Options for incentivizing private-sector cybersecurity


Less than a week into office, President Donald Trump was working on an executive order to address cybersecurity, highlighting the new administration’s early focus on shoring up the nation’s persistent vulnerabilities.

Leaked draft documents – first from the Washington Post, a second from the White House and a third through former Homeland Security Deputy Assistant Secretary Paul Rosenzweig – proposed a three-pronged approach, including: 1. Review of cyber vulnerabilities, 2. Review of cyber adversaries, and 3. Review of cyber capabilities.

In addition, the first leaked order called for a report on “Private Sector Infrastructure Incentives.” The goal would be to report on “options to incentivize private sector adoption of effective cybersecurity measures.” The order called for the initiative to be co-chaired by the Secretary of Commerce, Secretary of the Treasury, Secretary of Homeland Security and Assistant to the President for Economic Affairs.

Cybersecurity is a unique policy challenge because over 80 percent of U.S. information technology infrastructure is owned and operated by private entities, according to former CIA Director John Brennan. Yet cybersecurity vulnerabilities in these systems, networks and products could have national security implications.

Past administrations have been reluctant to regulate cybersecurity. Meanwhile, many businesses have been slow to recognize emerging cyber threats and to implement proper safeguards. The U.S. government itself has been the victim of multiple high-profile cyberattacks.

Trump’s first draft follows a similar initiative undertaken by the Obama administration to explore ways to incentivize the private sector to adopt better cybersecurity, as laid out in an August 2013 blog by Michael Denton, then-special adviser to the president and cybersecurity coordinator.

Historical options for incentivizing the private sector to beef up cybersecurity range from tax credits and grants to cyber insurance and streamlined regulations. To date, no administration has succeeded in rolling out a comprehensive package.

Jonathon Hauenschild, director of the communications and technology task force at the American Legislative Exchange Council, said Trump’s draft order poses several challenges.

“Definitions of terms in the draft order are quite unclear,” Hauenschild said. “Given the lack of clarity, the second policy challenge is to identify examples of inducements or incentives.”

Hauenschild suggests several options that could be considered, including “[tax] credits for physical infrastructure — spending on newer, more secure servers or the latest firewalls — and credits for investing in personnel, whether hiring cybersecurity contractors or in-house.”

Hauenschild also said he saw the possibility of grants focused on education or workforce retraining.

“That is to say, grants or tax credits to incentivize companies to invest in cybersecurity educational programs at local schools, whether high school, collegiate or trade schools,” he said.

A second concern, Hauenschild said, is the order’s lack of inclusion of private sector stakeholders in the report process. While the report “permits” various participants, “it neither mandates such consultation nor does it provide the private sector a seat at the table,” Hauenschild noted. “Without permitting private sector stakeholders to have a seat at the table, the report risks including mandates and incentives that will act contrary to the stated goal of ‘employing the full spectrum of our capabilities to defend U.S. interests in cyberspace,’” Hauenschild warned.

Separately, the Trump administration is working on an order to modernize government information technology. The administration emphasized that agency heads will be held accountable for their organization’s cybersecurity.

Modernizing federal IT was also a goal former President Barack Obama’s administration set out to achieve with the Modernizing Government Technology Act (MGTA). MGTA passed in the House last September but stalled in the Senate.