake."
The report offers examples of how the government can provide incentives, including credits given to vendors in government contracts for investing internally in cybersecurity efforts and a requirement for companies awarded loans from the Small Business Administration to put a percentage of funds toward information security. The report also suggests that Congress and the Obama administration encourage insurance companies to offer benefits such as lower premiums to companies that meet certain cybersecurity standards.
The alliance also encourages Congress to establish safe harbor laws that protect companies from liability for financial loss or damage resulting from a cyberattack, if they can prove they followed appropriate cybersecurity processes. Also, award programs could be created to recognize companies for stellar cybersecurity programs and results. Companies could use the awards or designations to differentiate them from competitors. Government could fund a consortium of government, industry and academic organizations to encourage research, development and adoption of new security protocols.
"Clearly, the message is out there [to] work with private industry," said Joe Buonomo, president of the software company Direct Computer Resources and an alliance board member. "They can make things happen, but they can also go broke doing it," if government doesn't offer some return on the investment.
In return for incentives, the IT industry would be expected to develop standards, technologies and practices to strengthen cybersecurity, implement best practices to secure their own networks and work with government to overcome obstacles to information sharing.
Such strategies for public-private partnerships are not new, Clinton said. Since the early 20th century, government has offered various incentives to utility companies to establish universal phone, power and light service to all Americans. The approach detailed by the alliance is based on a similar model and encourages government to reexamine existing programs to determine whether cybersecurity can be integrated in enterprisewide.
Clinton also emphasized that the program should reside in the White House because agencies would have to work together on it.