White House, executives discuss economic incentives for cybersecurity

The Obama administration is considering providing economic incentives to companies that follow good cybersecurity practices to encourage the private sector to cooperate with the federal government in protecting the computer systems that support major U.S. industries, said a security expert who met with the president and Cabinet officials on Wednesday.

"The notion that there is such a high-level commitment [to cybersecurity] was the first thing they wanted to convey," said Larry Clinton, president of the Internet Security Alliance, which represents information security companies. "The second was their sincerity in wanting to establish a creative public-private partnership rather than seeking to drive change through a regulatory process. That is a key perception, because some on Capitol Hill still believe that this is a traditional 20th century problem, and we should have some federal agency set standards and be done with it."

Clinton and other cybersecurity executives met with President Obama, White House Cybersecurity Coordinator Howard Schmidt, Homeland Security Secretary Janet Napolitano and Commerce Secretary Gary Locke. Obama, who stayed for about 15 minutes of the one-hour meeting, noted how the interconnected nature of the Internet made it exceptionally difficult to regulate, Clinton said.

White House officials pressed executives for ways to create economic incentives that would encourage companies to support broad cybersecurity initiatives that relied on partnerships with federal agencies and the deployment of safeguards to ensure their private computer networks and systems were adequately protected.

Too often, Clinton said, companies reduce or defer investment in cybersecurity, which introduces vulnerabilities that "seep into the whole system [of networks] and make those who do invest appropriate dollars [in cybersecurity] less secure."

The White House Cybersecurity Review, released in May, noted plans to identify procurement strategies that would financially compensate companies to make products and services sold to the government more secure, including providing tax incentives and reducing liability in exchange for improved security. The group also discussed giving companies that follow cybersecurity best practices lower cybersecurity insurance premiums, much the same way those who quit smoking or drive safely pay less for life and car insurance policies, Clinton said.

"Those are the kinds of strategies that are needed to establish a functioning, sustainable system of cybersecurity," he said. "This whole notion of looking at the challenge from a more strategic and economic perspective rather than an operational and technical one is a tectonic shift."

DHS also used the meeting as an opportunity to announce winners of its National Cybersecurity Awareness Challenge, which called on members of the public and private sectors to develop creative ways to educate people about the importance of good computer security practices.