Trade, civil liberties groups urge cybersecurity incentives

Incentives, not government mandates, will help drive cybersecurity forward in the U.S., a new paper says

The U.S. government should look to incentives as a way to encourage businesses to adopt better cybersecurity practices, instead of creating mandates, recommends a new paper from four trade groups and a civil liberties group.

Although some cybersecurity experts have called for new regulations, "a more government-centric set of mandates would be counterproductive to both our economic and national security," said the paper, released Tuesday by the Internet Security Alliance (ISA), the U.S. Chamber of Commerce, TechAmerica, the Business Software Alliance and the Center for Democracy and Technology.

U.S. President Barack Obama's Cyberspace Policy Review, released in May 2009, focuses on partnerships between private companies and the government, and recommends that private industry drive cybersecurity standards. Abandoning Obama's review and the National Infrastructure Protection Plan, released in 2009 by the U.S. Department of Homeland Security, for a more regulatory approach would "erode trust," the paper said.

"There is concern ... that new policy initiatives may consider replacing the current model with an alternate system more reliant on government mandates directed at the private sector," the paper said. "This change of direction would both undermine the progress that has been made and hinder efforts to achieve lasting success."

The paper isn't aimed at any specific proposals for more government mandates, said Larry Clinton, ISA's president. But in February, James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, called for the U.S. government to take a bigger role in protecting cyberspace.

"We've had market failure when it comes to cybersecurity," Lewis said in a story at "Security doesn't come out of voluntary actions and market forces."

Lewis wasn't available Tuesday to comment on the new report.

The report wasn't targeted at cybersecurity legislation introduced by members of the U.S. Senate Governmental Affairs and Homeland Security Committee, Clinton added. That legislation would allow the U.S. president to take emergency actions, including possibly shutting down or quarantining parts of the Internet, to protect against massive cyber-attacks, and it would establish a new cybersecurity center at DHS, which would work with private businesses to establish cybersecurity standards.

Regulatory mandates are "clearly part of the discussion," Clinton said. "What we're saying is, that system would be antisecurity. We think that mandates would not be responsive to changes in technology."

Some cybersecurity critics seem to want to blame the technology by suggesting the Internet is broken, Clinton added. "That's not really the problem here," he said. "It's not that the system is a bad system, it's that the system is under attack. The Internet, in normal use, is wonderful -- the problem is when people attack it."

New incentives are needed, he said, because "right now, all the incentives favor the attackers."

The new paper features some ideas that ISA and other groups have talked about in the past, but it offers new analysis and details about some proposals, Clinton said. In addition, the paper represents a "broad consensus" from the five well-known groups, he added.

The paper suggests that the U.S. government could use several incentives to help private companies pump up their cybersecurity efforts. Incentives could include tax breaks, grants, lawsuit liability protections, or eased regulatory obligations as incentives, the paper said. The best approach would be a "menu" of incentives, the paper said.

"The R&D tax credit may be the most attractive option for an IT security vendor, while a defense firm may be more interested in procurement options, and electric utility in a streamlined regulatory environment, or and IT-user enterprise in an insurance discount and risk transfer," the paper said.

The paper echoes the Obama cybersecurity plan in talking about approaching cybersecurity with a risk management perspective. But government and private companies will have different approaches to risk management, Clinton said.

A retail store may lose 10 percent of its inventory to theft, but may realize that it costs more to significantly reduce theft, Clinton said. Government, with a broader focus on protecting U.S. interests, can't take that approach, he said.

Both sides need to recognize the differing perspectives, he added. "There is not one correct statement of what the risk is," he said. "We realize that it may be necessary for industry to move much more toward the government's conceptualization of risk because industry and government are operating on the same Internet."

The paper also recommends a new national cybersecurity research and development plan, with priorities set by the government and private industry. An R&D plan should balance short- and long-term objectives, the paper said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags regulationlegislationJames LewisTechAmericabusiness software allianceInternet Security AllianceintrusionLarry ClintonCenter for Strategic and International StudiessecurityU.S. Chamber of CommerceCenter for Democracy and TechnologyU.S. Senate Governmental Affairs and Homeland Security Committeegovernmentdata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Cool Tech

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

Xiro Drone Xplorer V -3 Axis Gimbal & 1080p Full HD 14MP Camera

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >


Learn more >

Family Friendly

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Stocking Stuffer

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on Good Gear Guide

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?