The concept of the social contract was popularized in the eighteenth and nineteenth centuries through the writings of Jean-Jacques Rousseau, John Locke, Thomas Hobbes, and others. It initially focused on the relationship between the individual and the state and what each would exchange with the other in order to achieve broader social order and benefit for the community.
In the early twentieth century, the social contract was adapted to the exchange between corporations and the state in order to achieve mutual and greater benefit for the social order.
At the time, the hot technologies were telecommunications (phones) and distributed electricity. Initially these services were provided where the economies justified them: urban and affluent areas. The policy makers of the era not only understood that universal service of these technologies would have broad social benefit but also realized government couldn’t accomplish this on its own. Moreover, compelling the private sector to provide the services without adequate compensation would be an unsustainable model. So, a “social contract”—essentially an economic deal—was developed.
Private companies agreed to provide universal service at regulated rates. In exchange, the government agreed to guarantee a substantial rate of return on their investments. Thus was born rate-of-return regulation, and the private-investor-owned public utility.
And it worked. The broader systemic benefits of the social contract were enormous. The electric and telecommunications infrastructures were deployed at an accelerated pace compared with other nations that chose a government-centric model. Moreover, the infrastructures, adequately supported by the economic incentives imbedded in the contract, were continually made more sophisticated and innovative. The rapid development of these infrastructures provided the foundation for accelerated industrialization, job creation, and innovation. These systemic effects were essential to turning the United States from a second-rate world presence at the turn of the twentieth century into the world’s leading superpower in a little more than a generation.
ISA believes that a similar situation exists today with respect to cybersecurity. For example, although there are substantial pockets in both the public and private sectors that are doing an admirable job funding and applying strong cyber defenses, because of the interconnection of the system, we need a universal solution. Neither companies nor government operating on their own can adequately secure themselves. A new system needs to be developed. That new system needs not just standards and practices but also economic support for their universal application and continued rapid innovation and adjustment in the face of the ever-evolving cyber threat.
There exist standards and practices that, if deployed universally, could substantially improve our nation’s cybersecurity. ISA calls for these standards and practices to be identified in a public-private partnership. Industry’s role would be continuing to develop and deploy these techniques. Government’s role would be to support and encourage this development and adoption by providing a menu of incentives tailored to the unique needs of industry sectors.
Social Contract 2016
In September 2016, the Internet Security Alliance published its fullest realization of what the “cybersecurity social contract” is: a book more than 400 pages long, with contributions from 25 different authors, containing 106 specific recommendations. The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity is written primarily by the ISA board, which consists of chief information security officers from 20 of the world’s major companies cutting across 11 economic sectors. The answer begins with a 12-step program that ranges from establishing the proper tone for addressing cybersecurity to strategic initiatives down to concrete operational recommendations.
The publication covers a range of cross-cutting issues such as educating corporate boards of directors, needed reforms to the cybersecurity auditing process, how insurance could best be used to transfer risk, how the federal government should be restructured for the digital age, resolving tensions between privacy and security, and improving public-private partnerships.
The publication is an attempt to provide a coherent and systemic framework for collaborative action. Advanced technology needs to be integrated with practical economics and thoughtful public policy to create a sustainable system of cybersecurity.
We are already seeing these recommendations being enacted, which is not surprising given the widespread independent endorsements the new publication has received.
Praise for The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity:
“The Cybersecurity Social Contract is a comprehensive assessment of the state of cybersecurity and offers the administration and Congress a road map for sensible and practical progress dealing with urgent security issues.”
-Michael Chertoff, Executive Chairman and Cofounder, the Chertoff Group, former Secretary, Department of Homeland Security
“This well-researched and documented book is the most comprehensive work to date in addressing these issues. I strongly recommend the administration and the Congress adopt the recommendations of this work.”
-Admiral Mike McConnell (Retired), former Director of National Intelligence; former Director, National Security Agency
“The Cybersecurity Social Contract provides a thoughtful roadmap of recommendations that places risk management principles at the core of the next administration’s cybersecurity agenda.”
-Melissa Hathaway, President, Hathaway Global Strategies, former Director of the Joint Interagency Cyber Task Force
“What an accomplishment. The Internet Security Alliance continues to prove its thought leadership by laying out a practical framework that integrates technology, government policy and business economics.”
-Air Force General Charlie Croom (Retired), Senior Vice President and Director, Strategic Account Executives, Leidos
“The Cybersecurity Social Contract blends for the first time real world economics and politics of cybersecurity. This volume offers the incoming administration the best hope for making serious progress.”
-Pradeep Khosla, Chancellor, University of California-San Diego; former Dean, College of Engineering, Carnegie Mellon University
“The Cybersecurity Social Contract presents a comprehensive overview of why we have failed to get our arms around these issues—including privacy—and what the next administration needs to do to avoid catastrophe.”
-Art Coviello, Jr., Executive Chairman (Retired), RSA
The ISA’s “Social Contract 2.0” provided an outline for implementing the market incentive recommendations detailed in President Obama’s Cyberspace Policy Review and proposed by the ISA in our first cybersecurity social contract in 2008.
In early 2011, a coalition of five industry and civil liberties groups – ISA, the U.S. Chamber of Commerce, TechAmerica, the Business Software Alliance (BSA), and Center for Democracy and Technology (CDT) – adopted a similar set of recommendations.
In October 2011, the House Republican Cyber Security Task Force released its cybersecurity report, which largely mirrors the ISA recommendations. Its very first recommendation, that Congress develop a “menu of market incentives tied to the voluntary adoption of cyber security measures,” is taken almost verbatim from ISA’s 2008 and 2009 publications.
In addition to adopting this core tenet, this House Task Force also included a number of other ISA “Social Contract” policy suggestions as part of their recommendations, such as:
- The notion that regulation cannot keep pace with technological change;
- The realization that no one set of cybersecurity standards will apply equally across industries or even businesses;
- Streamlined regulation, licensing, and permitting as an incentive;
- Exploration of mechanisms to promote the usage of cyber insurance;
- Tying taxes and grants to adoption of cybersecurity best practices and measures; and
- Limited liability for good actors.
In 2008, ISA came out with our first publication detailing the concept of a cybersecurity social contract. In 2009, following an in-depth study by the National Security Council staff, the Obama administration released its “Cyberspace Policy Review.” That document’s executive summary began and ended by citing the ISA’s “Cyber Security Social Contract,” and, like our publication, urged the government to look into the development of market incentives as a means to advance cybersecurity.