In a white paper titled Improving our Nation’s Cybersecurity through the Public-Private Partnership, five industry groups are urging the US government to offer incentives for companies to adopt stronger cybersecurity practices and develop more innovative cybersecurity products.
“Abandoning the core tenets of the [public-private partnership] model in favor of a more government-centric set of mandates would be counterproductive to both our economic and national security”, the white paper warns.
The report was authored by the Business Software Alliance (BSA), Center for Democracy and Technology, the Internet Security Alliance, TechAmerica, and the US Chamber of Commerce.
“Cybersecurity is a fast paced game. You need to be flexible in how you respond to threats”, said Franck Journoud, BSA’s director of cybersecurity policy. “We felt that incentives would provide the right impetus for the market players to act, preserving their flexibility to innovate and fight back against rapidly evolving threats”, he told Infosecurity.
Journoud supported providing research and development tax credits to encourage cybersecurity innovation. At the same time, he admitted that in a tight fiscal environment, tax incentives might not be the most popular way to go.
Another incentive would be offering liability and insurance benefits to cybersecurity firms to develop innovative technologies; this would be modeled on the SAFETY Act, which provides liability protections to companies developing antiterrorism technologies.
“Sometimes liability risks hold back innovative activity because you are not sure what risks you run as the developer of a solution. When the government feels that there is a public interest in development of those solutions….providing appropriate liability protections has shown to be effective in helping with their development”, he said.
Another incentive would be for government to stimulate the growth of the private cyber insurance industry by offering reinsurance programs. Strengthening the cyber insurance industry would “provide private economic incentives to spur greater cybersecurity efforts while also creating a private market mechanism that fosters adoption and compliance”, the report said.
“Cyber insurance is generally extremely limited. It covers only a very limited number of occurrences because insurers have a tough time getting a handle…of how to measure cyber risk and how to measure the effectiveness of countermeasures in reducing that risk”, Journoud observed.
“Incentivizing the development of the cyber insurance market would be a great way to help companies get a handle on their cyber risk and take effective measures to reduce it”, he added.
Journoud concluded that industry is not opposed to regulation that is targeted to specific threats, such as a state-sponsored attack against critical infrastructure that could cripple the US economy. The risk, however, is that the regulation could take a broad-brush approach that would have a negative effect on the vast majority of the US economy that does not fall into that narrow category of cybersecurity threat.