As federal officials call for tech firms to take more responsibility for the security of their products, some members of Congress and industry voices have highlighted the potential of cyber investment tax credits as an incentive.
Biden administration officials are pushing to make technology manufacturers liable for the security of their products, but the currently divided Congress may stretch out the timeline for instituting non-voluntary solutions. In the interim, some lawmakers, experts and industry leaders have proposed the issuance of cybersecurity investment tax credits to help firms adopt enhanced cyber standards on their own.
These incentives are seen as one way to encourage the tech sector to voluntarily embrace “secure-by-design” and “secure-by-default” principles, which are viewed as critical for enhancing the security of devices during their design and development stages. And calls for the issuance of cyber tax credits build upon recent efforts by the Cybersecurity and Infrastructure Security Agency and federal officials to encourage tech and software firms to embrace more stringent cyber standards.
CISA chief’s call to industry
During a House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing on Thursday, CISA Director Jen Easterly told lawmakers that “innovation should not trump safety and security in a world where we all rely on tech.”
“We need to ensure that the technology that underpins the critical services and functions that Americans rely on every day is built secure—secure by design, with a limited number of vulnerabilities, and secure by default, with things like multifactor authentication,” she said.
Easterly’s comments mirrored her calls in recent months for tech and software firms to undertake a fundamental shift in the way they approach the cybersecurity of their devices and services, with a new focus on embracing secure-by-design and -default principles.
During a February speech at Carnegie Mellon University, Easterly said the tech sector should stop using consumers as “crash test dummies,” and instead embrace a model where the public can have “implicit trust in the safety and integrity of the technology products that we use every hour of every day.”
Shifting the burden from consumers to companies
As cyber threats and ransomware attacks continue to indiscriminately target critical infrastructure services, public institutions and everyday Americans, the Biden administration has begun embracing more targeted approaches for encouraging the tech sector to prioritize built-in cybersecurity.
The national cybersecurity strategy—released by the White House on March 2—called, in part, for tech companies to take greater responsibility for the security of their devices, warning that too many firms “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities and integrate third-party software of unvetted or unknown provenance.”
To move the cybersecurity burden away from consumers and toward manufacturers, the strategy document said the White House would work with Congress and the private sector to develop legislation that would “shift liability onto those entities that fail to take reasonable precautions to secure their software, while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.”
Given the current political climate, a senior administration official acknowledged to reporters on a press call following the strategy’s release that “we don’t anticipate that this is something where we’re going to see a new law on the books within the next year,” adding at the time that the strategy as a whole is “looking out a decade.”
The strategy document, however, outlined a number of non-legislative steps the Biden administration is also pursuing “to further incentivize the adoption of secure software development practices.” These include encouraging “coordinated vulnerability disclosure across all technology types and sectors,” promoting the development of software bills of materials and developing a process “for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure.”
CISA—along with the FBI, NSA and security agencies from six international allies—also released voluntary guidance on April 13 to help companies develop secure-by-design and -default products.
Cyber tax credits as incentive
Since political gridlock is likely to stymie the national cyber strategy’s call for Congress “to develop legislation establishing liability for software products and services,” some lawmakers have offered up other approaches for encouraging tech manufacturers to voluntarily enhance the security of their products.
During a March 28 House Appropriations Subcommittee on Homeland Security hearing to discuss CISA’s fiscal year 2024 budget request, Rep. Michael Guest, R-Miss., told Easterly that “it seems to me that tax credits will be a logical step to encourage businesses” to bake security into their products and devices.
“One of the things that I've heard talked about is the possibility of tax credits for private businesses—particularly those in the 16 critical infrastructure sectors—that if they're using those dollars to harden their cybersecurity, that they be given some sort of tax credit for that,” he added.
“I haven't studied it, but generally I'm supportive of anything that incentivizes our businesses to make their networks and systems more secure.” Easterly told him, noting that the cost, talent and employee skill levels needed to secure networks can be difficult for some firms to manage.
Guest voiced support for the use of cyber tax credits in an emailed statement to Nextgov, noting that the modern cyber landscape means “our foreign enemies are targeting our technology infrastructure in new ways every day.”
“Technology is a critical resource that has changed the way our nation conducts business, but it has also opened new ways for our foreign enemies to disrupt our way of life,” he added. “We have to secure our homeland from these threats, and I believe that cybersecurity tax credits could be an effective way to protect our strong American businesses and infrastructure.”
A CISA spokesperson said the agency didn’t have anything to add on the topic beyond Easterly’s comments. A spokesperson for the Office of the National Cyber Director—or ONCD—told Nextgov that “we do not have a stated position” on cyber tax credits and would not be able to provide a comment on their potential use.
At least some academic experts, however, have cited cyber tax credits as one effective way for the government to incentivize stronger cybersecurity standards across the tech sector. A January 2023 study slated for publication in the American Business Law Journal proposed, in part, that the implementation of a three-tiered federal cyber investment tax credit would help firms enhance the security of their devices and enforce the idea “that businesses have basic cybersecurity responsibilities and fundamental duties to operate securely in a digital society.”
In a Feb. 15 Wall Street Journal op-ed, one of the study’s authors—Scott Shackelford, a professor of business law and ethics at Indiana University’s Kelley School of Business and executive director of the Ostrom Workshop and Center for Applied Cybersecurity Research—argued that this tax credit framework would “encourage businesses to adopt and implement cybersecurity practices that an agency such as the Cybersecurity and Infrastructure Security Agency has identified as necessary to defend our nation and critical infrastructure.”
Tech firms see benefits of cyber tax credits
Following the national cyber strategy’s release in March, tech sector leaders and organizations largely voiced support for many of the document’s proposed cyber priorities.
BSA I The Software Alliance—an industry group—issued a press release following the strategy’s release that said the document offered a path for public and private sector stakeholders “to collaborate to build a more secure and resilient future.”
In a statement to Nextgov, Henry Young—BSA’s director of policy—said the group has worked “to promote software security and identify best practices that help companies continuously evolve products to meet new threats,” and signaled that it was open to the idea of cyber tax credits to further incentivize these types of enhanced security standards.
“We partnered closely with ONCD to promote areas of shared interest related to securely-designed software, and CISA’s work to further promote these shared principles are welcome,” he added. “Enterprise software companies take seriously their responsibility to develop secure products, and would welcome collaboration and incentives that advance cybersecurity.”
Other sector leaders have also said that the issuance of cyber tax credits could be a boon for smaller companies hoping to enhance the security of their devices to meet growing digital threats. Joel Krooswyk—the federal chief technology officer at GitLab—told Nextgov that prioritizing security in the design and development phases of new products is often “an economy of scale issue” for small and mid-size firms.
“What I love about the concept of a tax credit is, if you've got a small company and you're trying to start up or you're trying to get a product to market, you're focused on functionality; you're not necessarily focused on security,” Krooswyk said. “What this enables you to do is say, ‘well, I don't really have the budget, but if I can get a lot of it offset, I can now look into a platform that's going to do a lot of this for me.’ Kind of the out-of-the-box, automated security capabilities. You're not going to get that with the typical small company approach of, ‘what tools are free, and how do we cobble them together?’”