Instead of imposing additional security regulations, the U.S. government must work with the private sector to develop incentives that motivate companies to voluntarily adopt security best practices, a coalition of industry associations and civil liberties groups recommended in a white paper released Tuesday.
The paper, crafted by members of the Business Software Alliance (BSA), Center for Democracy & Technology, Internet Security Alliance (ISA), TechAmerica and the U.S. Chamber of Commerce, calls on the government to develop a “menu” of incentives, such as insurance discounts for enterprises and research-and-development tax credits for IT security vendors.
The paper builds on the conclusions of President Obama's nearly two-year old Cyberspace Policy Review by providing recommendations for ways the government and industry can work together to improve cybersecurity, Franck Journoud, director of cybersecurity policy at BSA, told SCMagazineUS.com on Wednesday.
Cybersecurity incentives, in particular, are the most effective way to promote infrastructure improvements and stimulate innovation, the paper states.
“Cybersecurity is a very fast-paced game, and the bad guys change their tactics all the time,” Journoud said. “Companies trying to protect themselves need to adapt constantly. Incentives provide flexibility by allowing companies to determine the appropriate response for their specific business.”
However, Marc Sachs, former director of the SANS Internet Storm Center, told SCMagazineUS.com on Wednesday that efforts to incentivize cybersecurity have faced political hurdles in the past. Some lawmakers have argued that incentives should not be provided because organizations should be proactively securing their networks anyway, he said.
“It is hard to give tax breaks because if you give to one you must give to all,” he said. “Often, giving a regulatory break is also difficult because not everyone's regulated in the same way. If it were easy, it would have happened.”
The paper, drafted over the past six months, provides a number of other recommendations for ways the government and industry can collaborate to improve cybersecurity risk and incident management, information sharing, privacy, international engagement, supply chain security, innovation, research and development, as well as education and awareness.
With respect to risk management, the groups recommended the government and industry work with various standards bodies to develop and strengthen international cybersecurity benchmarks. To further information sharing, the government should consider ways to share classified and sensitive threat information that could help members of the private sector defend their networks.
The paper does not include any particularly groundbreaking recommendations, Sachs said, but is beneficial nonetheless because it provides the government a clear set of objectives for partnering with the private sector.
Members of the coalition who created the paper said they hope policymakers would treat it as a blueprint for improving cybersecurity. Copies of the document have been provided to the White House and key congressional cybersecurity offices.
