White House Incentivizes Cybersecurity Framework Adoption

The White House this week released a set of incentives designed to encourage private companies to join the administration in its efforts to cut down on cyberattacks.

The initiatives are a follow-up to the cybersecurity executive order President Obama signed in February, following Congress’ failure to agree on cybersecurity legislation last year. The order was intended to facilitate more information-sharing between the government and private companies regarding cyberattacks, as well as to set up a framework for cybersecurity initiatives.

The primary incentive proposed by the administration is cybersecurity insurance, particularly for networked infrastructure operations like electric power or water companies. The White House said it is working with the insurance industry to be able to provide a type of cybersecurity insurance that would “promote the adoption of cyber risk-reducing measures.”

Many of the other incentives are vague — perks such as public recognition or access to cybersecurity research for companies that participate in setting up the framework. They may include federal grants and expedited government services such as technical assistance for critical infrastructure companies in the case of cyberattacks.

Prioritizing Security

The White House’s move to incentivize companies to join in its efforts against cyberattacks is a sign the government is increasingly aware of the cybercrime threat, said Kati Rodzon, manager of security behavior design for MAD Security.

“The fact that the White House is trying to encourage large companies to sign on to cybersecurity initiatives is definitely a sign that the administration is prioritizing cybersecurity,” she told the E-Commerce Times. “After the recent attacks on larger virtual companies in the states, it looks like the White House is realizing how dangerous it is when large companies don’t make cybersecurity a priority.”

It’s also an admission that the looming threat of cybercrime is too formidable for the government to battle alone, said Michael Cernyar, cybercrime attorney based in Los Angeles.

“The government is conceding that they can’t fight it alone and/or that they have no interest in pursuing cyberenforcement on a large scale, so they are offering incentives to private companies to do it on their behalf,” he told the E-Commerce Times. “It’s a lackluster effort to a growing problem. It’s all lip service.”

More Than Just Checking the Box

The offer of cybersecurity insurance might not be enough to effectively address the threat of cybercrime or how to prevent it, Rodzon warned.

“An insurance incentive will be alluring for companies that are primarily concerned with cyberattacks causing physical damage,” she pointed out. “Unfortnately, if the company was not concerned with cybersecurity before, I worry that they will just check the box to meet the requirements rather than actually make it a priority.”

That’s largely because even with government perks designed to help companies increase their efforts against cybercrime, the responsibility still lies with the private companies, said Rodzon. Complying with a few security rules won’t keep all the cybercriminals at bay.

“The White House has started to embark on an uphill battle to make companies care about cybersecurity,” Rodzon noted. “While many organizations, large and small, may fulfill training or security requirements to receive the incentives, many will do the bare minimum … . This is the hardest part about fighting against cyberattacks, and it is no new battle to the security industry. Hopefully the White House’s efforts will help bring more companies into the conversation.”