White House Tackling the Economics of Cybersecurity

GovTechGuy writes "White House Cybersecurity czar Howard Schmidt will be hosting a meeting Wednesday with the Secretaries of DHS and Commerce in which he is expected to discuss the administration's new attempt to change the economic incentives surrounding cybersecurity. Right now, launching attacks on private companies is so cheap and relatively risk-free that there's almost no way that industry can win. The White House could be considering things like tax incentives, liability and insurance breaks, and other steps to try and get companies to invest in protecting their networks. It's also likely to dovetail with a step up in enforcement, so hackers be wary."

Re:

[Jawnn]

You mean like how, last year, they lowered taxes for most Americans for the first time in generations? May I suggest that you find a better source (several would be good) for your information about how your government operates?

Re:

[mldi]

Define "lowering" taxes. Are you considering the total tax burden, or just personal income tax? Yeah, I thought so.

Also, "lowering" taxes doesn't do any good if you don't cut spending, anyway.

Insurance?

[Monkeedude1212]

I mean, an insurance company won't insure your house if you don't put a lock on the door, so why should anyone care for cyber-security if a company doesn't take any measures to protect itself?

If you've got a network worthy of necessary security, it's not that hard to set up a linux firewall between your router and your gateway.

Re:

[MrEricSir]

So we should have insurance for security breaches? How would that even work?

Re:Insurance?

[Monkeedude1212]

I wasn't suggesting that - but it seems like we're paying people to try and lock their door, I don't remember any Tax break for putting locks on my door, even if my house was filled with other people's personal info.

So, if an Insurance company won't insure someone because they don't put forth the effort to show they even want their stuff protected, why should Tax payer dollars support people who never cared to protect it in the first place?

As an optional incentive, it seems pointless. Corporations will claim they set up security in order to save on taxes.

Re:

[ubrgeek]

> I don't remember any Tax break for putting locks on my door,

We get a break on our insurance for having an alarm on the house. And some insurance company's commercial says they'll give you cash back or a discount or something for having an accident-free driving record.

Re:

[stanlyb]

So, are the Insurance Companies going to be the FIRST ones with enforced door locks???

Re:

[Haffner]

Why should anyone care? Because that company is not the only victim if their weak network becomes compromised. Their customers are at risk, and likely won't ever know what happened to their compromised data. Also, hacked company networks could be used to run botnets. The company at fault is rarely the only victim of lax security policy.

Re:

[shentino]

That's called liability insurance.

fix the banks

[Lord Ender]

The major targets of hackers these days are financial in nature: account numbers or systems authorized to perform wire transfers.

The real solution to security is not to give companies more incentive to secure their information, but to give hackers less incentive to hack. Make a standard, PKI-based, government-regulated solution for financial transactions. Require that all transactions be digitally signed by smart cards, for example. Ensure that someone possessing your account numbers or even your passwords could not use them to transfer money from your account.

It sounds like they are going after the wrong incentives right now...

Re:

[naz404]

How about government need to start nationwide cybersafety campaigns to be taught in schools, offices and governments? This would go a long long way in stopping cybercrime, malware and tons of shenanigans and would be cost-efficient in the long run.

Re:fix the banks

[shentino]

ZOMG MARK OF THE BEAST MARK OF THE BEAST!!!1!!

Seriously, do you know how many tin foil hatters would scream bloody murder if the government even tried something like that?

Re:

[stanlyb]

What? You wanna every single individual to have secure, encrypted and independent communication channel??? Just forget it, in fact, the government wants you to be scared and afraid, and thus more "manageable".

Re:

[PopeRatzo]

the government wants you to be scared and afraid, and thus more "manageable".

The "government" only wants what the corporations that own it tell it to want.

You talk about the government as if it was some kind of independent entity that exists outside of the power-bubble of transnational corporations. Since at least 1980, there has not been such an entity.

Re:

[MoeDumb]

Moreover, any czar clueless enough to suggest 'tax incentives' (cuts!) will find himself spending more time with his family before the week is up.

Simpler Fix

[copponex]

Require banks to pay for every single breach that is their fault. Right now, it's the merchants who get screwed. If someone walks into one of the retail outlets I consult for with a fake ID, matching fake credit card, and walks out with the merchandise, 9 times out of 10 there is some obscure rule that wasn't followed that will allow the cardholder to get their money back, and the bank to get their money back, leaving the merchant with the option to take cash only or take the hit and continue doing business. "Cybercrime" -- or as I like to call it, 21st Century Crime -- only gets worse from here.

This is free market capitalism at it's finest, where the costs always find their way to the entity with enough money to pay the bill, but not enough to fight the system that forces them to pay. Unfortunately, the government not giving two shits about small businesses has been old news for some time. Hopefully people are going to wise up and realize that you don't do away with the government, just the lobbyists and corporate revolving door that is currently ruining it.

Re:

[PopeRatzo]

Require banks to pay for every single breach that is their fault. Right now, it's the merchants who get screwed.

Well, of course it's not going to be the banks that get screwed. Since September of 2008, we've seen the US government raid the treasury and borrow a couple of trillion dollars just to protect banks from having to face the losses arising from their own greed. The corporate holding companies that own banks are the government. It's never, ever going to be the banks that are responsible for their

1st step

[naz404]

First things first. I propose that the U.S. government tap the creative forces of the 4chan [4chan.org], worth1000 [worth1000.com] and Fark [fark.com] Photoshop communities for a cost-effective and highly creative solution to replace the godawful uninspiring motivational posters being distributed by the United States Office of the Director of National Intelligence, Office of the National Counterintelligence Executive [ncix.gov] :

Check 'em out here: http://www.ncix.gov/publications/posters/index.html [ncix.gov]

"ONCIX does not provide printed copies of our posters. These materials are NOT copyrighted, and you are welcome to download, print, and disseminate our posters freely to promote greater counterintelligence awareness."

