7/31/2019 2009 07 00 Author Unknown CSCSWG Incentives Presentation
1/24
Start with National Strategy to Secure Cyber Space 2002
National Strategy proposed private sector would see ROI (e.g. business efficiency etc.) in investing in cybersecurity.
So market forces would efficiently evolve and solve --- no incentives in Nat Strategy
2009 we have bigger problem w/ cybersecurity including national security issues
Therefore there has been a market failure in cybersecurity
2/24
Lack of Cyber Investment is not the result of Market Failure
Efficient Market Hypothesis (popular early '80s - first half of this decade) says markets act rationally as proven by math models
Hence private sector should see the wisdom and efficiently invest in cybersecurity
Efficient market has been replaced by Behavioral Economics
Behavioral economics holds that markets are affected by non-rational actions and require actions to move them e.g. incentives & regulation
3/24
Cyber Security Fits into Behavioral Economics
Market has worked to improve cybersecurity --- just not efficiently (i.e. not 100%)
Nat Security is not a Priv. Sector Goal hence investment is not efficient (or sufficient) to fully meet National Security demands
Cyber systems are not broken --- they are under attack, i.e. affected by independent behaviors
Goal of cyber attack may not be point of vulnerability exploited, hence insufficient market incentive at point of initial attack
4/24
Goals: Based on Comprehensive National Cyber Initiative (Proj. 12)
Recommend a set of incentives, across all Critical Infrastructure and Key Resources (CIKR) sectors, to drive improvement in the private sector's cybersecurity posture where market forces alone yield an insufficient value proposition
5/24
Obama Cyber Space Policy Review
Action Plan Item 14: Refine government procurement strategies and improve market incentives for secure and resilient hardware and software products, new security innovation and management services.
6/24
Obama Cyber Space Policy Review Action Plans
Action Plan Item 2: Prepare an updated strategy to secure information infrastructure. This strategy should include continued evaluation of the Comprehensive National Cyber Initiative (CNCI) activities and build on its successes.
7/24
Obama Cyber Space Policy Review
The government should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability indemnification, tax incentives, new regulatory requirements and compliance mechanisms.
8/24
CSCSWG Process & Findings
Began bi-weekly meetings in February
Concluded: The Government can, through the adoption of incentives, change the value proposition for companies and encourage the broad adoption of sound cybersecurity practices across all CIKR sectors.
Different incentives may be appropriate for different sectors --- or businesses
Research shows existing practices can produce dramatic improvements in cybersecurity
9/24
Macro Issues to be Addressed
Are there behaviors that deserve to be incented?
How do we decide what is to be incented?
Is there a role for regulatory bodies in this process?
What should the incentives be?
How do we monitor compliance?
10/24
Who determines and role for Regulators
Incentives ought to be available to proven techniques as determined by:
Federal regulators; or
Recognized standards setting organizations (NIST/ANSI/ISO etc.); or
Accredited security certified or self regulatory organizations such as PCI/NASD/insurance
11/24
High Recommend / Recommend / Consider / Not Recommended
BASED ON
Cost (money/people/time etc. to develop and implement)
Breadth of Impact
Depth of Impact
Immediacy and duration of impact
Negative effects of adoption
12/24
High: Tie Fed $ to adopting proven practices/standards and tech
Pros: low cost to companies / no sig impact on fed budget / quick impact / evolve test for compliance as $ is renewed / reach beyond CIKR
Cons: Administrative to determine what qualifies / Requires coordination across govt / possible budget increase if expanded
13/24
High: Develop Cyber Insurance
Pros: Insurers will require adequate security because their money is at stake / private sector compliance testing saves govt. $ / Can quickly evolve requirements to meet new threats / offsets govt. risk in major event / distributes risk broadly
Cons: Market needs development (but data now available). May require initial Govt. revolving fund as w/ crop and flood insur. Must be perceived business case for buyers
14/24
Leverage Purchasing Power of Fed Govt.
Pros: Increases security in high value systems / Builds market for baked in security, thus lowering costs for others. Makes US a positive example
Cons: Will increase cost to govt. / Could push out otherwise qualified suppliers / Requires changes to FAR and DFAR / Need inter-agency support
15/24
High: Create Cyber Safety Act
Pros: Already a successful program for physical security (provides marketing and insurance benefits). Builds on Govt. certification. Would drive development and acceptance of new technologies & practices keeping up with threat. Inexpensive
Cons: Need to amend current SAFETY Act. Must develop cyber based certification procedures w/in DHS
16/24
Recommend: Link Cybersecurity to small business contracts/loans
Pros: Address a critical undersecured area. Low cost. Fits with overall education objectives
Cons: Could raise cost of loans/contracts / Requires broad inter-agency buy in / requires changes to FAR and DFAR
17/24
Recommended: Liability reform and safe harbors
Pros: Appeals to the highest levels of business. Encourages innovation. Rewards good actors. Reduce costly litigation. Virtually no economic cost. Can provide various levels of protection for levels of security
Cons: Assessing liability is difficult. Possibly politically difficult. Govt. or private system to certify needs to be created
18/24
Recommend: Grants for Cyber R&D
Pros: Reduce cost to private sector for developing and deploying technologies. Allows Govt. to target R&D money. Pushes game changing technologies.
Cons: Increased spending / Questions as to if this is proper role for govt (competing with private sector) and if it is cost effective
19/24
Recommended: Direct funding for Cyber R&D
Pros: Reduce cost to private sector for developing and deploying technologies. Allows Govt. to target R&D money. Pushes game changing technologies.
Cons: Increased spending / Questions as to if this is proper role for govt (competing with private sector) and if it is cost effective
20/24
Consider: Tax Incentives
Pros: Lowers cost of improving security / relatively immediate impact / can be adapted to size and needs as they change / broad reach.
Cons: Costs would be high / Questionable cost effectiveness / political difficulty / new govt. auditing.
21/24
Consider: Streamline Regulation
Pros: Focus on security as opposed to compliance / increased clarity reduce costs for industry increasing compliance / Eliminate confusion
Cons: Difficult to align multitude of laws / Would changes be significant enough to improve security / push back from states & locals. Could create a low ceiling
22/24
Consider: Awards for Cyber Security
Pros: Consistent with education/awareness theme / low cost / provides market orientation (Baldrige)
Cons: Questionable impact / Create new targets / difficulty in setting criteria for awards
23/24
Consider: Include Cybersecurity in regulatory base
Pros: Captures true cost of service / allows ratepayers to determine market value for cybersecurity
Cons: Strict rate base regulation is largely outmoded / new technologies such as VOIP don't fit well into rate base criteria / Most such determinations are at state & local level requiring education of regulators
24/24
Not Recommended: Mandating Standards
Pros: Easily adapted to regulated sectors / Establishes minimum criteria / promotes certainty and clarity / Can act fast
Cons: Current standards have low compliance / Compliance is often check the box w/ no link to improved security / costly for govt. and industry / fails to keep pace w/ tech and threats / limited scope / politically weakened / would drive business offshore / provides floors when we need ceilings