Carrot or stick on cybersecurity?

Interesting post from GovInfoSecurity.com’s Eric Chabrow a couple of days ago, in which he borrows some conclusions from a Frontline documentary on the airline industry called “Flying Cheap” and applies them to the current debate about the best way to get critical infrastructure providers — especially those in the private sector — to implement and follow better security practices. Broadly speaking, there are two methods the government could use to effect changes in cybersecurity approaches: regulate or incentivize. A possible third option is closer collaboration between public and private sector organizations, but partnerships of that sort tend to fall into the “incentive” category, even if the incentives offered aren’t monetary.

The path of cybersecurity regulation has precedents in both the government (FISMA) and the private sector (HIPAA, GLBA, Sarbanes-Oxley) but regulations in force are applied narrowly by industry and do not at present address most critical infrastructure providers, whether in telecommunications networks, SCADA, or public works. Even with well-defined applicability, legislating security requirements often gets bogged down in the details, resulting in rules that say what you should do, but not how to do it effectively. This doesn’t mean that the government isn’t working on new and revised security regulations — there are in fact multiple concurrent and sometimes overlapping legislative efforts pending in Congress — but if history is any guide, these will not be sufficiently explicit or detailed to raise the bar across the board. The alternative approach of providing incentives to companies to improve their security has more proponents in industry than in government, although the Cyberspace Policy Review commissioned by the Obama administration and released in May 2009 tends to favor incentives over mandates. No advocate of an incentive-based approach has been more visible or vocal than the Internet Security Alliance’s CEO Larry Clinton, who has been pushing this point since at least the 2008 presidential election.

The lesson learned from the airline industry and its legally mandated safety regulations is that complying with regulations, even when it’s in the best interest of customers, costs money and has an impact on the corporate bottom line. For organizations that may have their priorities arranged more for business drivers than for achieving the outcomes sought by regulation, some consideration ought to be given to positive compliance incentives (and not just potential penalties for non-compliance). The administration has its own example to follow in the Recovery Act and follow-on funding devoted to providing financial incentives for adoption of health information technology; the motivation switches from incentive to penalty after 2015, but the emphasis in making the new technology pervasive is positive incentives.