The Federal government should provide economic incentives such as tax deductions or Federal grants to critical infrastructure providers and other organizations that adopt cybersecurity best practices, the National Security Telecommunications Advisory Committee (NSTAC) said in a March 7 report.

In its report on measuring and incentivizing the adoption of cyber best practices, NSTAC said the financial incentives are needed to close a gap between the cybersecurity investments some organizations make and what the government believes is necessary for national security.

Among a series of recommendations, the 65-page document, to be delivered to President Biden, also advocates that the government treat cybersecurity statistics like economic statistics by creating a Cybersecurity Measurement Center of Excellence. Such a center, to be housed in the Department of Commerce, would produce more effective metrics to determine which organizations are adopting cyber best practices, the report said.

NSTAC is a group of private sector experts that advises the White House on telecommunications issues that affect national security and emergency preparedness. Housed in the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), its mission is to provide policymakers with industry advice in telecommunications security.

NSTAC’s latest report was unanimously approved during its March 2024 member conference call. The report focuses on best cybersecurity practices for organizations including critical infrastructure providers, and warns of stark consequences if those providers don’t improve security.

“In recent years, the failure to adopt cybersecurity best practices, including basic cyber-hygiene practices by poorly resourced and less mature organizations, have led to more successful cyberattacks on critical infrastructure, including the Colonial Pipeline and SolarWinds incidents,” the report warned.

“The U.S. national security posture depends on the secure, reliable functioning of our nation’s critical infrastructure,” the document stated. “However, the continued drumbeat of significant cyber incidents suggests existing market forces may be insufficient to incentivize the adoption of cybersecurity best practices and standards at the level needed to … strengthen U.S. national security and emergency preparedness.”

In response, NSTAC said it was tasked with “recommending ways to incentivize cybersecurity best practices, reduce barriers to their implementation, and measure best-practice adoption.”

The report drew plaudits from CISA Executive Director Brandon Wales. “It’s more important now than ever that we develop ways we can continue to incentivize the adoption of cybersecurity best practices and standards … and measure those,” he said during a call with reporters.

Jamie Brown, Senior Director of Global Government Affairs at Tenable – which co-led the NSTAC working group tasked with delivering the report – said the document underscores “the importance of combining policy-based incentives with better measurement mechanisms to enhance national security outcomes.”

“Once implemented, these initiatives will better enable the U.S. to bridge the gap in national security preparedness,” Brown added. “We possess the collective capacity to facilitate implementation of NSTAC’s recommendations, but it will still be necessary for both industry and government to prioritize planning and resources to actively drive these priorities forward.”

Among the report’s other key recommendations:

  • The president should direct the Office of the National Cyber Director (ONCD) to coordinate with relevant Federal agencies to develop a nationwide education and outreach program targeted at critical infrastructure providers – especially resource-poor small and medium-sized businesses – to significantly increase use of the free cybersecurity-services programs offered by each agency;
  • The president should direct ONCD to develop a strategy, in coordination with the Department of Justice and other agencies and the private sector, to tie liability reform and safe harbors to the sharing of cyber-related information with the government by organizations that can demonstrate they have adopted cyber best practices; and
  • To simplify cybersecurity regulation, the president should direct the Office of Management and Budget (OMB) and the Office of Information and Regulatory Affairs to require Federal agencies to conduct and publish a mapping of any new proposed cybersecurity requirements to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, and its successor versions, in advance of the issuance of any new requirements.
Jerry Markon