Market Incentives Legislative White Paper

Introduction

The Internet Security Alliance has consistently advocated that the United States federal policy should endorse providing incentives to companies in the private sector to develop and maintain effective internet security programs and infrastructure.

Anchor Principles

Consistent with previous Internet Security Alliance work, including through coalition vehicles such as the Corporate Information Security Working Group, the “Wye II” process, the National Infrastructure Protection Plan (“NIPP”) process and the various Sector Coordinating Councils in which Internet Security Alliance members participate, the following principles serve as the policy anchors for a proposed legislative framework for the incentives advocated by the Internet Security Alliance:

  • The Federal government must recognize that the Internet is a distinctive, inherent part of our national infrastructure.  Due to the interdependence and reliance of the entire economy and government on the Internet for communication, commerce and homeland security, the Internet deserves a continued priority and attention in national homeland security initiatives and preparedness activities.

  • The Federal government should advance homeland security preparedness through reliance on existing published standards and best practices, and defer to the private sector to continue to invest in and develop appropriate general and industry-specific standards for improved security. 

Specific Incentive Recommendations and Benefits

Based on the preceding principles, the Internet Security Alliance recommends the following specific incentives, together with an explanation of the benefits each incentive offers: 

  • Establish a mechanism which will enable companies that adopt standards-based information security programs or best practices to be qualified to receive the specified incentives (“Qualified Companies”). 

Analysis

The availability of incentives requires some type of baseline as a criterion to be met for the incentives to be available.  The ISA has long advocated that private sector standards and best practices are already in place that can be adopted by DHS as a basis for incentives, rather than engaging in the development of new regulatory standards.

  • Qualified Companies should be able to acquire additional cyber-security insurance to cover losses arising from CINS-related catastrophic events, and limit their liability to third parties to the amount of that insurance.  The amount of the insurance acquired must be reasonable in order to qualify for the limited liability.

Analysis

Many companies defer investments in improved security out of a concern that, even with improved security, they are not protected from liability for losses that occur despite the quality of their security controls.  Businesses are encouraged to invest in becoming Qualified Companies when they are offered the protection that is provided by a) assuring the availability of insurance to cover losses from CINS-related catastrophic events and b) limiting their liability to the amount of insurance that has been obtained.

The principles of limiting liability to encourage improved homeland security are similar to the structures used to induce new homeland security technologies under the SAFETY Act which was enacted as part of the Homeland Security Act of 2002.  By contrast, S.4 provides no economic incentives to encourage corporations to invest in security preparedness that may be standards-based in nature.

  • To support the preceding insurance market, the Federal government should create within DHS a national program for temporary, short term reinsurance, through which insurers may purchase reinsurance coverage for their exposure to CINS-related catastrophic losses under policies issued to Qualified Companies. 

Analysis

Insurance carriers have been reluctant to create a vigorous marketplace for cyber-security insurance. The chief reason is that the insurance companies lack sufficient experience with cyber-terrorism to effectively evaluate the overall risks in order to determine effective premium levels, particularly for CINS-related catastrophes. 

The proposed establishment of a reinsurance program provides underwriting for the insurance companies.  In the event that losses incurred by the purchasing insurance carrier exceed its reinsurance deductible, the insurer would be entitled to coverage under the reinsurance agreement with the Federal program.  The program administrator would have the right to increase future reinsurance premiums as deemed necessary to accomplish a revenue-neutral goal.  Over time, the program could be sunsetted as the insurance market gains experience with cyber-security coverage.  This solution is similar to Federal legislation that enhances the airline transport industry.


  • Qualified Companies with appropriate insurance will also have litigation-related incentives available, excluding liability for consequential and punitive damages and limiting their liability for non-economic losses. 

Analysis

Similar to the incentive provided by a limitation on losses to the available insurance, the limitation of liability for consequential and punitive damages, and limited liability for non-economic losses removes a serious inhibitor to information security investments—i.e., the risk of losses for which responsibility is assigned notwithstanding a company’s good faith investments in adequate information security.  Eliminating that inhibitor encourages a more secure preparedness, company-by-company.

  • Create, in connection with privacy reform legislation (such as uniform breach notice laws), a Federal limitation of liability for Qualified Companies that would limit their liability for breaches of personal information that occur notwithstanding their use of standards-based security and best practices.

Analysis

Information security is closely associated with privacy protection.  Many companies otherwise eligible to be Qualified Companies have large volumes of personal information requiring protection under various Federal and state laws.  Those companies will not be motivated to move forward with their cyber-security investments if they are still exposed to liability when breaches occur notwithstanding good security practices.  As a final piece of the litigation-related incentives, this incentive eliminates the inhibitor of continued privacy-related liability for Qualified Companies.

  • Establish Federal Acquisition Regulations (FARs) and other legal frameworks through which private sector companies do business with the United States government that require the agencies to specify published standards and best practices as required elements for any contract relating to information security, data protection or similar services. 

Analysis

On many occasions, the Federal government has employed its influence as a major purchaser from the private sector to encourage companies to develop and implement improved business practices.  Establishing criteria tied to providing services to the government offers new market opportunities to Qualified Companies and, in doing so, provides strong economic incentives for them to improve their cyber-security.

  • Establish a “Baldrige Award” for information security quality and excellence, coordinated with specific industry organizations to develop and create awareness of information security as a competitive differentiator.

Analysis

The Malcolm Baldrige Award by the US Department of Commerce has become a cherished recognition of excellence in the marketplace.  A similar program, perhaps recognizing information security excellence within industry sectors, will greatly increase awareness of the value of information security and its function as a competitive differentiator, thereby encouraging new investments.

  • Create and fund an industry/government/university consortium to stimulate the needed research, development and adoption of security protocols that can, in turn, stimulate improved technologies for adoption across the private sector and government computer systems. 

Analysis

In the late 1980s, the Federal government provided matching funding to create an industry-government cooperative consortium that collaborated in accelerating solutions to common manufacturing problems in semiconductor production (SEMATECH).  This successful model revitalized the U.S. semiconductor industry and continues to generate industry leadership and innovation long after Federal funding was voluntarily terminated by the consortium.

A similar program today will enable government, academia and industry to work together to replace today’s security-poor Internet protocols with security-rich protocols.  Those protocols can enhance the quality and integrity of the hardware devices, switches and other components from which the Internet is constructed.