Industry groups push for security incentives, not laws

Share this article:

Instead of imposing additional security regulations, the U.S. government must work with the private sector to develop incentives that motivate companies to voluntarily adopt security best practices, a coalition of industry associations and civil liberties groups recommended in a white paper released Tuesday.

The paper, crafted by members of the Business Software Alliance (BSA), Center for Democracy & Technology, Internet Security Alliance (ISA), TechAmerica and the U.S. Chamber of Commerce, calls on the government to develop a “menu” of incentives, such as insurance discounts for enterprises and research-and-development tax credits for IT security vendors.

The paper builds on the conclusions of President Obama's nearly two-year old Cyberspace Policy Review by providing recommendations for ways the government and industry can work together to improve cybersecurity, Franck Journoud, director of cybersecurity policy at BSA, told on Wednesday.

Cybersecurity incentives, in particular, are the most effective way to promote infrastructure improvements and stimulate innovation, the paper states.

“Cybersecurity is a very fast-paced game, and the bad guys change their tactics all the time,” Journoud said. “Companies trying to protect themselves need to adapt constantly. Incentives provide flexibility by allowing companies to determine the appropriate response for their specific business.”

However, Marc Sachs, former director of the SANS Internet Storm Center, told on Wednesday that efforts to incentivize cybersecurity have faced political hurdles in the past. Some lawmakers have argued that incentives should not be provided because organizations should be proactively securing their networks anyway, he said.

“It is hard to give tax breaks because if you give to one you must give to all,” he said. “Often, giving a regulatory break is also difficult because not everyone's regulated in the same way. If it were easy, it would have happened.”

The paper, drafted over the past six months, provides a number of other recommendations for ways the government and industry can collaborate to improve cybersecurity risk and incident management, information sharing, privacy, international engagement, supply chain security, innovation, research and development, as well as education and awareness.

With respect to risk management, the groups recommended the government and industry work with various standards bodies to develop and strengthen international cybersecurity benchmarks. To further information sharing, the government should consider ways to share classified and sensitive threat information that could help members of the private sector defend their networks.

The paper does not include any particularly groundbreaking recommendations, Sachs said, but is beneficial nonetheless because it provides the government a clear set of objectives for partnering with the private sector.

Members of the coalition who created the paper said they hope policymakers would treat it as a blueprint for improving cybersecurity. Copies of the document have been provided to the White House and key congressional cybersecurity offices.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.