White House considers incentives for cybersecurity

The White House is considering incentives, including cybersecurity insurance, grants, and liability limits, in order to get organizations in the private sector onboard with investing in cybersecurity

On Tuesday, President Obama's cybersecurity coordinator, Michael Daniel, blogged about a handful of incentives being considered, as the Department's of Homeland Security, Treasury, and Commerce, work with the public and private sectors to establish a cybersecurity framework due in February of 2014.

The cybersecurity framework is part of a larger program, aimed at critical infrastructure, stems from a cybersecurity initiative launched by the Obama Administration in 2009, and continues the plans outlined in an Executive Order issued earlier this year.

The goal of the initiative, and the program itself, is information sharing and the establishment of best practices and guidelines that will ensure organizations (both public and private) are better prepared to deal with cybersecurity issues.

[Related: NIST closer to critical infrastructure cybersecurity framework]

While all of this takes place, the underlying goal of maintaining clear privacy policies that protect the information held by most of these organizations from external and internal risks, forms the third layer of the program — one that government watchdogs say is the most important.

Sarah Baso, OWASP Foundation Executive Director, and Chief Organizer, OWASP's AppSec USA conference, told CSO that the Executive Order itself isn't a much different from what people in InfoSec are already used to dealing with.

"This order is something that is no radical departure from what people in the industry have known for quite a while, that more focus needs to be spent on cybersecurity. That's education, at all levels internally for companies, as well as putting budget allocations towards making these things a higher priority," she said.

Participation in the program is voluntary, but those organizations that choose to opt-in and follow the framework's guidelines stand to gain some benefits outside of increased information and established baselines for protection — such as cybersecurity insurance, liability limitations, grants, process preferences, and streamlined regulations, just to name a few.

"While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments," Daniel blogged.

However, while some of the recommended incentives could be put in place quickly, Daniel added, others would require legislative action and additional maturation of the framework and program itself, in addition to further analysis and dialogue between Congress, the Obama Administration and private sector stakeholders.

"When they talk about incentives programs, the interesting thing that we see is [that] many companies are willing to spend money on visibility and cybersecurity once a breach happens, or once there is a problem, but they aren't necessarily willing to allocate budget upfront," Baso said.

[More on this story: U.S. agencies explore cybersecurity incentives for the private sector]

So the existence of some type of incentive program will hopefully start shifting the focus towards preventative measures, and looking at things before problems happen, instead of trying to remediate after data loss and privacy issues have occurred, Baso noted.

Under the terms of the Executive Order, critical infrastructure is defined as systems and assets, be they physical or virtual, so vital to the U.S. that the "incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

So, the planned incentives could cover a large swath of the public and private sector, if they're implemented as outlined. The question remains however, will they be enough to coax organizations from changing status quo? Maybe they won't have to be.

According to a study released this week from Experian Data Breach Resolution and the Ponemon Institute; 76 percent of the 18,829 IT professionals interviewed said that guarding against cybersecurity risks ranks higher on the priority scale than natural disasters, and other business disruptions.

Those same professionals also say their respective organizations are hedging their bets, as 31 percent of them claim to have cyber insurance, with another 39 percent confirming that such protection is planned in the future. Still, 30 percent said they don't have cyber insurance, and they don't plan to acquire it anytime soon.

So incentives from the White House that include cybersecurity insurance, including partnerships between insurers and the government that build better "underwriting practices" promoting the adoption of "risk-based pricing and foster a competitive cyber insurance market;" as well as liability limitations, that could include "reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements"; may help change some hearts and minds.

"I think that for most companies, it will be a business decision, and it will come down to the financial pros and cons, instead of just from a policy or a principle level [of] 'what's the right thing to do?'" Baso commented, when asked if she felt the incentives would make a difference.

The framework and incentives are far from finalized, but the White House wants to have the discussion, so that's a start.

"While these reports do not yet represent a final Administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order. We will be making more information on these efforts available as the Framework and Program are completed," Daniel concluded.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)