ISA Policy on Incentives

Botnet Report on Incentives
“There is adequate precedent for an incentive approach. We have market incentives deployed in multiple industry sectors – agriculture, aviation, ground transport, environment, and even physical security – to assist the private sector in reaching public-policy goals. We simply need to apply this creativity and will to cybersecurity.” – The Cybersecurity Social Contract (p. 41)


“While the government believes that the market offers the most effective incentive for the private sector to adopt strong cybersecurity practices, government also recognizes that it must be willing to step-in to incentivize best practices when the marketplace alone proves insufficient to achieve national security levels of cybersecurity.” – Draft “Collective Security” White Paper


“Market incentives do not currently appear to align with the goal of ‘dramatically reducing threats perpetrated by automated and distributed attacks.’ Product developers, manufacturers, and vendors are motivated to minimize cost and time to market rather than to build in security or offer efficient security updates. Market incentives must be realigned to promote a better balance between security and convenience when developing products.” (p. 8)

ISA Policy on Regulatory Streamlining

Botnet Report on Regulatory Streamlining

“The explosion of regulations has occurred notwithstanding the avowed policy of following a voluntary model epitomized by the NIST Cybersecurity Framework…. Companies now often face multiple inconsistent regulatory and quasiregulatory systems that aren’t improving security… The new president ought to charge the Office of Information and Regulatory Affairs with developing a cross-government program for streamlining regulations.” – The Cybersecurity Social Contract (p. 39)


“With support of its industry partners, the USG is open to identifying federal regulations that are excessively burdensome, conflicting, or ineffective.” – Draft “Collective Security” White Paper



“Sector-specific regulatory agencies can, however, promote ecosystem resilience by working with industry to ensure that the security of the products deployed is appropriate for the products’ use… Stakeholders emphasized that the federal government might benefit from an interagency IoT coordination mechanism to promote and share these types of innovative practices and lessons learned, and to avoid regulatory conflicts.” (p. 41)

“Compliance requirements, or mandating specific regulations, may address some risks, but they can carry with them a greater burden while still leaving the broader ecosystem insecure or sending the signal that complying with the regulation is sufficient rather than the minimum necessary. The regulatory picture is further complicated by state or local regulation of edge devices, operational technology, and infrastructure. Solutions specific to particular countries or jurisdictions put at risk the global nature of an ecosystem where both bits and products flow with relative ease…” (p. 22)

ISA Policy on Cost-Effectiveness

Botnet Report on Cost Effectiveness
“Specifically, the government should complete the task begun with creation of the National Institute of Standards and Technology Cybersecurity Framework in determining what the most cost-effective elements of cyber defense are.  The executive order that resulted in the framework’s creation never saw it as an end in of itself. The order charged the network with setting out a ‘prioritized, flexible, repeatable, performance-based, and cost-effective approach to cybersecurity (emphasis added).” – The Cybersecurity Social Contract (p. 160)

“The USG should build on the progress made by developing the Framework in a consensus effort focused on measuring its effectiveness and cost effectiveness.” – Draft “Collective Security” White Paper


The private sector should establish voluntary labeling schemes for industrial IoT applications, supported by a scalable and cost-effective assessment process, to offer sufficient assurance for critical applications of IoT… Establishing an evaluated products list will permit security-conscious enterprises to make informed choices and create market incentives for robust secure development lifecycle processes.” (p. 45)

ISA Policy on Prioritization Botnet Report on Prioritization

“The new administration should fundamentally reprioritize the targeting of its cybersecurity programs in keeping with sound risk-management practice and focus much greater attention on the areas of greatest current need.” – The Cybersecurity Social Contract (p. 36)

“By prioritizing and operationalizing existing recommendations and best practices, the U.S. can begin addressing systemic risks in a sophisticated threat environment and boost the Collective Security of the Nation.” – Draft “Collective Security” White Paper 


