Co-authored by first time contributor Colin Bortner
The Internet Security Alliance released a report, “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” yesterday responding to Obama administration’s Cyber Space Policy Review. The report takes a broad view of cybersecurity and tackles everything from information sharing to securing the IT supply chain, but its most substantive proposal is a public private-model to enhance cybersecurity though market incentives.
The report strives to align the President’s Cyber Space Policy Review, completed in May, with points raised in the the Cyber Security Social Contract: Recommendations for the Obama Administration, published by ISA a year ago. As noted by ISA then, the social contract:
is essentially a deal between industry and government wherein both entities agree to provide services and receive benefits resulting in a larger social good.
The social contract ISA is proposing is based on the agreement between government and the utilities in the early 20th century which had the goal of providing universal phone, power and light service to Americans. That model worked.
The Contract had two key elements:
“First is the realization that cyber security is not a purely technical problem. Rather, cyber security is an enterprise-wide risk management problem which must be understood as much for its economic perspectives as for its technical issues.”
“The second key element is that, at this point, government’s primary role ought to be to encourage the investment required to implement the standards, practices, and technologies that have already been shown to be effective in improving cyber security.”
The public-private model outlined in the report released yesterday calls for the establishment a family of incentives and a body charged with evaluating and grading security certifications. The various grades of certification would be mapped to the various incentives so that certification x would yield incentive a, while certification y would yield incentive b.
The incentives that ISA suggests include basic tax incentives, access to Federal grants, participation in Federal procurement, a Cyber Safety Act (modeled after the Safety Act providing limited liability in the case of a cyber incident), and national awards for cybersecurity, among other recomendations. ISA envisions the certification to be a stamp of compliance with an established open standard, such as those developed and maintained by ISO and NIST, or a proprietary, sector-specific certification, such as PCI-DSS for the payments industry.
The model aims to accommodate an ecosystem of certifications that are both tailored to fit the needs of different industries or organizations and which provide different levels of security at different costs (and rewards). ISA predicts that this would create a competitive marketplace of Federally-blessed certification organizations that compete to win access to greater incentives for their customers at lower costs.
The ISA Report largely reiterates the views advocated by ISA over the last several years. As a non-profit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University’s CyLab, ISA represents corporate interests from the Defense & Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries. Focusing on the Internet economy sectors, it makes sense that ISA would promote insurance and incentives over pure regulation.
Unfortunately, without high-level leadership in the White House on cybersecurity, a review of ISA’s and others views and proposals are lagging. The Department of Homeland Security, led by Rand Beers, Phil Reitinger, and Greg Schaffer in the National Protection and Programs Directorate (NPPD), is getting its house in order and making headway on DHS’s efforts to better streamline and secure government systems. Hopefully, with the new Assistant Secretary of Private Sector Douglas Smith, the folks at NPPD can strengthen their public-private sector outreach. That will only be 1/2 the puzzle, however, if they do not have a strong advocate in the White House for their operational and policy efforts.