White House considers incentives for cybersecurity
The White House is considering incentives, including cybersecurity insurance, grants, and liability limits, in order to get organizations in the private sector on board with investing in cybersecurity.
By Steve Ragan, Staff Writer
August 07, 2013 — CSO —
On Tuesday, President Obama's cybersecurity coordinator, Michael Daniel, blogged about a handful of incentives being considered, as the Departments of Homeland Security, Treasury, and Commerce work with the public and private sectors to establish a cybersecurity framework due in February of 2014.
The cybersecurity framework is part of a larger program, aimed at critical infrastructure, that stems from a cybersecurity initiative launched by the Obama Administration in 2009 and continues the plans outlined in an Executive Order issued earlier this year.
The goal of the initiative, and the program itself, is information sharing and the establishment of best practices and guidelines that will ensure organizations (both public and private) are better prepared to deal with cybersecurity issues.
While all of this takes place, the underlying goal of maintaining clear privacy policies that protect the information held by most of these organizations from external and internal risks forms the third layer of the program — one that government watchdogs say is the most important.
Sarah Baso, OWASP Foundation Executive Director and Chief Organizer of OWASP's AppSec USA conference, told CSO that the Executive Order itself isn't much different from what people in InfoSec are already used to dealing with.
"This order is something that is no radical departure from what people in the industry have known for quite a while, that more focus needs to be spent on cybersecurity. That's education, at all levels internally for companies, as well as putting budget allocations towards making these things a higher priority," she said.
Participation in the program is voluntary, but those organizations that choose to opt in and follow the framework's guidelines stand to gain some benefits outside of increased information and established baselines for protection — such as cybersecurity insurance, liability limitations, grants, process preferences, and streamlined regulations, just to name a few.
"While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments," Daniel blogged.
However, while some of the recommended incentives could be put in place quickly, Daniel added, others would require legislative action and additional maturation of the framework and program itself, in addition to further analysis and dialogue between Congress, the Obama Administration and private sector stakeholders.
"When they talk about incentives programs, the interesting thing that we see is [that] many companies are willing to spend money on visibility and cybersecurity once a breach happens, or once there is a problem, but they aren't necessarily willing to allocate budget upfront," Baso said.