2009 07 00 Author Unknown CSCSWG Incentives Presentation

7/31/2019 2009 07 00 Author Unknown CSCSWG Incentives Presentation

1/24

StartwithNa*onalStrategytoSecure

CyberSpace2002

Na*onalStrategyproposedprivatesectorwouldseeROI(e.g.businessefficiencyetc.)ininves*ngincybersecurity.

Somarketforceswouldefficientlyevolveandsolve---noincen*vesinNatStrategy

2009wehavebiggerproblemw/cybersecurityincludingna*onalsecurityissues

Thereforetherehasbeenamarketfailureincybersecurity


2/24

LackofCyberInvestmentisnotthe

resultofMarketFailure

EfficientMarketHypothisis(popularearly80-firsthalforthisdecade)saysmarketsactra*onallyasprovenbymathmodels

Henceprivatesectorshouldseethewisdomandefficientlyinvestincybersecurity EfficientmarkethasbeenreplacedbyBehavioralEconomics

Behavioraleconomicsholdsthatmarketsareeffectedbynon-ra*onalac*onsandrequireac*onstomovetheme.g.incen*ves&regula*on


3/24

CyberSecurityFitsintoBehavioral

Economics

Markethasworkedtoimprovecybersecurity---justnotefficiently(i.e.not100%)

NatSecurityisnotaPriv.SectorGoalhenceinvestmentisnotefficient(orsufficient)tofullymeetNa*onalSecuritydemands

Cybersystemsarenotbroken---theyareundera[ack,i.e.effectedbyindependentbehaviors

Goalofcybera[ackmaynotbepointofvulnerabilityexploited,henceinsufficientmarketincen*veatpointofini*ala[ack


4/24

Goals:BasedonComprehensive

Na*onalCyberIni*a*ve(Proj.12)Recommendasetofincen.ves,acrossallCri.calInfrastructureandKey

Resources(CIKR)sectors,todriveimprovementintheprivatesectorscybersecurityposturewheremarket

forcesaloneyieldaninsufficientvalue

proposi.on


5/24

ObamaCyberSpacePolicyReview

Ac*onPlanItem14:Refinegovernment

procurementstrategiesandimprovemarket

incen*vesforsecureandresilienthardware

andsowareproducts,newsecurity

innova*onandmanagementservices.


6/24


Ac*onPlans

Ac*onPlanItem2:Prepareanupdatedstrategytosecureinforma*oninfrastructure.

Thisstrategyshouldincludecon*nued

evalua*onoftheComprehensiveNa*onal

CyberIni*a*ve(CNCI)ac*vi*esandbuildon

itssuccesses.


7/24


Thegovernmentshouldiden*fyprocurement

strategiesthatwillincen*vizethemarketto

makemoresecureproductsandservices

availabletothepublic.Addi*onalincen*ve

mechanismsthatthegovernmentshould

exploreincludeadjustmentstoliability

indemnifica*on,taxincen*ves,newregulatoryrequirementsandcompliance

mechanisms.


8/24

CSCSWGProcess&Findings

Beganbi-weeklymee*ngsinFebruary Concluded:TheGovernmentcan,throughtheadop*onofincen*ves,changethevalue

proposi*onforcompaniesandencouragethebroadadop*onofsoundcybersecurityprac*cesacrossallCIKRsectors.

Differentincen*vesmaybeappropriatefordifferentsectors---orbusinesses

Researchshowsexis*ngprac*cescanproducedrama*cimprovementsincybersecurity


9/24

MacroIssuestobeAddressed

Aretherebehaviorsthatdeservetobeincented?

Howdowedecidewhatistobeincented Istherearoleforregulatorybodiesinthisprocess?

Whatshouldtheincen*vesbe?

Howdowemonitorcompliance?


10/24

Whodeterminesandrolefor

Regulators

Incen*vesoughttobeavailabletoproventechniquesasdeterminedby:

Federalregulators;or Recognizedstandardsengorganiza*ons(NIST/ANSI/ISOetc.);or

Accreditedsecuritycer*fiedorselfregulatoryorganiza*onssuchasPCI/NASD/insurance


11/24

HighRecommend/Recommend/

Consider/NotRecommended

BASEDON

Cost(money/people/*meetc.todevelopandimplement)

BreadthofImpact DepthofImpact Immediacyanddura*onofimpact Nega*veeffectsofadop*on


12/24

High:TieFed$toadop*ngproven

prac*ces/standardsandtech

Pros:lowcosttocompanies/nosigimpactonfedbudget/quickimpact/evolvetestfor

complianceas$isrenewed/reachbeyond

CIKR

Cons:Administra*vetodeterminewhatqualifies/Requirescoordina*onacrossgovt/

possiblebudgetincreaseifexpanded


13/24

High:DevelopCyberInsurance

Pros:Insurerswillrequireadequatesecuritybecausetheirmoneyisatstake/privatesectorcompliancetes*ngsavesgovt.$/Canquicklyevolverequirementstomeetnewthreats/off

setsgovt.riskinmajorevent/distributesriskbroadly

Cons:Marketneedsdevelopment.(butdatanowavailable)Mayrequireini*alGovt.revolvingfundasw/cropandfloodinsur.Mustbeperceivedbusinesscaseforbuyers


14/24

LeveragePurchasingPowerofFed

Govt.

