The Internet Security Alliance (ISA), a broadly focused industry group, has released a report as their entry into a race to be the most helpful in cyber security to the Obama Administration. At the National Press Club on December 3, the release was marked by a lunchtime gathering and short presentation.
Led by the organization’s president, Larry Clinton, a panel announced and summarized the report, titled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model.” This is a concept the ISA proudly points out was one of their main contributions to the May 29 Presidential “Cyber Space Policy Review.” Their recommendations focused on how the government will work with the private sector.
They began by reminding everyone that despite the press coverage and vocal concern shown by leaders in both the public and private sectors, everyone seems to think that cyber security is someone else’s job. Spending is actually going down on security on the commercial side, and at the very least, C Suite leaders expect their IT people to deal with it without any hindrance to business or increased costs.
ISA does not want the government to go forward with an old-style regulation regime. This will stifle innovation, put a big kink in the business models of most companies, cost a fortune and probably not work. Legislated regulations do not exactly move with “internet-like” speed. By the time they are enacted, and enforcement begins, they will be outstripped by new tech advances. Not a good route.
The Alliance points to their Social Contract Model as a better way forward. In a word, it calls for multiple actions that will all incentivize businesses to protect themselves. The guts of the report are a set of fairly practical ideas that could quickly be put in place, and with little emotion or rancor. These begin with an updated Cyber Safety Act, replacing the SAFETY ACT passed after 9/11. This was an anti-terror action that can be broadened to help set standards and promote best practices. They also recommended tying federal monies for grants, etc, to adopt better cyber security regimes.
The third point was to harness the Federal Government’s volume buying power to push manufacturers to provide better protected products. This would push everyone in that direction. Tax breaks for compliance and sound practices were the next recommendation. Direct provision of grants and other funding methods to promote cyber security R&D would help motivate the development of better technologies as well. Two related points were limited liability for actors doing the right things and faster development of viable cyber security insurance. Both are key to a balanced and comprehensive response. The last is a national award for excellence in cyber security.
Most folks in industry will see lots of good things in the ISA proposals, mainly because they share the concern over regulation-based models. This is much more business friendly. Playing devil’s advocate, one does have to ask why the government has to fund business so they’ll be motivated to protect themselves. That said, I also think ISA is on the right track. Their leaders should be congratulated on a good, thoughtful and hopefully adoptable plan.