While getting tax breaks for investing in cyber-security is a popular proposal, will these financial incentives actually improve security within enterprises or just reward a few?
A Congressman is
considering a bill that would offer financial incentives to companies that invest
in cyber-security. The proposal is starting a debate about whether tax breaks
would actually improve security within enterprises.
Tax breaks and liability protection may spur companies to
improve cyber-security on their networks more than new regulations, Rep. Greg
Walden (R-Ore) told Bloomberg
Feb. 8. As the chairman of the House Energy and Commerce Communications and
Technology Subcommittee, Walden is considering introducing such a bill,
according to Bloomberg.
Businesses favor having the federal government involved in
combating cyber-threats, such as information-sharing, but are opposed to
additional regulations. They are also less likely to support restrictive
legislation that would be focused on punishing them for not taking appropriate
steps. "Bad regulation could be counterproductive, leading companies to
expend their limited resources on building in-house efforts to meet regulatory
demands over actually dealing with the threat proactively," Larry Clinton,
president of the Internet Security Alliance, wrote in written testimony to
There is a sense among industry officials that offering
federal incentives may result in organizations having better security. "We
need to provide a right mix of incentives and regulation," said Clinton.
Anything that spurs businesses to voluntarily improve their
cyber-security posture is "OK in my book," said Andrew Brandt,
director of threat research at Solera Networks Research Labs. The enormous cost
to the economy in the wake of a large-scale cyber-attack is worth the cost of
subsidizing security measures through tax breaks, said Brandt.
Tim Keanini, CTO of nCircle concurred, noting that calling the U.S. Secret Service or FBI after a data breach was "surely
more expensive for taxpayers than a tax break."
While there is a long list of regulatory requirements on
what organizations have to do protect their data and networks, they are
routinely violated or flat out ignored with little or no penalties, said AlienVault
CTO Roger Thornton. Organizations that do the "right thing" wind up
paying more than those that don't do anything. The proposed incentives in
exchange for security "would turn the tables and give the financial
rewards to those that actually do the right things," said Thornton,
calling the proposal "basic economics."
There were some concerns that incentives wouldn't have much
of an effect. Leading organizations are already proactively securing network
configurations to limit their exposure, said Sam Erdheim, director of marketing
at AlgoSec. But it's being proven over and over again that "the good guys
will never win playing cat-and-mouse with motivated attackers."
Another problem with cyber-security tax breaks is what
happens if companies make the security investment and a breach still occurs.
Companies already spend a lot on security, but the question is whether they are
investing in the right things. Instead of focusing on securing the network, the
focus should be on protecting the data so that even if it is stolen, the
protected data is useless to a cyber-attacker, said Mark Bower, vice president
at Voltage Security.
It would be "challenging" to validate that the
company has earned the incentives, said Michael Sutton, vice president of
security research at Zscaler ThreatLabZ. Before offering tax breaks or loans,
lawmakers would have to define what "good cyber-security practices"
would look like, which is a challenge in itself.
To make such an incentive program possible, the government
would have to develop a fair and balanced cyber-security rating system, said Andrew
Storms, director of security operations at nCircle. "Our governments
track record in that area is not encouraging, said Storms.
A tax break could make sense if it included a prescriptive
approach, much like the Payment Card Industry rules that cover how credit card
data is secured, said Rob Rachwald, director of security strategy at Imperva.
However, incentives alone would not improve the security of
critical infrastructure, said Brian Ahern, CEO of Industrial Defender.
Information-sharing between organizations and government agencies would be
critical to identifying sources of threats and defending against them. There
needs to be legislation in place to protect organizations from liabilities for
sharing data, Ahern said.
The House is already discussing a bill, proposed by Rep.
(R-Calif.) that would offer safe-harbor protections for
organizations that voluntarily share information about cyber-threats.