ARCHIVED 12/3/09

December 3, 2009

To view the original article please click here.


Eric Chabrow,, 12/03/2009

The Internet Security Alliance, an industry group affiliated with Carnegie Mellon’s cybersecurity laboratory, issued a report Thursday that argues that giving businesses incentives and not regulating them will better safeguard the nation’s IT systems.

Entitled Implementing the Obama Cybersecurity Strategy Via the ISA Social Contract Model, the ISA contends the process of developing effective regulations is inherently time consuming and that any regulations specific enough to assure improved cybersecurity would become outdated soon after their enactment.

The ISA report says cybersecurity is an enterprise-wide risk management that must be understood as much for its economic perspective as for its technical issues.

”Government’s primary role ought to be to encourage the investment required to implement the standards, practices and technologies that have already been shown to be effective in improving cybersecurity,” the 74-page report says.

ISA proposed nine incentives it contends could alter economic perspective with respect to investment in cybersecurity procedures, encouraging private entities to improve their security posture in the broad national interest:

*Enact a Cyber Safety Act, patterned after the Safety Act that spurred physical development after the 9/11 attacks, by providing marketing and insurance benefits for companies that design, develop and implement of cybersecurity technology, standards and practices.

*Tie federal monies – grants, Small Business Administration loans and stimulus and bailout money – to adoption of designated effective cybersecurity standards and best practices.

*Leverage purchasing power of the federal government. Government could increase the value of security in the contracts it awards to the private sector, thereby encouraging broader inclusion of the level of security provided to government, which in turn could facilitate broad improvement of the cybersecurity posture among the owners and operators of the national critical IT infrastructure.

*Streamline regulations and reduce complexity. Regulatory and legislative mandates and compliance frameworks that address information security, such as Sarbanes-Oxley, Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act, along with state regimes, could be analyzed to create a unified compliance mode for similar actions and to eliminate any wasteful overlaps.

*Tax incentives for the development of and compliance with cybersecurity standards practices and use of technology. Tax credits can be made contingent upon compliance with established and pre-identified cybersecurity practices. Such incentives could encourage small and midsize businesses to implement cyber protections.

*Provide grants and/or direct funding of cybersecurity research and development to companies that are developing and implementing cybersecurity technologies or best practices. Alternatively, R&D could be run through one or more of the federally funded R&D centers.

*Limit liability for good actors. The government could create limited liability protections for certified products and processes or those certified against recognized industry best practices.

*Create a national award for excellence in cybersecurity, akin to the Commerce Department’s Malcolm Baldridge Award. Organizations may strive to receive the award as a means of differentiating themselves in marketing, particularly in a marketplace in which security concerns continue to increase.

*Promote cyber insurance. Cyber insurance, if more broadly employed, could provide a set of uniform and constantly improving standards for corporations to adopt and to be measured against, all while simultaneously transferring a portion of risk that the federal government might face in the case of a major cyber event.

Besides incentives, the report also suggests ways to craft a new, practical model for information sharing; create an enterprise education program to properly structure industry; address the technical and legal disconnect created by digital systems; manage the global IT supply chain; and address the international nature of cybersecurity issues.