President Barack Obama’s plan to get utilities, banks and other essential services to bolster defenses against hackers will be filled with technical standards and guidance on responding to attacks.
One thing will be missing — financial incentives to help pay for computer and network security upgrades — and that could mean many companies decide not to take part in the voluntary program.
“If the framework isn’t cost effective and isn’t supported by incentives, it’s hard to see how it can work on a sustainable basis,” Larry Clinton, president of the Internet Security Alliance, which represents General Electric Co., Boeing Co. and Wells Fargo & Co., said in a telephone interview.
The U.S. plan, scheduled to be released tomorrow, will outline standards that companies providing critical services such as electricity and water can use in preventing hacker attacks that may cripple their networks. Trade groups say inducements such as tax breaks and legal protections are needed to help offset the cost of security upgrades.
Obama issued an executive order last year after failing to get Congress to require companies to better defend their networks. While the order called for incentives, the administration couldn’t work them out in time and some will require legislation or regulatory approval.
“Six months ago the message we were hearing is that incentives were coming,” Robert Dix, vice president of government affairs for Sunnyvale, California-based Juniper Networks Inc., said in a telephone interview. “Virtually nothing has been done to move the needle on any incentives that are going to be economic motivators for investments.”
Companies and government agencies spent more than $88 billion in 2013 on cybersecurity, more than double the $40 billion spent in 2006, according to research conducted by the Ponemon Institute based in Traverse City, Michigan.
The attack on Target Corp.’s payment processing system through a vendor shows that small and medium-sized companies might be used to begin attacks, Larry Ponemon, chairman and founder of the Ponemon Institute, said in a phone interview. They may not be able to afford to improve network security without incentives, Ponemon said.
“Companies are between a rock and a hard place,” he said. “A lot of very small companies are very attractive to cyber criminals because they will use that small company as a staging ground to larger companies.”
While the administration’s National Institute of Standards and Technology developed the framework with industry, it left out incentives. The Homeland Security Department will develop a program to encourage participation in the framework.
Companies need legal protections for sharing digital threat information with each other and the government, said Marillyn Hewson, chief executive officer of Bethesda, Maryland-based Lockheed Martin Corp., which sells cybersecurity services to companies and governments.
“The threats are very significant and can be hugely devastating for a company, whether they lose their intellectual property or their systems are shut down and they can’t perform their functions,” Hewson said at a Bloomberg Government breakfast yesterday.
An attack can open up a company to lawsuits from customers, partners or other parties.
Utilities might want to be authorized by regulators to raise rates in order to help pay for higher security spending, Scott Aaronson, director of national security policy for the Edison Electric Institute in Washington, said in an e-mail.
Banks want to be protected from lawsuits if they follow the framework and still encounter an attack, as well as tax incentives and discounts on cybersecurity insurance, Doug Johnson, vice president for risk management policy at the American Bankers Association in Washington, said in a telephone interview.
No decisions have been made on incentives and some are easier to do than others, Michael Daniel, White House cybersecurity coordinator, said in a phone interview.
The administration might be able to quickly come up with a way to publicly recognize companies that embrace the framework, which would represent a sort of federal seal of approval, Daniel said. Linking federal grants to improved cybersecurity also might be possible in the near term, he said.
Allowing utilities to recover costs through higher rates may be more difficult because it probably requires actions by state legislatures or regulators, Daniel said.
“The primary driver behind getting companies to use the framework is really going to have to be the market dynamics,” Daniel said. “This is about risk management. The framework is designed for companies to take a look at where they are currently and where they should be with regard to their cybersecurity posture.”
Honeywell International Inc., the technology and aerospace company based in Morris Township, New Jersey, “generally supports non-financial government incentives that establish a legal framework with limited liability, antitrust, and other protections for companies that share threat information and to ensure appropriate privacy protections,” Robert Ferris, a spokesman, said in an e-mail.
Intel Corp., the world’s largest chipmaker, and Sempra Energy, an energy-services holding company based in San Diego, also submitted comments to NIST calling for incentives.
Ann Beauchesne, vice president of national security and emergency preparedness for the U.S. Chamber of Commerce, said in an e-mail that companies “need certainty that threat and vulnerability information voluntarily shared with the government will not lead to frivolous lawsuits, will not be publicly disclosed, and could not be used by officials to regulate other activities.”
Breaking down legal barriers that impair information sharing will require congressional legislation, Daniel said.
That’s unlikely anytime soon. Many lawmakers are outraged at the reach of National Security Agency spy programs exposed in documents leaked by former government contractor Edward Snowden and may be reluctant to approve bills that would give the government more visibility into what’s happening on private networks.
“There’s been no question that the unauthorized disclosures have made life a lot harder for promoting things like information sharing,” Daniel said.
Homeland Security Secretary Jeh Johnson said in a February speech that Congress should move forward on cybersecurity legislation and that the administration could support “some form of limitation on potential civil liability for private sector entities.”
The executive order called for incentives to encourage use of the framework. Agencies issued recommendations in August that included legal protections, tax breaks, streamlined regulations and preferential treatment for federal grants and contracts.
One of the most important incentives for companies “is the assurance that the cyber framework will remain collaborative, flexible, and innovative in the long-term,” Beauchesne said. The Chamber is the nation’s largest business lobby and led opposition to legislation that would have created cybersecurity mandates.
The Washington-based Information Technology Industry Council, which represents technology companies like International Business Machines Corp. and Symantec Corp., said companies will find the framework useful even if incentives are still months or years away.
“While incentives might not be immediately available, they certainly warrant serious consideration,” Danielle Kriz, the council’s director of global cybersecurity policy, said in an interview. “We need to pinpoint options that are workable, that fill identified gaps, and that do not create unwieldy, compliance-based programs that undermine the voluntary nature of the framework and the program.”