Cyber Security Social Contract

ISAlliance President Larry Clinton and Board Members Mike Hickey, Vice President, Government Affairs and National Security Policy at Verizon; Tim McKnight, Vice President, Chief Information Officer at Northrop Grumman; Joe Buonomo, President of Direct Computer Resources; Dr. Sagar Vidyasagar, Executive Vice President, Advanced Technology at Tata Consulting Services; and Marc-Anthony Signorino, Director of Technology Policy at the National Association of Manufacturers (pictured right to left) released a report advising the Obama administration and the 111th Congress on a twenty-first-century model for protecting and defending critical technology systems and information.

The social contract ISA is proposing is based on the agreement between government and the utilities in the early 20th century, which had the goal of providing universal phone, power and light service to Americans. That model worked. In the early 1900s the government realized that there would be enormous public benefits to universal utility service, ranging from economic development to enhanced public safety. Policy makers understood that much of the needed infrastructure development would be undertaken thanks to the market incentives inherent in providing these services. However, government also realized that these natural market incentives would not extend to the entirety of the population. Moreover, policy makers realized that it was completely impractical for the government either to fund the infrastructure enhancements needed for universal service itself or simply to mandate that it be done.

In an enlightened and pragmatic move, government struck a deal with the utilities. The utilities guaranteed to make the infrastructure upgrades necessary to provide universal service. In return, government essentially guaranteed a return on the required private investment economically sufficient to make the investments good business decisions. The utilities maintained the investments over time because they were also provided exclusive franchises for the service area. In this instance government harnessed the power of private investment to achieve vital social goals, which had the added benefit of stimulating greater economic growth. Meanwhile, consumers were protected by the requirement to provide service at government-regulated rates.

A similar model can be developed for cyber security. The necessary infrastructure improvements, technical and otherwise, can be addressed through incentives for private investment, while the cyber-related consumer protection items (SPAM/personal identity) are addressed by regulation. While not identical, the parallels with respect to cyber security are striking. As with public utility service, cyber security cannot be provided directly by the government. As with utility service, many companies do an excellent job with information security as required by their business plans. As with public utility service, the inherent market incentives are insufficient to provide the breadth of security required by the public's compelling national economic and security interests.

A voluntary system will not provide adequate market incentives to accommodate the public interest and, due to the global nature of the Internet, a federally mandated system will not work either. A social contract wherein government provides incentives for the private sector to make cyber security investments that are not justified by current business plans is a pragmatic alternative.

This ISAlliance report outlines what the Internet Security Alliance Board of Directors believes are the most serious problems facing the nation with respect to cyber security in several critical sectors. It identifies what the government can best do, both long and short term, to address these needs and specifies a series of steps the new Administration and Congress can take toward establishing a coherent, pragmatic, effective and sustainable system of cyber security.

