Say what you will about President Obama's Administration, but one thing it can never be accused of is downplaying or ignoring the threat of cyber-attacks. The White House has made cybersecurity one of its top priorities, topping off its efforts with an Executive Order that set out to do many things, including establishing a "Cybersecurity Framework" that would set forth basic measures companies could take to protect themselves from a range of cyber-attacks.
As part of that EO, the Departments of Homeland Security, Commerce, and Treasury were tasked with identifying positive incentives that could be used to encourage companies to adopt the Cybersecurity Framework. The White House just released its list of incentives under consideration. Incentives were needed because, honestly, the White House does not have all the authority it needs to compel cybersecurity measures throughout the U.S. economy.
I won't go into the merits of compelling cybersecurity actions through compulsory requirements, as that is a discussion for another day. What I can say though is that before we even know what the Cybersecurity Framework looks like, the inter-agency group and the White House have put together some potentially interesting and attractive incentives options. The possible incentives include:
• Cybersecurity Insurance -- Working with the insurance industry is under consideration to develop the standards, procedures, and other measures that comprise the Framework and the Voluntary Program that will implement it. The goal here is to familiarize the insurance sector with the Framework and Voluntary Program so that ultimately cyber insurance underwriting rewards companies will adopt the Framework with better pricing and limits. The idea of offering premium discounts for "good" cybersecurity programs is attractive, but getting insurance carriers to put that into effect will take a great deal of work. And, we also have to make sure that the carriers have enough capacity to handle the demand for cyber insurance. That might require linking the Framework and cybersecurity in general to the insurance backstop program known as TRIA (Terrorism Reinsurance Act). TRIA guarantees the availability of funds for catastrophic terrorist attacks, and going forward cyber may have to be linked in as well. Finally, let's also remember that there is a world of difference between selling an insurance policy and paying out claims on said policies. Policyholders will need assurances that their claims will be honored. Without faith in that result, this incentive will face strong headwinds.
• Grants -- Also suggested was using federal grant programs to incentivize participation in the Framework and Voluntary Program. This, too, is a great idea. DHS alone has over $2 billion in grant funds available annually to state, local, and tribal governments. Those funds can be used to purchase cybersecurity equipment and training, and should be spent on just such activities. The key here will be to ensure that grant funds are made available to the private sector as well, as they are the main target of the Framework and Program. Spending money to secure public infrastructure from cyber threats is wise and overdue, but the White House has to make sure funds are available for all key players.
• Process Preference -- One interesting incentive forwarded was expediting government assistance for Framework and Voluntary Program adoptees. This could be helpful, but we also shouldn't let non-participation be an obstacle to obtaining government help. Tread lightly here.
• Liability Limitation -- This is one of my personal favorites. Further investigation will be conducted to see if the promise of liability protections like reduced tort liability, higher burdens of proof, or preemption of State disclosure requirements will encourage companies to adopt the Framework and Program. If done right, I think it will. Companies are deathly afraid of liability, as evidenced by increased worries by Boards and the C-suite regarding cyber exposure. I also strongly believe that liability protection should be available regardless of whether a company opts in to the Framework and Voluntary Program. Companies can pursue this right now through the DHS administered "SAFETY Act". That program was created post 9/11 to incentivize the deployment of anti-terrorism technologies, and it also applies to cyber-attacks. It is a great program that already exists, is well run, and is trusted (especially as a form of "public recognition", which is another incentive option). Key here is to encourage liability protection whether as part of the Framework adoption or just the implementation of good cybersecurity measures.
• Rate Recovery for Price Regulated Industries -- One other area mentioned was working with federal, state, and local regulators and sector specific agencies to determine whether utility rates could be set to allow for the "recovery" of investments made on cybersecurity investments. This is somewhat of a no-brainer ... if utilities can recover the cost of trimming trees to prevent power outages, they should also be able to tack on a few dollars per month to pay for cybersecurity investments. And in reality state and local public utility commissions are the best place to determine whether a company needs to add on charges to recover cybersecurity costs or if they can pay for that with existing rates.
Other ideas under consideration include streamlining regulations (always a good idea) and increased cybersecurity research and development (needed, but likely being handled by the private sector).
I think the report is an excellent start on determining how to encourage companies to do more with respect to cybersecurity. Truthfully, many of these incentives should be offered if companies implement measures that can be shown to be just as effective than the Framework and Voluntary Program. The big challenge here, though, is whether the incentives -- no matter how good they are -- can encourage the adoption of a Framework no one has seen. If no one likes that Framework, well then we have a lot more work to do.