President-elect Barack Obama needs to take a new approach to cybersecurity, with government providing incentives for private businesses to adopt security measures, a cybersecurity group said.
The Internet Security Alliance (ISA), a cybersecurity advocacy group, called on Obama to abandon the voluntary approach advocated by President George Bush's administration during the last eight years. "The voluntary partnership model of the Bush administration did not work adequately," said Larry Clinton, ISA's president. "However, a centralized set of regulatory mandates will not meet this international and quickly evolving problem, and might even be counter productive."
The Bush administration's 2002 National Strategy to Secure Cyber Space and later efforts contained "no serious attempt" to address incentives needed for private business to invest in cybersecurity, the report said.
Half of all senior executives do not know how much money their companies have lost from cyberattacks, the ISA said. One third of companies in a recent survey don't use firewalls and nearly half didn't use encryption, the group said.
A new ISA report, The Cyber Security Social Contract, released Tuesday, recommends that the U.S. government establish incentives -- tax breaks, small-business loans or lawsuit protection -- for private companies to invest in cybersecurity.
"We are now past the time when government can hope that industry will simply fulfill the role of fully funding cyber infrastructure security," the report said.
It's unclear how much the ISA's recommendations would cost.
The report also calls on the government to set up a comprehensive and "aggressive" cybersecurity education program targeted at senior executives at businesses. And it calls for an extensive program to improve the U.S. government's own cybersecurity efforts, targeted at fixing problems at many agencies receiving poor grades on annual Federal Information Security Management Act (FISMA) reports.
"A substantial government improvement program for all their cyber systems could provide a compelling model for the underachieving portions of industry and provide a platform to drive positive economics for improvements in nongovernment programs," the report said.
The report also lays out the cybersecurity challenges for several U.S. industries, including banking, communications and manufacturing. It asks representatives of those industries to detail what they'd tell Obama about cybersecurity needs.
For example, an unnamed representative of the banking industry said that U.S. cybersecurity "cannot be successfully defended or mitigated against using our current paradigm of thinking."
Instead, companies need better software quality and assurance, protection from lawsuits, a robust cyberinsurance program and better education programs, the banking representative said.
ISA officials said they're confident the Obama administration will be open to the recommendations.
"The good news is that we actually do know a great deal about how to secure our cyber systems," Clinton said. "Independent research and anecdotal reports from information security officials both indicate that as much as 80 to 90 percent of our current problem could be successfully addressed if we simply get people to adopt the security practices that have been demonstrated to work."