Feds urged to provide cybersecurity incentives

IDG News Service - President-elect Barack Obama needs to take a new approach to cybersecurity, with the government providing incentives for private businesses to adopt security measures, a cybersecurity group said.

The Internet Security Alliance (ISA), a cybersecurity advocacy group, called on Obama to abandon the voluntary approach advocated by President George W. Bush's administration during the past eight years. "The voluntary partnership model of the Bush administration did not work adequately," said Larry Clinton, the ISA's president. "However, a centralized set of regulatory mandates will not meet this international and quickly evolving problem and might even be counterproductive."

The Bush administration's 2002 National Strategy to Secure Cyber Space and later efforts contained "no serious attempt" to address incentives needed for private business to invest in cybersecurity, the report said.

Half of all senior executives do not know how much money their companies have lost from cyberattacks, the ISA said. One third of companies in a recent survey don't use firewalls, and nearly half didn't use encryption, the group said.

A new ISA report, "The Cyber Security Social Contract" (download PDF), released Tuesday, recommends that the U.S. government establish incentives -- tax breaks, small-business loans or lawsuit protection -- for private companies to invest in cybersecurity.

"We are now past the time when government can hope that industry will simply fulfill the role of fully funding cyberinfrastructure security," the report said.

It's unclear how much the ISA's recommendations would cost.

The report calls on the government to set up a comprehensive and "aggressive" cybersecurity education program targeted at senior executives at businesses. And it calls for an extensive program to improve the U.S. government's own cybersecurity efforts, targeted at fixing problems at many agencies receiving poor grades on annual Federal Information Security Management Act (FISMA) reports.

The report also lays out the cybersecurity challenges for several U.S. industries, including banking, communications and manufacturing. It asks representatives of those industries to detail what they'd tell Obama about cybersecurity needs.

For example, an unnamed representative of the banking industry said that U.S. cybersecurity "cannot be successfully defended or mitigated against using our current paradigm of thinking."

Instead, companies need better software quality and assurance, protection from lawsuits, a robust cyberinsurance program and better education programs, the banking representative said.

ISA officials said they're confident the Obama administration will be open to the recommendations.

"The good news is that we actually do know a great deal about how to secure our cybersystems," Clinton said. "Independent research and anecdotal reports from information security officials both indicate that as much as 80% to 90% of our current problem could be successfully addressed if we simply get people to adopt the security practices that have been demonstrated to work."

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.