White House considers incentives for cybersecurity

The White House is considering incentives in order to get organizations in the private sector onboard with investing in cybersecurity

On Tuesday, President Obama's cybersecurity coordinator, Michael Daniel, blogged about a handful of incentives being considered as the Departments of Homeland Security, Treasury, and Commerce work with the public and private sectors to establish a cybersecurity framework due in February of 2014.

The cybersecurity framework is part of a larger program aimed at critical infrastructure; it stems from a cybersecurity initiative launched by the Obama Administration in 2009 and continues the plans outlined in an Executive Order issued earlier this year.

The goal of the initiative, and the program itself, is information sharing and the establishment of best practices and guidelines that will ensure organizations (both public and private) are better prepared to deal with cybersecurity issues.

[Related: NIST closer to critical infrastructure cybersecurity framework]

While all of this takes place, the underlying goal of maintaining clear privacy policies that protect the information held by most of these organizations from external and internal risks forms the third layer of the program -- one that government watchdogs say is the most important.

Sarah Baso, OWASP Foundation Executive Director and Chief Organizer of OWASP's AppSec USA conference, told CSO that the Executive Order itself isn't much different from what people in InfoSec are already used to dealing with.

"This order is something that is no radical departure from what people in the industry have known for quite a while, that more focus needs to be spent on cybersecurity. That's education, at all levels internally for companies, as well as putting budget allocations towards making these things a higher priority," she said.

Participation in the program is voluntary, but those organizations that choose to opt in and follow the framework's guidelines stand to gain some benefits beyond increased information and established baselines for protection -- such as cybersecurity insurance, liability limitations, grants, process preferences, and streamlined regulations, just to name a few.

"While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments," Daniel blogged.

However, while some of the recommended incentives could be put in place quickly, Daniel added, others would require legislative action and additional maturation of the framework and program itself, in addition to further analysis and dialogue between Congress, the Obama Administration and private sector stakeholders.

"When they talk about incentives programs, the interesting thing that we see is [that] many companies are willing to spend money on visibility and cybersecurity once a breach happens, or once there is a problem, but they aren't necessarily willing to allocate budget upfront," Baso said.

[More on this story: U.S. agencies explore cybersecurity incentives for the private sector]

So the existence of some type of incentive program will hopefully start shifting the focus towards preventative measures, and looking at things before problems happen, instead of trying to remediate after data loss and privacy issues have occurred, Baso noted.

Under the terms of the Executive Order, critical infrastructure is defined as systems and assets, be they physical or virtual, so vital to the U.S. that the "incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

So the planned incentives could cover a large swath of the public and private sector, if they're implemented as outlined. The question remains, however: will they be enough to coax organizations into changing the status quo? Maybe they won't have to be.

According to a study released this week by Experian Data Breach Resolution and the Ponemon Institute, 76 percent of the 18,829 IT professionals interviewed said that guarding against cybersecurity risks ranks higher on the priority scale than natural disasters and other business disruptions.

Those same professionals also say their respective organizations are hedging their bets, as 31 percent of them claim to have cyber insurance, with another 39 percent confirming that such protection is planned in the future. Still, 30 percent said they don't have cyber insurance, and they don't plan to acquire it anytime soon.

So incentives from the White House may help change some hearts and minds. These include cybersecurity insurance, with partnerships between insurers and the government that build better "underwriting practices" and promote the adoption of "risk-based pricing and foster a competitive cyber insurance market," as well as liability limitations that could include "reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements."

"I think that for most companies, it will be a business decision, and it will come down to the financial pros and cons, instead of just from a policy or a principle level [of] 'what's the right thing to do?'" Baso commented, when asked if she felt the incentives would make a difference.

The framework and incentives are far from finalized, but the White House wants to have the discussion, so that's a start.

"While these reports do not yet represent a final Administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order. We will be making more information on these efforts available as the Framework and Program are completed," Daniel concluded.

Stories by Steve Ragan