[ISN] Cybersecurity group calls for new government approaches

From: InfoSec News (alerts@private)
Date: Wed Apr 11 2007 - 23:09:57 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9016298

By Grant Gross
April 11, 2007 
IDG News Service

The U.S. government should explore new incentives for companies to 
invest in cybersecurity instead of focusing on regulation, a 
cybersecurity trade group said.

The Internet Security Alliance (ISA), made up of IT vendors and 
customers, called on the government to abandon old regulatory approaches 
in favor of incentives such as cybersecurity insurance, awards programs 
and caps on legal liability for companies that adopt cybersecurity best 
practices.

The alliance, in a white paper [1] released Wednesday, said legislation 
that requires the government to create cybersecurity standards, 
including the Improving America's Security Act passed by the Senate in 
mid-March, takes the wrong approach. The Improving America's Security 
Act would authorize the Department of Homeland Security to develop 
standardization and certification programs for critical U.S. 
infrastructure, including the Internet.

"That approach will not work ... due to factors within the Internet 
itself," said Larry Clinton, president of the ISA. "The Internet is 
inherently international, it changes much too quickly, and it's under 
constant attack."

By contrast, a regulatory approach would be limited to U.S.-based 
divisions of companies, and it's slow to react to new threats, Clinton 
said.

Instead, the government should encourage companies to invest in 
cybersecurity and adopt best practices already outlined by a number of 
private organizations, he added. Incentives that reduce costs would help 
companies get over the attitude that investing in cybersecurity is a 
"cost center," he said.

"Government regulations can't keep up with Internet threats, but the 
profit motive can," Clinton added.

The incentives outlined in the ISA white paper could encourage companies 
to invest in cybersecurity not only in their U.S. divisions but also in 
their foreign ones, Clinton said.

Among the proposed incentives:

* Companies following best practices should be able to buy additional 
  insurance for cybersecurity-related events. Some companies have 
  deferred investments in cybersecurity because they are concerned that 
  they aren't protected from liability, the white paper says.

* The U.S. government should limit legal liability for companies 
  following best practices.

* U.S. government agencies should set cybersecurity standards in their 
  procurement practices, creating new business opportunities for 
  companies that follow best practices.

* The U.S. government should establish an awards program recognizing 
  companies with strong cybersecurity programs.

"What we need to do is get more people to adopt [best practices]," 
Clinton said. "These investments are not being made aggressively 
enough."

The ISA is not calling for fewer penalties for cybercriminals or fewer 
consumer protection laws, Clinton said. "We're not saying, do less," he 
said. "We're saying, do more."

The ISA is a collaboration of the Electronic Industries Alliance and 
Carnegie Mellon's CyLab and works closely with the CERT Coordination 
Center. ISA helps organizations in several industries develop best 
practices in Internet security.

[1] http://www.isalliance.org/content/view/92/229

