The number one incentive driving private sector entities to strengthen their capabilities against cyber attacks is “fear,” the head of telecommunications giant AT&T [T] said Wednesday.
The threat of cyber attacks and their impacts are what “motivates us nonstop” and “just scares the living hell out of us,” Randall Stephenson, chairman and CEO of AT&T, said during a presentation at the White House related to the release of a framework of cyber security standards and best practices. He said that the cyber threat is a “viable risk and exposure to the business, therefore the greatest incentive we can do is making sure people are appropriately fearful.”
Stephenson also said it’s important for his and other companies to be evangelistic in communicating the need for greater cyber security within their companies and to their supplier and customer bases.
Marillyn Hewson, chairman, president and CEO of defense contractor Lockheed Martin [LMT], said she agrees with Stephenson. The two corporate chiefs were joined by Joseph Rigby, the chairman, president and CEO of energy utility Pepco Holdings [POM], who said his industry does well at restoring power after natural disasters and the like but hasn’t “built the muscle yet” around responding to cyber attacks.
Market-based incentives will be the primary driver in bolstering the overall cyber security posture of the nation’s critical infrastructure, which is primarily owned and operated by the private sector, a senior Obama administration official said yesterday during a background briefing introducing the Cybersecurity Framework.
“At the end of the day, it’s the market that’s got to drive the business case for the Cybersecurity Framework,” the official said.
The framework was created through a government and industry partnership during the past year and brings together existing standards and best practices that the private sector can voluntarily adopt to improve its cyber defenses. The framework is also meant to be flexible and adaptable, allowing businesses of any size to use it, while breaking down barriers within companies to enable clearer communication between technical personnel and executives about an organization’s security posture, its risks and how to better manage them.
The government will still have a role in creating incentives. Last summer several federal agencies released a list of potential incentives, some of which will likely require congressional legislation, such as liability protection.
Detailed plans for the incentives that “relevant agencies” have been working on will be made public in the coming months, as will details about how industry can be involved, the senior administration official said. So far these agencies have “refined the scope and path forward for some incentives including technical assistance and process preference, cyber insurance, grants, cost recovery, public recognition, regulatory streamlining and government procurement,” the official said.
Halfway through President Barack Obama’s first term, his administration was largely considering a greater government role in motivating and regulating cyber security defenses, not just for the federal government but also for the private sector. Against a strong backlash from industry, the administration has since taken a more flexible approach built around the Cybersecurity Framework that doesn’t force standards on the private sector.
“For the administration, the goal is not to expand regulation,” the senior official said. “Rather, our goal is to streamline existing regulations wherever possible and to bring those regulations into alignment with the framework.”
This May agencies will “propose prioritized, risk-based, efficient and coordinated actions to mitigate cyber risks,” the official also said, adding that agencies are being encouraged to focus on voluntary programs to support adoption of the framework.
Given that the framework is voluntary, the government may never know how widely adopted it becomes in the private sector, another senior administration official said.
Jamie Barnett, a partner in Venable LLP’s Cybersecurity Practice, described the framework as “being beaten with a carrot.”
While the administration says there aren’t any sticks to compel companies to institute stronger cyber safeguards, companies that wish to contract with the government risk losing federal business if they do not adopt the framework, Barnett suggested.
“That is the new price of poker to do business with the government,” he said.
Despite the administration’s position, Barnett said he wouldn’t rule out future audits of firms to assess their compliance.
“This is going to have the effect of setting a new minimum,” he said. “Not only are they going to have to make sure that their cybersecurity dealings with the federal government match this, but they’re going to have to reach across their whole enterprise.”
Industry may not like the costs of adopting the framework, but Barnett said it will appreciate certainty that comes along with the security standards. Firms will know exactly what they need to do to be regarded as cyber competent and a favorable choice for a contract.
The framework will also generate a security market of firms seeking to design products that fulfill its provisions.
“This is the discussion in essence that the federal government wanted to engender: ‘what is it going to take to get from where we are right now to get to a security market that is built in?’” he said.
Larry Clinton, president of the Internet Security Alliance, said in a statement that the most important development over the past year has been the move away from imposing government mandates toward industry-developed standards and practices that can be voluntarily adopted. He also said more work has to be done to create economic incentives that promote greater use of the framework beyond companies that already use best practices.
“If we don’t make real progress in these areas quickly, all the work that went into developing the…framework will go to waste,” Clinton said.
AT&T’s Stephenson said that the government still needs to develop a sound legal framework that better enables the private sector to share cyber security information with the federal government. He said this information sharing is critical in the long term to improving cyber security, but that “robust protections and indemnification” for industry need to be in place.