DHS Analysis of Cybersecurity Incentives Highlights Compensation and Liability Protections
A preliminary Department of Homeland Security analysis of cybersecurity incentives found that grants to non-price-regulated industries, as well as including the cost of cybersecurity in the base rate for services in price-regulated industries, were the “most effective and efficient” incentives to encourage industry participation in the Obama administration’s efforts to improve cybersecurity in critical infrastructure -- but they also respectively carry the highest cost for the government and consumers, according to a copy of the study we obtained Friday. The document, circulated May 21 among members of the DHS Integrated Task Force’s incentives working group, was a precursor to formal incentive recommendations DHS submitted to the Office of Management and Budget June 12.
The DHS recommendations, along with similar recommendations from the departments of Commerce and Treasury, are undergoing an internal White House review (CD July 9 p8). Other incentives included in the study were possible legislation, government subsidies and tax incentives, as well as special government procurement considerations. DHS’s final recommendations on cybersecurity incentives are likely to closely follow the findings in the preliminary analysis; the incentives that appear favored have a limited likelihood of becoming a reality in the near future, said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy Program.
The grants to non-price-regulated industries and the addition of cybersecurity costs in the base rates charged by price-regulated industries were listed as having the highest probability of encouraging industry to adopt the forthcoming Cybersecurity Framework. The grants would include “direct federal funding for investment in cybersecurity products and services for framework owners and operators,” DHS said; the grants could also include existing grants that could be subsequently tied to a company’s adoption of the framework. Including cybersecurity costs in the base rate charged by price-regulated industries would allow those industries to recover the cost of implementing cybersecurity measures, DHS said. It was smart for DHS to separate price-regulated and non-price-regulated industries because “it’s much easier to have price-regulated industries pass along costs, and you have far greater leverage over them from a regulatory perspective,” said Allan Friedman, research director at the Brookings Institution’s Center for Technology Innovation.
The DHS study found that four other possible incentives presented a “second tier” probability of encouraging framework adoption. A “New Cyber SECURITY Act,” described as legislation authorizing new insurance requirements, liability protections and legal benefits, would be moderately effective and would result in moderate cost to the government, the DHS document said. Any new liability protections should be carefully thought through, and may have to be “tied to insurance requirements,” Robert Kolasky, director of the DHS Implementation Task Force, told a House Cybersecurity Subcommittee hearing Thursday. Preferential government consideration in the procurement process for companies that adopt the framework would be moderately effective at “little government cost,” DHS said. Government-subsidized purchases of cybersecurity products and tax incentives for companies that adopt the framework would be “less effective than other cost-sharing incentives and inefficient due to moral hazard with highest government cost,” DHS said.
Four other possible incentives were seen as having the lowest probability of encouraging framework adoption. Allowing the Industrial Control Systems Cyber Emergency Response Team and others to provide prioritized technical assistance to companies that adopt the framework would provide moderate loss avoidance at little government cost, while streamlining information security regulations would provide “ancillary benefits” at little government cost, DHS said. There’s “little evidence” that public recognition of companies that adopt the framework would be an effective incentive, and it has the “potential for unintended consequences such as cyber targeting,” DHS said. There’s similarly scant evidence that requiring public notification about cybersecurity disclosures would encourage critical infrastructure owners and operators to avoid breaches, and such a requirement posed the potential for unintended consequences and “perverse incentives,” DHS said.
The most effective incentives “have to involve money or maybe liability protection,” Lewis told us. “Those are the only real things you could do. And that means they need to either get something like tax cuts or they need to come up with money out of the federal budget to compensate companies for strengthening their networks.” But this is “not a good year to be looking for extra money or tax cuts,” Lewis said. “We can’t even pay the Department of Defense this year. What makes them think they’ll get extra money for cybersecurity?”
The DHS analysis “makes it clear that you can’t do anything without legislation” -- and gridlock on Capitol Hill means that effective incentives “are not in the cards for this year,” Lewis said. “There are no matching cyber bills in the House and the Senate. The bills are too far apart.” Until Congress “returns to a place where people can make deals, we’re not going to see much in the way of incentives,” he said.