
Start with National Strategy to Secure Cyber Space 2002


National Strategy proposed private sector would see ROI (e.g. business efficiency etc.) in investing in cyber security.
So market forces would efficiently evolve and solve --- no incentives in Nat Strategy.
2009: we have bigger problem w/cyber security including national security issues.
Therefore there has been a market failure in cyber security.

Lack of Cyber Investment is not the result of Market Failure


Efficient Market Hypothesis (popular from the early 80s to the first half of this decade) says markets act rationally, as proven by math models.
Hence private sector should see the wisdom and efficiently invest in cyber security.
Efficient market has been replaced by Behavioral Economics.
Behavioral economics holds that markets are affected by non-rational actions and require actions to move them, e.g. incentives & regulation.

Cyber Security Fits into Behavioral Economics


Market has worked to improve cyber security --- just not efficiently (i.e. not 100%).
Nat Security is not a Priv. Sector Goal, hence investment is not efficient (or sufficient) to fully meet National Security demands.
Cyber systems are not broken --- they are under attack, i.e. affected by independent behaviors.
Goal of cyber attack may not be point of vulnerability exploited, hence insufficient market incentive at point of initial attack.

Goals: Based on Comprehensive National Cyber Initiative (Proj. 12)


Recommend a set of incentives, across all Critical Infrastructure and Key Resources (CIKR) sectors, to drive improvement in the private sector's cyber security posture where market forces alone yield an insufficient value proposition.

Obama Cyber Space Policy Review


Action Plan Item 14: Refine government procurement strategies and improve market incentives for secure and resilient hardware and software products, new security innovation and management services.

Obama Cyber Space Policy Review Action Plans


Action Plan Item 2: Prepare an updated strategy to secure information infrastructure. This strategy should include continued evaluation of the Comprehensive National Cyber Initiative (CNCI) activities and build on its successes.

Obama Cyber Space Policy Review


The government should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability indemnification, tax incentives, new regulatory requirements and compliance mechanisms.

CSCSWG Process & Findings


Began bi-weekly meetings in February.
Concluded: The Government can, through the adoption of incentives, change the value proposition for companies and encourage the broad adoption of sound cyber security practices across all CIKR sectors.
Different incentives may be appropriate for different sectors --- or businesses.
Research shows existing practices can produce dramatic improvements in cyber security.

Macro Issues to be Addressed


Are there behaviors that deserve to be incented?
How do we decide what is to be incented?
Is there a role for regulatory bodies in this process?
What should the incentives be?
How do we monitor compliance?

Who Determines, and Role for Regulators


Incentives ought to be available to proven techniques as determined by:
Federal regulators; or
Recognized standard setting organizations (NIST/ANSI/ISO etc.); or
Accredited security certified or self regulatory organizations such as PCI/NASD/insurance

High Recommend/Recommend/Consider/Not Recommended


BASED ON:
Cost (money/people/time etc. to develop and implement)
Breadth of Impact
Depth of Impact
Immediacy and duration of impact
Negative effects of adoption

High: Tie Fed $ to adopting proven practices/standards and tech


Pros: low cost to companies/no sig impact on fed budget/quick impact/evolve test for compliance as $ is renewed/reach beyond CIKR
Cons: Administrative to determine what qualifies/Requires coordination across govt/possible budget increase if expanded

High: Develop Cyber Insurance


Pros: Insurers will require adequate security because their money is at stake/private sector compliance testing saves govt. $/Can quickly evolve requirements to meet new threats/offsets govt. risk in major event/distributes risk broadly
Cons: Market needs development (but data now available)/May require initial Govt. revolving fund as w/crop and flood insur./Must be perceived business case for buyers

Leverage Purchasing Power of Fed Govt.


Pros: Increases security in high value systems/Builds market for baked in security, thus lowering costs for others/Makes US a positive example
Cons: Will increase cost to govt./Could push out otherwise qualified suppliers/Requires changes to FAR and DFAR/Need inter-agency support

High: Create Cyber Safety Act


Pros: Already a successful program for physical security (provides marketing and insurance benefits)/Builds on Govt. certification/Would drive development and acceptance of new technologies & practices keeping up with threat/Inexpensive
Cons: Need to amend current SAFETY Act/Must develop cyber based certification procedures w/in DHS

Recommend: Link Cyber security to small business contracts/loans


Pros: Address a critical under secured area/Low cost/Fits with overall education objectives
Cons: Could raise cost of loans/contracts/Requires broad inter-agency buy in/requires changes to FAR and DFAR

Recommended: Liability reform and safe harbors


Pros: Appeals to the highest levels of business/Encourages innovation/Rewards good actors/Reduce costly litigation/Virtually no economic cost/Can provide various levels of protection for levels of security
Cons: Assessing liability is difficult/Possibly politically difficult/Govt. or private system to certify needs to be created

Recommend: Grants for Cyber R & D


Pros: Reduce cost to private sector for developing and deploying technologies/Allows Govt. to target R&D money/Pushes game changing technologies
Cons: Increased spending/Questions as to if this is proper role for govt (competing with private sector) and if it is cost effective

Recommended: Direct funding for Cyber R & D


Pros: Reduce cost to private sector for developing and deploying technologies/Allows Govt. to target R&D money/Pushes game changing technologies
Cons: Increased spending/Questions as to if this is proper role for govt (competing with private sector) and if it is cost effective

Consider: Tax Incentives


Pros: Lowers cost of improving security/relatively immediate impact/can be adapted to size and needs as they change/broad reach
Cons: Costs would be high/Questionable cost effectiveness/political difficulty/new govt. auditing

Consider: Streamline Regulation


Pros: Focus on security as opposed to compliance/increased clarity reduces costs for industry, increasing compliance/Eliminate confusion
Cons: Difficult to align multitude of laws/Would changes be significant enough to improve security?/push back from states & locals/Could create a low ceiling

Consider: Awards for Cyber Security


Pros: Consistent with education/awareness theme/low cost/provides market orientation (Baldrige)
Cons: Questionable impact/Create new targets/difficulty in setting criteria for awards

Consider: Include Cyber security in regulatory base


Pros: Captures true cost of service/allows rate payers to determine market value for cyber security
Cons: Strict rate base regulation is largely outmoded/new technologies such as VOIP don't fit well into rate base criteria/Most such determinations are at state & local level, requiring education of regulators

Not Recommended: Mandating Standards


Pros: Easily adapted to regulated sectors/Establishes minimum criteria/promotes certainty and clarity/Can act fast
Cons: Current standards have low compliance/Compliance is often check the box w/no link to improved security/costly for govt. and industry/fails to keep pace w/tech and threats/limited scope/politically weakened/would drive business offshore/provides floors when we need ceilings
