The implementation of President Obama’s executive order (EO) on cybersecurity is appropriately turning to incentives, which have been described in recent forums as including:
- Liability protection for the use of cybersecurity technologies and standards;
- Liability protection for information sharing;
- Cyber insurance; and
- Providing expedited security clearances for cybersecurity professionals in critical infrastructure organizations.
On their face, each of these ideas makes sense; for the framework under the EO to decrease our nation’s risk from cyber threats, however, the incentives will actually have to realize meaningful adoption of the standards among critical infrastructure owners and operators. The Devil’s in the details, and the details are where this laudable focus on incentives will motivate companies to adopt the framework under the EO. As the Department of Homeland Security and others consider incentives, they may want to look closely at existing incentives and a couple of other recommendations.
For example, liability protection for cybersecurity technologies is great, but would its existence mean that more firms adopt the standards? Not necessarily. Consider the SAFETY Act program, which was intended to provide liability protection for homeland security technologies writ large. While it was initially thought that the SAFETY Act program would be flooded with applications, it has not yet demonstrated that the existence of a liability-protection program guarantees a large amount of participation. Policymakers may want to consider examining the SAFETY Act program with potential adopters of the new EO standards and determine whether and how the program can be modified to encourage their participation. A new liability protection incentive should not be created until it is clear that the SAFETY Act program is insufficient.
Similarly, liability protection programs for information sharing can incent firms to access and use information to manage risks to both them and the country, but firms must have confidence in the program. Outside of classified national security information, there is a DHS program established by the Homeland Security Act of 2002 that facilitates the voluntary sharing of critical infrastructure information between government and the private sector—the Protected Critical Infrastructure Information (PCII) Program. PCII prohibits relevant information from being disclosed through a Freedom of Information Act request, or through a request under a similar state, tribal, or territorial disclosure law; disclosed in civil litigation; or used for regulatory purposes. Could the protections afforded by this program dispel industry’s liability concerns associated with cybersecurity? If they do not, what adjustments would need to occur to galvanize meaningful participation in the EO’s framework?
The cyber insurance question is an interesting one, but the EO’s implementation may not be able to totally resolve it. Because of the complexity of growing a cybersecurity insurance market, which has been chronicled, policymakers may want to consider a joint effort with industry to engage state insurance commissioners in a discussion of how to grow this area. Likewise, it is important that anyreauthorization of the Terrorism Risk Insurance Act is consistent with the goal of building an effective cybersecurity insurance market.
When it comes to providing clearances to representatives of critical infrastructure owners and operators so they can access relevant information, it is important to note that such programs currently exist. The focus should be on making these programs work even more effectively so that they process clearances in a quick, responsible manner.
There are other incentives policymakers may want to consider outside of security clearances and liability protection for the adoption of standards and information sharing. In addition to working with state insurance commissioners and industry on how to further mature the cybersecurity insurance market, below are a couple of other suggestions for consideration.
1. One potential incentive that should not be ignored is tax breaks or credits for adopting standards. While this would potentially help galvanize participation in the program, there is a cost consideration. A potential approach may be the use of a tax break or tax credit “trigger,” where participating firms would receive a break or credit if a certain number of critical infrastructure firms adopt the standards, thereby enlisting interested firms in the effort to broaden adoption of the standards.
2. The legal community should be consulted about whether the existence of cybersecurity standards actually creates a standard of care among firms at risk to cyber attacks. If they do, that may create a very strong incentive for firms to adopt the standards.
When considering the incentive options above, there are at least a handful of questions to consider:
- What number of adopters equates with success?
- What incentives will be the proximate cause of a significant number of firms adopting the standards?
- How does the existence of current, similar incentives impact the calculus of whether various incentives will be effective?
- Do current incentives need to be modified or do new ones need to be created?
- Regardless of whether there are modifications to existing incentives or the creation of new ones, is their cost offset by the benefit of increased standard adoption?
My recommendation is that incentives should only be promoted if they will proximately cause standard adoption that meaningfully reduces cyber risk to critical infrastructure. Policymakers and critical infrastructure owners and operators would be right to look at those incentives that currently exist and consider how they can be modified. Furthermore, modifications to existing programs will likely be far easier to make because they can potentially be executed administratively without the need for new legislation.
As the cybersecurity community implements the EO, incentives are a key element of success. Discussions underway between government and industry should identify those incentives that will actually create participation, and that conversation should start with the incentives we currently have.
Mike Beland is an Adjunct Professor at the University of Maryland Francis King Carey School of Law. He previously served as the Chief of Staff at the DHS Office of Infrastructure Protection in the Obama Administration and as Subcommittee Staff Director and Counsel at the Committee on Homeland Security in the U.S. House of Representatives.