Pros:Increasessecurityinhighvaluesystems/Buildsmarketforbakedinsecurity,thus

loweringcostsforothers.MakesUSaposi*ve

example

Cons:Willincreasecosttogovt./Couldpushoutotherwisequalifiedsuppliers/Requires

changestoFARandDFAR/Needinter-agencysupport


15/24

High:CreateCyberSafetyAct

Pros:Alreadyasuccessfulprogramforphysicalsecurity(providesmarke*ngandinsurancebenefits)BuildsonGovt.

cer*fica*on.Woulddrivedevelopmentandacceptanceofnewtechnologies&prac*ceskeepingupwiththreat.Inexpensive

Cons:NeedtoamendcurrentSAFETYAct.Mustdevelopcyberbasedcer*fica*onproceduresw/inDHS


16/24

Recommend:LinkCybersecurityto

smallbusinesscontracts/loans

Pros:Addressacri*calundersecuredarea.Lowcost.Fitswithoveralleduca*on

objec*ves

Cons:Couldraisecostofloans/contracts/Requiresbroadinter-agencybuyin/requires

changestoFARandDFAR


17/24

Recommended:Liabilityreformand

safeharbors

Pros:AppealstothehighestlevelsofbusinessEncouragesinnova*on.Rewardsgoodactors.Reducecostlyli*ga*on.Virtuallynoeconomic

cost.Canprovidevariouslevelsofprotec*onforlevelsofsecurity

Cons:Assessingliabilityisdifficult.Possiblypoli*callydifficult.Govt.orprivatesystemtocer*fyneedstobecreated


18/24

Recommend:GrantsforCyberR&D

Pros:Reducecosttoprivatesectorfordevelopinganddeployingtechnologies.

AllowsGovt.totargetR&Dmoney.Pushes

gamechangingtechnologies.

Cons:Increasedspending/Ques*onsastoifthisisproperroleforgovt(compe*ngwith

privatesector)andifitiscosteffec*ve


19/24

Recommended:Directfundingfor

CyberR&D

Pros:Reducecosttoprivatesectorfordevelopinganddeployingtechnologies.

AllowsGovt.totargetR&Dmoney.Pushes

gamechangingtechnologies.

Cons:Increasedspending/Ques*onsastoifthisisproperroleforgovt(compe*ngwith

privatesector)andifitiscosteffec*ve


20/24

Consider:TaxIncen*ves

Pros:Lowerscostofimprovingsecurity/rela*velyimmediateimpact/canbeadapted

tosizeandneedsastheychange/broadreach.

Cons:Costswouldbehigh/Ques*onablecosteffec*veness/poli*caldifficulty/newgovt.

audi*ng.


21/24

Consider:StreamlineRegula*on

Pros:Focusonsecurityasopposedtocompliance/increasedclarityreducecostsfor

industryincreasingcompliance/Eliminate

confusion

Cons:Difficulttoalignmul*tudeoflaws/Wouldchangesbesignificantenoughto

improvesecurity/pushbackfromstates&locals.Couldcreatealowceiling


22/24

Consider:AwardsforCyberSecurity

Pros:Consistentwitheduca*on/awarenesstheme/lowcost/providesmarketorienta*on

(Baldridge)

Cons:Ques*onableimpact/Createnewtargets/difficultyinsengcriteriaforawards


23/24

Consider:IncludeCybersecurityin

regulatorybase

Pros:Capturestruecostofservice/allowsratepayerstodeterminemarketvalueforcybersecurity

Cons:Strictratebaseregula*onislargelyoutmoded/newtechnologiessuchasVOIP

dontfitwellintoratebasecriteria/Mostsuchdetermina*onsareatstate&locallevelrequiringeduca*onofregulators


24/24

NotRecommended:Manda*ng

Standards

Pros;Easilyadaptedtoregulatedsectors/Establishesminimumcriteria/promotescertainty

andclarity/Canactfast

Cons:Currentstandardshavelowcompliance/Complianceisoenchecktheboxw/nolinkto

improvedsecurity/costlyforgovt.andindustry/

failstokeeppacew/techandthreats/limitedscope/poli*callyweakened/woulddrivebusiness

offshore/providesfloorswhenweneedceilings

2009 07 00 Author Unknown CSCSWG Incentives Presentation

Documents