“[When it comes to cybersecurity,] what you are dealing with here is the invention of gunpowder. Mandating thicker armor won’t work just like building broader moats didn’t stop invaders who had invented catapults . . . .
“[Accordingly,] trying to use 19th and 20th century models and federally regulating the Internet will not be effective. We need a much more contemporary and creative approach wherein the private sector is engaged, not controlled by our government partners.”
– ISA President Larry Clinton’s February 8, 2012 testimony before the House Energy and Commerce Subcommittee on Communications and Technology, before describing ISA’s alternative approach known as the “Social Contract.”
Much like the need for universal utility service a century ago, there now exists a universal need for cybersecurity. Recognizing this parallel as well as the parallels in encouraging private sector investment beyond that which is business justifiable, ISA proposed the Cyber Security “Social Contract.”
The ISA “Social Contract” model, much like the utility model a century before, recognizes that market incentives, not centralized government regulations, are the key to spurring private sector investment.
In 2008, ISA published its first Cyber Security “Social Contract.” Then, in 2009, following an in-depth study by the National Security Council Staff, the Obama Administration released its “Cyberspace Policy Review.” This document’s Executive Summary both began and ended by citing the ISA Cyber Security “Social Contract,” and, like the “Social Contract,” urged the government to look into the development of market incentives as a means to advance cybersecurity.
The ISA Cyber Security “Social Contract 2.0,” which provided an outline for implementing the President’s market incentive recommendations, followed in 2010.
In early 2011, a coalition of 5 industry and civil liberties groups – ISA, the U.S. Chamber of Commerce, TechAmerica, the Business Software Alliance (BSA), and the Center for Democracy and Technology (CDT) – adopted a similar set of recommendations.
That same year, in October 2011, the House Republican Cyber Security Task Force released its cybersecurity report, which largely mirrors the ISA recommendations. Its very first recommendation, that Congress develop a “menu of market incentives tied to the voluntary adoption of cyber security measures,” is taken almost verbatim from ISA’s “Social Contract” and “Social Contract 2.0.”
In addition to adopting this core tenet, the House Task Force also included a number of other ISA “Social Contract” policy suggestions as part of its recommendations, such as:
- The notion that regulation cannot keep pace with technological change;
- The realization that no one set of cybersecurity standards will apply equally across industries or even businesses;
- Streamlined regulation, licensing, and permitting as an incentive;
- Exploration of mechanisms to promote the usage of cyber insurance;
- Tying taxes and grants to adoption of cybersecurity best practices and measures; and
- Limited liability for good actors.
This approach has taken hold; the House has already begun to incorporate these recommendations into legislation. For example, the Rogers (R-MI) – Ruppersberger (D-MD) Bill, passed on a bipartisan vote of 248-168, utilizes liability incentives to encourage sharing of information among and between industry and government.
Moreover, following subsequent ISA testimony, the House Energy and Commerce Subcommittee on Communications and Technology formed a bipartisan task force to examine the usage of market incentives in enhancing cybersecurity. On June 19, 2012, Subcommittee Chairman Greg Walden (R-OR) met with the ISA Board and asked its members to help in developing this construct so that additional legislative action in this direction will be ready for the new Congress.
This same year, the World Institute for Nuclear Security (WINS) has begun examining how to implement this “Social Contract” model globally for the nuclear industry.