Voluntary cybersecurity approach not good enough

Find opportunities — and win them.

The approach laid out by the Bush administration is missing incentives to encourage companies to invest beyond their corporate interests, according to a new report.

The market-based, voluntary approach that the Bush administration has used to encourage companies to improve cybersecurity is not sufficient and the incoming Obama administration should form a cybersecurity social contract with industry based on economic incentives, according to a new report by a trade association.

The Internet Security Alliance (ISAlliance) released a report yesterday suggesting a cybersecurity social contract through which government would encourage and reward corporations by potentially working cybersecurity into procurement and loan processes, along with possible awards programs that could be used as marketing advantages.

The group said the voluntary approach laid out by the Bush administration has not been sufficient because it is missing incentives to encourage companies to invest beyond their corporate interests and for the greater public good of cybersecurity. The organization said government mandates were not the right approach, in part because of the global nature of the Internet and the negative effects they could have on U.S. industry.

The report urged the incoming Obama administration to move beyond the "informal, Washington, D.C.-centered partnerships of the past."

"Industry and government must construct a mutually beneficial social contract which addresses, creatively and pragmatically, the security of our cyber infrastructure," ISAlliance said.

The group's board includes representatives from Verizon, the National Association of Manufacturers, Nortel, the CyLab at Carnegie Mellon University, Raytheon, and Northrop Grumman.

The ISAlliance report said that a conceptual framework of the "social contract" would identify and address the government's role, industry's role and the incentives that government will provide industry and what behaviors will be motivated.

The report said cybersecurity needed to be understood as an enterprise risk management issue rather than an IT issue. The board said the "social contract" was similar to the approach government took with utilities in the early 1900s to encourage the companies to make the investments to make services universal.

Bush administration officials have said involvement with the private sector is a key focus of the multiyear, multibillion-dollar Comprehensive National Cybersecurity Initiative the president kicked off by signing a classified directive in January.

Larry Clinton, president of the ISAlliance, said that although corporations have been working with the Homeland Security Department, there is still work to be done. He said the engagement between government and industry on the issue needed to extend beyond council groups to develop products.

"There is a public interest in the entire system being upgraded and government needs to deal with industry at the business plan level," he said.

Ben Bain writes for Federal Computer Week, an 1105 Government Information Group publication.