An information security industry trade association (the ISAlliance – Internet Security Alliance) has been promoting the notion of a social contract between government and the private sector to improve cybersecurity. The ISAlliance includes representatives from Verizon, the National Association of Manufacturers, Nortel, the CyLab at Carnegie Mellon University, Raytheon, and Northrop Grumman.
According to the ISAlliance, the free-market-based approach that the Bush administration has used to encourage companies to improve cybersecurity is not sufficient, and the incoming Obama administration should form a cybersecurity social contract with industry based on economic incentives.
The US government would reward vendors by working cybersecurity into procurement and loan processes, along with marketing incentives.
The ISAlliance believes that:
“Industry and government must construct a mutually beneficial social contract which addresses, creatively and pragmatically, the security of our cyber infrastructure.”
Cybersecurity should be an enterprise risk management issue rather than an IT issue. The board said the “social contract” was similar to the approach government took with utilities in the early 1900s to encourage the companies to make the investments to make services universal.
I’m not sure what’s new here – the Defense Department has had stringent information security requirements in its procurement processes for years. Regarding the government and marketing incentives – easy money always sounds good to me, and getting businesses and government to think about security as a risk management issue is definitely a good idea.