Homeland Security Watch

News and analysis of critical issues in homeland security

December 4, 2009

ISA Issues Report: Incentivize Don’t Regulate

Filed under: Cybersecurity,General Homeland Security — by Jessica Herrera-Flanigan on December 4, 2009

Co-authored by first time contributor Colin Bortner

The Internet Security Alliance released a report, “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” yesterday, responding to the Obama administration’s Cyber Space Policy Review. The report takes a broad view of cybersecurity and tackles everything from information sharing to securing the IT supply chain, but its most substantive proposal is a public-private model to enhance cybersecurity through market incentives.

The report strives to align the President’s Cyber Space Policy Review, completed in May, with points raised in the Cyber Security Social Contract: Recommendations for the Obama Administration, published by ISA a year ago. As noted by ISA then, the social contract:

is essentially a deal between industry and government wherein both entities agree to provide services and receive benefits resulting in a larger social good.

The social contract ISA is proposing is based on the agreement between government and the utilities in the early 20th century which had the goal of providing universal phone, power and light service to Americans. That model worked.

The Contract had two key elements:

“First is the realization that cyber security is not a purely technical problem. Rather, cyber security is an enterprise-wide risk management problem which must be understood as much for its economic perspectives as for its technical issues.”

“The second key element is that, at this point, government’s primary role ought to be to encourage the investment required to implement the standards, practices, and technologies that have already been shown to be effective in improving cyber security.”

The public-private model outlined in the report released yesterday calls for the establishment of a family of incentives and a body charged with evaluating and grading security certifications. The various grades of certification would be mapped to the various incentives, so that certification x would yield incentive a, while certification y would yield incentive b.

The incentives that ISA suggests include basic tax incentives, access to Federal grants, participation in Federal procurement, a Cyber Safety Act (modeled after the SAFETY Act, providing limited liability in the case of a cyber incident), and national awards for cybersecurity, among other recommendations. ISA envisions the certification as a stamp of compliance with an established open standard, such as those developed and maintained by ISO and NIST, or with a proprietary, sector-specific certification, such as PCI DSS for the payments industry.

The model aims to accommodate an ecosystem of certifications that are tailored to fit the needs of different industries or organizations and that provide different levels of security at different costs (and rewards). ISA predicts that this would create a competitive marketplace of Federally-blessed certification organizations that compete to win access to greater incentives for their customers at lower costs.

The ISA Report largely reiterates the views advocated by ISA over the last several years. As a non-profit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University’s CyLab, ISA represents corporate interests from the Defense & Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries. Given its focus on the Internet economy sectors, it makes sense that ISA would promote insurance and incentives over pure regulation.

Unfortunately, without high-level leadership in the White House on cybersecurity, review of ISA’s and others’ views and proposals is lagging. The Department of Homeland Security, led by Rand Beers, Phil Reitinger, and Greg Schaffer in the National Protection and Programs Directorate (NPPD), is getting its house in order and making headway on DHS’s efforts to better streamline and secure government systems. Hopefully, with the new Assistant Secretary for the Private Sector, Douglas Smith, the folks at NPPD can strengthen their public-private sector outreach. That will only be half the puzzle, however, if they do not have a strong advocate in the White House for their operational and policy efforts.


3 Comments

Comment by William R. Cumming

December 4, 2009 @ 6:26 am

Recognition of the “public commons” will always require the best and brightest to lead! Protecting and regulating the commons requires the same. Unfortunately, here it looks like socialization of the costs, and privatization of all the benefits, is the goal. Hoping I am wrong as always. Still the report does provide a useful basis for discussion and yes, unless there is established a statutory merger of Cyber Security and Computer Security efforts (CIP and OMB A-130 efforts) looking like limited federal role for good but a lot for bad. Betting by fall of 2017 the then two-decades-old identification of cyber security as rivaling or of even more importance than the physical security model will have been well established by catastrophic cyber and computer security real-world events! I really wonder if WMD will become Weapons of Mass Disruption? Time will tell!

Comment by William R. Cumming

December 4, 2009 @ 7:03 pm

Post script: I rate cyber security just below WMD attacks as the preeminent challenge to US national security. Running down AQ and the Taliban in the AF-PAK Theatre is only important as they relate to these issues and subjects! IMO of course. Discussion?

Pingback by ARCHIVED 12/4/09 | Internet Security Alliance

July 25, 2012 @ 1:32 pm

[…] To view the original article please click here. […]
