A Congressman is considering a bill that would offer financial incentives to companies that invest in cyber-security. The proposal is starting a debate about whether tax breaks would actually improve security within enterprises.
Tax breaks and liability protection may spur companies to improve cyber-security on their networks more than new regulations, Rep. Greg Walden (R-Ore.) told Bloomberg Feb. 8. As the chairman of the House Energy and Commerce Communications and Technology Subcommittee, Walden is considering introducing such a bill, according to Bloomberg.
Businesses favor federal government involvement in combating cyber-threats, such as information-sharing, but oppose additional regulations. They are also less likely to support restrictive legislation focused on punishing them for not taking appropriate steps. "Bad regulation could be counterproductive, leading companies to expend their limited resources on building in-house efforts to meet regulatory demands over actually dealing with the threat proactively," Larry Clinton, president of the Internet Security Alliance, wrote in written testimony to Walden's subcommittee.
There is a sense among industry officials that offering federal incentives may result in organizations having better security. "We need to provide a right mix of incentives and regulation," said Clinton.
Anything that spurs businesses to voluntarily improve their cyber-security posture is "OK in my book," said Andrew Brandt, director of threat research at Solera Networks Research Labs. The enormous cost to the economy in the wake of a large-scale cyber-attack is worth the cost of subsidizing security measures through tax breaks, said Brandt.
Tim Keanini, CTO of nCircle, concurred, noting that calling the U.S. Secret Service or FBI after a data breach was "surely more expensive for taxpayers than a tax break."
While there is a long list of regulatory requirements on what organizations have to do to protect their data and networks, they are routinely violated or flat-out ignored with little or no penalty, said AlienVault CTO Roger Thornton. Organizations that do the "right thing" wind up paying more than those that don't do anything. The proposed incentives in exchange for security "would turn the tables and give the financial rewards to those that actually do the right things," said Thornton, calling the proposal "basic economics."
There were some concerns that incentives wouldn't have much of an effect. Leading organizations are already proactively securing network configurations to limit their exposure, said Sam Erdheim, director of marketing at AlgoSec. But it's being proven over and over again that "the good guys will never win playing cat-and-mouse with motivated attackers."
Another problem with cyber-security tax breaks is what happens if companies make the security investment and a breach still occurs. Companies already spend a lot on security, but the question is whether they are investing in the right things. Instead of focusing on securing the network, the focus should be on protecting the data so that even if it is stolen, the protected data is useless to a cyber-attacker, said Mark Bower, vice president at Voltage Security.
It would be "challenging" to validate that the company has earned the incentives, said Michael Sutton, vice president of security research at Zscaler ThreatLabZ. Before offering tax breaks or loans, lawmakers would have to define what "good cyber-security practices" would look like, which is a challenge in itself.
To make such an incentive program possible, the government would have to develop a fair and balanced cyber-security rating system, said Andrew Storms, director of security operations at nCircle. "Our government's track record in that area is not encouraging," said Storms.
A tax break could make sense if it included a prescriptive approach, much like the Payment Card Industry rules that cover how credit card data is secured, said Rob Rachwald, director of security strategy at Imperva.
However, incentives alone would not improve the security of critical infrastructure, said Brian Ahern, CEO of Industrial Defender. Information-sharing between organizations and government agencies would be critical to identifying sources of threats and defending against them. There needs to be legislation in place to protect organizations from liabilities for sharing data, Ahern said.
The House is already discussing a bill, proposed by Rep. Dan Lungren (R-Calif.), that would offer safe-harbor protections for organizations that voluntarily share information about cyber-threats.