The US government and private businesses need to overhaul the way they look at cybersecurity, with the government offering businesses new incentives to fix security problems, the Internet Security Alliance said.
The alliance, in a report released Thursday, also called for permanent international cybersecurity collaboration centres, new security standards for VoIP (voice over Internet Protocol) communications and programs to educate corporate leaders about the benefits of enhanced cybersecurity efforts.
Lots of groups have called for better information security education for students, but education for enterprise leaders is often overlooked, said Joe Buonomo, president and CEO of Direct Computer Resources, a data security products vendor.
"At some point, almost every public official who addresses this subject stresses the need to train our kindergarten to 12th-graders on this topic," he said. "In many instances, these officials also note the need to upgrade cyber expertise in the federal workforce. Something else is necessary."
The report, intended as a response to US President Barack Obama's call in May for increased cybersecurity efforts, proposes to create more educational programs on risk management for C-level executives. ISA has already begun an education effort aimed at chief financial officers and other executives.
The report as a whole focuses largely on changing the economics of cybersecurity with incentives and other programs.
"When it comes to cybersecurity, all of the economic incentives favor the attackers," said Larry Clinton, ISA's president. "Attacks are relatively easy, cheap, and the gains from them can be enormous. On the other hand, defense can be costly."
Part of the problem is that many individuals and corporations often see indirect benefits from greater cybersecurity efforts, Clinton said. Consumers don't worry when their credit cards are hacked, because credit card companies cover most of the loss, but all consumers end up paying for the losses in higher interest rates and fees, he said.
Meanwhile, US lawmakers have generally focused on regulations as ways to improve cybersecurity efforts, Clinton said. But regulations are an old way to deal with problems, and cybersecurity is a "21st-century problem that's going to require a 21st-century solution," he said.
In April, US Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, introduced a wide-ranging bill that would have the US government create cybersecurity standards for private businesses. Rockefeller has argued that private businesses have largely downplayed major cybersecurity problems.
"I regard [cybersecurity] as a profoundly and deeply troubling problem to which we are not paying much attention," he said earlier this year. "The problem is America is unacceptably exposed to massive cybercrime."
ISA is opposed to the original version of that bill, Clinton said. The trade group, representing US companies from several sectors, has long advocated for incentives and opposed new regulations, but the new report offers several suggestions. The report calls on the US Congress to pass a law providing marketing and insurance benefits to companies creating new cybersecurity technology and standards.
The US government should also tie federal grants, loans and stimulus money to cybersecurity standards, and it should push for greater security in the technology products it buys, the ISA report said. In addition, the US government should create tax incentives for companies that comply with privately developed cybersecurity standards and technologies, the ISA said.
The report also explores ways to address malicious firmware embedded in hardware the government purchases from overseas. While not a huge problem currently, malicious firmware could be used to disrupt US weapon systems and other computer-based systems, said Scott Borg, director and chief economist at the US Cyber Consequences Unit, an independent cybersecurity analysis group.
Malicious firmware could be a "nightmare" for the US government, but the ISA is attempting to work with suppliers to improve their overall cybersecurity protections, in turn reducing the potential for malicious firmware, Borg said.
"This is a very unusual effort," Borg said. "It's not one of those gestures that industry makes to go through the motions and make people feel better or forestall regulation. This is an effort to do something really substantive."