New study calls for cybersecurity overhaul in U.S.

U.S. cybersecurity efforts need to focus on incentives and enterprise education, the report says

The U.S. government and private businesses need to overhaul the way they look at cybersecurity, with the government offering businesses new incentives to fix security problems, the Internet Security Alliance said.

The alliance, in a report released Thursday, also called for permanent international cybersecurity collaboration centers, new security standards for VoIP (voice over Internet Protocol) communications and programs to educate corporate leaders about the benefits of enhanced cybersecurity efforts.

Lots of groups have called for better information security education for students, but education for enterprise leaders is often overlooked, said Joe Buonomo, president and CEO of Direct Computer Resources, a data security products vendor.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The U.S. government and private businesses need to overhaul the way they look at cybersecurity, with the government offering businesses new incentives to fix security problems, the Internet Security Alliance said.

The alliance, in a report released Thursday, also called for permanent international cybersecurity collaboration centers, new security standards for VoIP (voice over Internet Protocol) communications and programs to educate corporate leaders about the benefits of enhanced cybersecurity efforts.

Lots of groups have called for better information security education for students, but education for enterprise leaders is often overlooked, said Joe Buonomo, president and CEO of Direct Computer Resources, a data security products vendor.

"At some point, almost every public official who addresses this subject stresses the need to train our kindergarten to 12th-graders on this topic," he said. "In many instances, these officials also note the need to upgrade cyber expertise in the federal workforce. Something else is necessary."

The report, intended as a response to U.S. President Barack Obama's call in May for increased cybersecurity efforts, proposes to create more educational programs on risk management for C-level executives. ISA has already begun an education effort aimed at chief financial officers and other executives.

The report as a whole focuses largely on changing the economics of cybersecurity with incentives and other programs.

"When it comes to cybersecurity, all the of the economic incentives favor the attackers," said Larry Clinton, ISA's president. "Attacks are relatively easy, cheap, and the gains from them can be enormous. On the other hand, defense can be costly."

Part of the problem is that many individuals and corporations often see indirect benefits from greater cybersecurity efforts, Clinton said. Consumers don't worry when their credit cards are hacked, because credit card companies cover most of the loss, but all consumers end up paying for the losses in higher interest rates and fees, he said.

Meanwhile, U.S. lawmakers have generally focused on regulations as ways to improve cybersecurity efforts, Clinton said. But regulations are an old way to deal with problems, and cybersecurity is a "21st-century problem that's going to require a 21st-century solution," he said.

In April, U.S. Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, introduced a wide-ranging bill that would have the U.S. government create cybersecurity standards for private businesses. Rockefeller has argued that private businesses have largely downplayed major cybersecurity problems.

"I regard [cybersecurity] as a profoundly and deep troubling problem to which we are not paying much attention," he said earlier this year. "The problem is America is unacceptably exposed to massive cybercrime."

ISA is opposed to the original version of that bill, Clinton said. The trade group, representing U.S. companies from several sectors, has long advocated for incentives and opposed new regulations, but the new report offers several suggestions. The report calls on the U.S. Congress to pass a law providing marketing and insurance benefits to companies creating new cybersecurity technology and standards.

The IDG News Service is a Network World affiliate.