Introduction by ISA President Larry Clinton
In this third and final blog on SDD, we will dive into the most important part of any proposal: how to pay for it.
Technology is not the issue – we know how to create secure products. However, the process of building in more security tends to increase cost and lower the utility of the products – making them less competitive in the international market.
A major issue with IT products produced Secure by Design and Default is the added cost to the final product. Making IT products more secure at the design phase will delay getting the product to market and will likely impair its functionality, making it less competitive. Under the Biden plan consumers would not have to pay for these upgrades, meaning the companies must absorb the costs, making them less profitable, less attractive to investors and less innovative. Someone has to pay for the upgrades. There is no free lunch.
The simplest answer is to have government pay for the upgrades, which, after all, will enhance our national defense. This is the model we use in the Defense Industrial Base. Companies like RTX, L-3, GE and Leidos produce products for the US military that are Secure by Design and Default. However, applying the national defense model to the universe of IT products would be prohibitively expensive even for the federal government.
The only practical way to make SDD work while keeping products economically viable is to design a series of market incentives to reward or support products that are more secure by design, because such products may face market failures or distortions due to externalities.
The place to begin is by adapting existing incentive models to promote SDD. Ideally this system would be woven into an overarching risk management strategy for cybersecurity across the country.
ISA was recently asked to brief the President’s National Security Telecommunications Advisory Committee (NSTAC) on the issue of economic incentives. Below, we have outlined a few of the ideas ISA proposed to the NSTAC earlier this week.
An alternative path is to adapt the SAFETY Act to incentivize companies to build secure by design products with minimal risk. The SAFETY Act in its current form offers numerous potential benefits for designated or certified companies. These incentives include caps on third-party liability, limits on punitive damages and limits on non-economic damages. The Act, currently designed to promote anti-terrorism technologies, could be updated by linking benefits to secure by design/default practices.
As currently structured, the SAFETY Act is used to incentivize the development of anti-terrorism technologies; however, the Act can be adapted to provide these same protections to organizations that can demonstrate that they have followed the best practices and standards we have outlined in our previous posts. Greater access to insurance and reduced liability are powerful incentives that can help offset the economic impact of SDD on the provider company while still allowing it to participate in the international market economy.
Regulated companies would gain eligibility for these benefits by implementing models based on FAIR and the NACD-ISA Risk Management Handbook. These models have already been independently assessed and found to improve cybersecurity on a number of dimensions, and they provide a road map for companies to follow. If regulated companies were relieved of the burdens of the current obligations to follow hundreds of checklists (none of which have ever been independently shown to improve security) and instead adhered to these alternative models, they would have greater freedom and resources to innovate within the SDD framework.
Moving to an environment of SDD is a big idea; creating such a model without impacting consumer costs is an even more challenging goal. To accomplish these twin goals, we will need to innovate not only the technical process for IT product design but also the economics of the market, to make the new system sustainable in a market economy.