How Tax Credits Could Present Near-Term Motivation for More Secure Devices

NatalyaBurova/Getty Images

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
Edward Graham By Edward Graham,
Staff Reporter, Nextgov/FCW

By Edward Graham

|

As federal officials call for tech firms to take more responsibility for the security of their products, some members of Congress and industry voices have highlighted the potential of cyber investment tax credits as an incentive.

Biden administration officials are pushing to make technology manufacturers liable for the security of their products, but the currently divided Congress may stretch out the timeline for instituting non-voluntary solutions. In the interim, some lawmakers, experts and industry leaders have proposed the issuance of cybersecurity investment tax credits to help firms adopt enhanced cyber standards on their own. 

These incentives are seen as one way to encourage the tech sector to voluntarily embrace “secure-by-design” and “secure-by-default” principles, which are viewed as critical for enhancing the security of devices during their design and development stages. And calls for the issuance of cyber tax credits build upon recent efforts by the Cybersecurity and Infrastructure Security Agency and federal officials to encourage tech and software firms to embrace more stringent cyber standards.

CISA chief’s call to industry

During a House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing on Thursday, CISA Director Jen Easterly told lawmakers that “innovation should not trump safety and security in a world where we all rely on tech.”

“We need to ensure that the technology that underpins the critical services and functions that Americans rely on every day is built secure—secure by design, with a limited number of vulnerabilities, and secure by default, with things like multifactor authentication,” she said. 

Easterly’s comments mirrored her calls in recent months for tech and software firms to undertake a fundamental shift in the way they approach the cybersecurity of their devices and services, with a new focus on embracing secure-by-design and -default principles. 

During a February speech at Carnegie Mellon University, Easterly said the tech sector should stop using consumers as “crash test dummies,” and instead embrace a model where the public can have “implicit trust in the safety and integrity of the technology products that we use every hour of every day.”

Shifting the burden from consumers to companies

As cyber threats and ransomware attacks continue to indiscriminately target critical infrastructure services, public institutions and everyday Americans, the Biden administration has begun embracing more targeted approaches for encouraging the tech sector to prioritize built-in cybersecurity. 

The national cybersecurity strategy—released by the White House on March 2—called, in part, for tech companies to take greater responsibility for the security of their devices, warning that too many firms “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities and integrate third-party software of unvetted or unknown provenance.” 

To move the cybersecurity burden away from consumers and toward manufacturers, the strategy document said the White House would work with Congress and the private sector to develop legislation that would “shift liability onto those entities that fail to take reasonable precautions to secure their software, while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.”

Given the current political climate, a senior administration official acknowledged to reporters on a press call following the strategy’s release that “we don’t anticipate that this is something where we’re going to see a new law on the books within the next year,” adding at the time that the strategy as a whole is “looking out a decade.”

The strategy document, however, outlined a number of non-legislative steps the Biden administration is also pursuing “to further incentivize the adoption of secure software development practices.” These include encouraging “coordinated vulnerability disclosure across all technology types and sectors,” promoting the development of software bills of materials and developing a process “for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure.”

CISA—along with the FBI, NSA and security agencies from six international allies—also released voluntary guidance on April 13 to help companies develop secure-by-design and -default products. 

Cyber tax credits as incentive

Since political gridlock is likely to stymie the national cyber strategy’s call for Congress “to develop legislation establishing liability for software products and services,” some lawmakers have offered up other approaches for encouraging tech manufacturers to voluntarily enhance the security of their products. 

During a March 28 House Appropriations Subcommittee on Homeland Security hearing to discuss CISA’s fiscal year 2024 budget request, Rep. Michael Guest, R-Miss., told Easterly that “it seems to me that tax credits will be a logical step to encourage businesses” to bake security into their products and devices. 

“One of the things that I've heard talked about is the possibility of tax credits for private businesses—particularly those in the 16 critical infrastructure sectors—that if they're using those dollars to harden their cybersecurity, that they be given some sort of tax credit for that,” he added.

“I haven't studied it, but generally I'm supportive of anything that incentivizes our businesses to make their networks and systems more secure.” Easterly told him, noting that the cost, talent and employee skill levels needed to secure networks can be difficult for some firms to manage.

Guest voiced support for the use of cyber tax credits in an emailed statement to Nextgov, noting that the modern cyber landscape means “our foreign enemies are targeting our technology infrastructure in new ways every day.”

“Technology is a critical resource that has changed the way our nation conducts business, but it has also opened new ways for our foreign enemies to disrupt our way of life,” he added. “We have to secure our homeland from these threats, and I believe that cybersecurity tax credits could be an effective way to protect our strong American businesses and infrastructure.”

A CISA spokesperson said the agency didn’t have anything to add on the topic beyond Easterly’s comments. A spokesperson for the Office of the National Cyber Director—or ONCD—told Nextgov that “we do not have a stated position” on cyber tax credits and would not be able to provide a comment on their potential use.

At least some academic experts, however, have cited cyber tax credits as one effective way for the government to incentivize stronger cybersecurity standards across the tech sector. A January 2023 study slated for publication in the American Business Law Journal proposed, in part, that the implementation of a three-tiered federal cyber investment tax credit would help firms enhance the security of their devices and enforce the idea “that businesses have basic cybersecurity responsibilities and fundamental duties to operate securely in a digital society.” 

In a Feb. 15 Wall Street Journal op-ed, one of the study’s authors—Scott Shackelford, a professor of business law and ethics at Indiana University’s Kelley School of Business and executive director of the Ostrom Workshop and Center for Applied Cybersecurity Research—argued that this tax credit framework would “encourage businesses to adopt and implement cybersecurity practices that an agency such as the Cybersecurity and Infrastructure Security Agency has identified as necessary to defend our nation and critical infrastructure.”

Tech firms see benefits of cyber tax credits

Following the national cyber strategy’s release in March, tech sector leaders and organizations largely voiced support for many of the document’s proposed cyber priorities. 

BSA I The Software Alliance—an industry group—issued a press release following the strategy’s release that said the document offered a path for public and private sector stakeholders “to collaborate to build a more secure and resilient future.”

In a statement to Nextgov, Henry Young—BSA’s director of policy—said the group has worked “to promote software security and identify best practices that help companies continuously evolve products to meet new threats,” and signaled that it was open to the idea of cyber tax credits to further incentivize these types of enhanced security standards. 

“We partnered closely with ONCD to promote areas of shared interest related to securely-designed software, and CISA’s work to further promote these shared principles are welcome,” he added. “Enterprise software companies take seriously their responsibility to develop secure products, and would welcome collaboration and incentives that advance cybersecurity.”

Other sector leaders have also said that the issuance of cyber tax credits could be a boon for smaller companies hoping to enhance the security of their devices to meet growing digital threats. Joel Krooswyk—the federal chief technology officer at GitLab—told Nextgov that prioritizing security in the design and development phases of new products is often “an economy of scale issue” for small and mid-size firms. 

“What I love about the concept of a tax credit is, if you've got a small company and you're trying to start up or you're trying to get a product to market, you're focused on functionality; you're not necessarily focused on security,” Krooswyk said. “What this enables you to do is say, ‘well, I don't really have the budget, but if I can get a lot of it offset, I can now look into a platform that's going to do a lot of this for me.’ Kind of the out-of-the-box, automated security capabilities. You're not going to get that with the typical small company approach of, ‘what tools are free, and how do we cobble them together?’”

NEXT STORY: Global Appeal of NIST Cyber Framework Leads to Multiple Translations, Possible Updates

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.