To ensure that the most important actions are adequately resourced and efficiently executed by stakeholders, the stakeholder communities have strongly encouraged the federal government to clearly delineate priorities for action… The Departments of Commerce and Homeland Security, in coordination with industry, civil society, and in consultation with international partners, should be tasked with developing an initial road map with prioritized actions within 120 days after approval of this report.” (p. 47)

ISA Policy on Public-Private Partnership

Botnet Report on Public-Private Partnership
“There is broad agreement that the security problem is severe and growing and that the traditional regulatory model does not fit well with unique characteristics of the Internet and the conscious and sustained attacks on it. Instead, a novel, voluntary, and economically sustainable partnership between industry and government needs to evolve. – The Cybersecurity Social Contract (p. 278)


“While multiple lines of effort to achieve Collective Security are needed, leveraging our public-private partnership across all of them is essential to success.” – Draft “Collective Security” White Paper

“As new scenarios emerge, there is an urgent need for coordination and collaboration across a diverse set of stakeholders… To enhance the resilience of the Internet and communications infrastructure, coordinated actions that cross geopolitical, public-private, industrial sector, and technical boundaries must become easier to implement.” (p. 5)


ISA Policy on Cybersecurity Law Enforcement

Botnet Report on Cybersecurity Law Enforcement
“The new administration should engage in a multitiered program to bolster cyber law enforcement… a concerted effort to create a functional international legal structure to address cybercrime is needed.” – The Cybersecurity Social Contract (p. 28-30)


“While the government’s initial prioritization of national-level attention toward critical infrastructure protection was warranted to address existential risks, a substantially increased focus on other forms of cybercrime should now supplement those efforts.” – Draft “Collective Security” White Paper

“Industry and law enforcement should work to find ways to coordinate more often and earlier to detect and prevent threat activity, and in managing incidents that take place.” (p. 23)

ISA Policy on Cybersecurity Workforce and Education

Botnet Report on Cybersecurity Workforce and Education
“There is an apparent market failure wherein we have an exciting, modern field with lots of high paying jobs that we can’t fill, and this deficit is expected to continue for some time… We now need a program focused not on awareness but on understanding the issue. We need a second targeted set of programs focused on recruiting people to help fill the cybersecurity void, which like the issue itself, goes beyond technical expertise and runs to overall risk management.” – The Cybersecurity Social Contract (p. 37)


“We need an integrated, multifaceted and targeted program with research-based messaging to promote joining the cyber workforce.  Efforts should be cognizant of the overall perception of the career field and undertake creative approaches to incentivize new members to join the workforce.” – Draft “Collective Security” White Paper

“Stakeholders have indicated that these broad cybersecurity awareness and education initiatives are critical to increasing the resilience of the ecosystem in a sustainable fashion… The academic sector, in collaboration with the National Initiative for Cybersecurity Education, should establish cybersecurity as a fundamental requirement across all engineering disciplines… [and] [t]he federal government should establish a public awareness campaign to support recognition and adoption of [IoT cybersecurity].” (p. 43)

ISA Policy on Small Business Cybersecurity

Botnet Report on Small Business Cybersecurity
“As is repeatedly observed in other chapters of this book, smaller companies are more vulnerable than larger ones, understand the issue less, are investing less, and are probably the segment that most needs government help.” – The Cybersecurity Social Contract (p. 32)


“Given the importance of SMBs to the Nation and their unique cybersecurity challenges, the government should pursue and sustain a collaborative process with industry and the SMB community to develop a comprehensive strategy to increase overall cybersecurity within the SMB community.” – Draft “Collective Security” White Paper

“At the core of the infrastructure, key players already share information about the evolving nature of threats. While many of these organization employ experts who coordinate with their peers around the globe, in the future, information sharing must expand to include smaller, less well-funded, or niche players through new automated tools and practices. Incentives could promote investment in better, more efficient detection of malicious traffic, as well as more public commitments to avoid carrying malicious traffic. These commitments would build on existing relationships across the community to help build a more stable global network.” (p. 12)