The Internet Security Alliance (ISA) released a new report today aimed at taking the Obama Administration’s “Cyberspace Policy Review” document to the next level.
“ISA is supportive of the Obama Administration’s document,” ISA President Larry Clinton said. “Now, the private sector needs to formulate how we can implement programs in areas where we have conceptual agreement with the administration. Our report does that by proposing frameworks for implementing solutions to key cybersecurity issues both ISA and the Obama Administration think are important.”
Titled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” the report emphasizes the need to focus on the economics of cybersecurity. “When it comes to cybersecurity, all of the economic incentives favor the attackers,” Clinton said. “Attacks are relatively easy, cheap, and the gains from them can be enormous. On the other hand, defense can be costly. The perimeter to defend is virtually infinite and there is often limited return on cybersecurity investments. We will never have a sustainable system of cybersecurity until we change the economic equation that governs it.”
The report includes frameworks for creating a public/private partnership model to enhance cybersecurity at the business plan level; addressing the international issues in cybersecurity; securing the global IT supply chain; and establishing a new model for information sharing, among other things. The common thread linking all of the frameworks is their adherence to the ISA’s Cyber Security Social Contract Model. The ISA model is based on the successful partnership between government and industry to address the need for universal telephone and power service in the early 20th century.
Government recognized that there were considerable public safety and economic benefits to universal telephone and power service and provided substantial market incentives to ensure those public policy needs were met. “Just as the United States needed universal utility services a century ago, we need universal cybersecurity today,” Clinton said. “To achieve that objective, there must be incentives for companies to make investments that might not be justified in individual business plans.”