ARCHIVED 3/31/10

March 31, 2010

Antonie Boessenkool, Defense News, 03/31/2010

The U.S. government should give incentives to businesses that voluntarily adopt cybersecurity measures, the president of the Internet Security Alliance told reporters in Washington, D.C., March 31.

“We believe that government has an important role with regard to improving cybersecurity,” Larry Clinton said. “It’s just not the traditional regulatory role. That’s an outmoded approach.”

Instead, the U.S. government “should be determining what works,” and offering a “fairly broad list” of incentives to companies that adopt online security measures, because the private sector’s position in cybersecurity is crucial to national security and the protection of infrastructure, including the U.S. financial infrastructure.

The Internet Security Alliance and the American National Standards Institute were issuing a report stressing that private companies need to look at online security from a financial perspective rather than a technology perspective.

“What we are calling for is for private organizations to start to make investment decisions based on national-security concerns to some degree,” Clinton said. “If we’re going to be asking the private sector to fund national security concerns, we need to be providing public-sector incentives for them to do that: tax incentives, liability incentives, insurance incentives.”

Clinton said different sectors will want different incentives.

“Military contractors, for example, would be interested in procurement reform whereas small businesses might be interested in an extra amount in an [Small Business Administration] loan,” Clinton said. “The insurance industry can be better used. We can use awards programs.

“Basically, we’ve got dozens of market incentives that we use throughout the rest of the economy, all those other sectors – aviation and ground transportation, environment. We’ve got tons of market incentives we use to motivate good behavior there. We just haven’t applied those yet to cyber security.”

The report, which drew on views from about 60 government and industry experts, is directed at chief financial officers in private companies, naming them as the most logical people to lead online security efforts because of the cost of attacks and intellectual property theft.

But, the report says, citing a 2008 study from Deloitte, 95 percent of CFOs aren’t involved in managing their companies’ information security risks. Citing security software company Symantec, the report said online attacks rose 1,000 percent between 2006 and 2008.

“We’re seeing a significant amount of malicious organizations targeting individuals and corporations for intellectual property,” said Justin Somaini, chief information security officer at Symantec, one of the sponsors of the report. “It’s being leaked out at an alarming and astonishing rate.”

Moreover, he said, “Ninety percent of the critical infrastructure is actually being maintained in the private sector. This makes security really more of a private business security issue than a public policy [issue].”

The report sets out guidelines for companies to protect themselves from online attacks and intellectual property theft. Those include adopting a cyber security plan across all departments in a company, rather than relying on the IT department to protect against all risks; preparing and practicing responses when cyber attacks happen; and considering the need for insurance that covers online threats.