Re:

[Haffner]

If 4chan were satirizing spy posters, I think that those would fit right in.

Re:

[Kvasio]

why?

I liked http://www.ncix.gov/images/publications/posters/hanssen_poster_100.jpg [ncix.gov] ;-)

Two words: CyberMonkey ArmyCorps!

[countSudoku()]

Why are we still trying to do this job with inefficient humans! We just need one good CyberMonkey Officer to train the rest of the Corps, and viola! Peace through superior MonkeyPower!

Right

[chris mazuc]

Anything with the word cyber in it is automatically bullshit as far as I'm concerned, so lets dig a little deeper. Who is coming to this meeting?

Among those invited is Larry Clinton, president of the Internet Security Alliance, which represents a range of critical private security industries concerned about cybersecurity.

Ah, the Internet Security Alliance. And who do they represent? No major software or hardware companies are listed. [avectra.com] (Symantec doesn't count) Funny enough, I see companies like Raytheon, Boeing, and Lockheed Martin. I'm just speculating (you know, this being /. and all), but something tells me the good ol' boys of the defense industry are trying to get another gravy train started up here.

Re:

[e9th]

Well, based on their publication Social Contract 2.0: A 21st Century Program for Effective Cyber Security [avectra.com], p. 29 (.PDF)

For example, an anti-virus vendor who might report a lot of C2 URLs based on all the malware could become upgraded to a they get would be Platinum Certified Threat Reporters. A large company with robust internal capabilities might be achieve Gold level.

they certainly don't represent speakers of coherent English.

Re:

[rfelsburg]

Why would this be modded off topic? It's a valid point, I certainly want someone who can write a coherent document in their specialty, protecting critical sensitive data. Not these idiots who seem like they are just picking buzz words and filling in the gaps madlibs-esque.

Re:

[moeinvt]

"Anything with the word cyber in it is automatically bullshit as far as I'm concerned . . ."

AFAIC, anything coming out of Washington D.C. these days is automatically bullshit. Screw the White House and their cyber-security crapola.

There are some very intelligent, knowledgeable people in academia and the private sector working on computer security issues. I'm open to discussion, but I question the basic role of government in this arena. Furthermore, I'm certain that whatever laws, madates, Presidential or

how about getting off of windows? to bad OS/2 died

[Joe The Dragon]

how about getting off of windows? to bad OS/2 died as why is the hole filled windows have to run on ATM's?

if getting of windows is to hard about the fixing the apps with big security holes in them / apps that need admin mode to run.

Re:

[Anonymous Coward]

WHAT?!

Re:

[casings]

I see you are still working on your mastery of "of/off." I would keep practicing your "to/too" though.

Perfect!

[casings]

I love this idea!

If the companies take taxpayer money to secure their networks and their networks become compromised, does that mean we (the taxpayers) get to sue for breach of contract?

Incentivizing Good Behavior

[Doc Hopper]

I think this is a step in the right direction. In the US, we've long faced problems with trying to figure out how to incentivize good behavior, rather than simply discouraging the bad. Yet one of the largest problems facing down the threat of hacking and corporate espionage is acknowledging when there's been a breach. Nobody wants to admit it!

My dad used to call an approach of rewarding appropriate behavior and non-rewarding inappropriate behavior as the "carrot and stick" approach: dangle the carrot, if

Re:

[casings]

I would actually argue that certifications are one source of the problem right now.

Re:

[Doc Hopper]

Sure, on the side of the people doing the security stuff. But audits for compliance with regulations is really the minimal standard applied at my work -- a VERY large software company -- and little else. If there's no financial repercussion for lack of a security implementation, that thing is never, ever put in. Not even if it's "best practice". If we have to have it, good, put it in, but if we don't absolutely have to, the security request rots forever in the hell of a planned upgrade some day.

We recen

Re:

[mister_dave]

I remember Cringely suggesting that Microsoft got serious about security when they perceived their 'insecure software' reputation as a marketing problem.

I wouldn't expect gov't regulations to be any magic pill. They tend to become box ticking exercises, rather than proactive measures.

Re:

[account_deleted]

Comment removed based on user account deletion

Make them liable

[yuna49]

I'm amused this appears on the same page as the discussion about liability for breaches. We all know that enforcing large, public, and expensive fines is the only solution that corporations will pay any attention to. In fact, why not make CIOs (and CEOs?) personally liable.

Leave it to the Market

[Anonymous Coward]

If companies were at risk of "cyber-attack", they'd take appropriate precautions. If they're not at risk, they wont; it's a waste of money.

If it was feasable to attack corporations for profit, people would be doing it. if it's not, they wont try.

"Right now, launching attacks on private companies is so cheap and relatively risk-free that there's almost no way that industry can win"
If that were true, then companies would be getting ransacked right now. ... and yet, it's business as usual.

The market forces are

Lower taxes?

[admintpj]

When is the government going to lower taxes? It certainly won't be in this lifetime....

A joke

[fulldecent]

Preparedness for cyber attacks is currently a joke. I have experience in cooperating with the FBI, SEC, and FINRA to address vulnerabilities at online banks and stock brokers. Is anyone aware of companies or agencies that are hiring in this line of work that I could apply to?