December 03, 2009, 6:10 PM — The U.S. government and private businesses need to overhaul the way they look at cybersecurity, with the government offering businesses new incentives to fix security problems, the Internet Security Alliance said.
The alliance, in a report released Thursday, also called for permanent international cybersecurity collaboration centers, new security standards for VoIP (voice over Internet Protocol) communications and programs to educate corporate leaders about the benefits of enhanced cybersecurity efforts.
Lots of groups have called for better information security education for students, but education for enterprise leaders is often overlooked, said Joe Buonomo, president and CEO of Direct Computer Resources, a data security products vendor.
"At some point, almost every public official who addresses this subject stresses the need to train our kindergarten to 12th-graders on this topic," he said. "In many instances, these officials also note the need to upgrade cyber expertise in the federal workforce. Something else is necessary."
The report, intended as a response to U.S. President Barack Obama's call in May for increased cybersecurity efforts, proposes to create more educational programs on risk management for C-level executives. ISA has already begun an education effort aimed at chief financial officers and other executives.
The report as a whole focuses largely on changing the economics of cybersecurity with incentives and other programs.
"When it comes to cybersecurity, all of the economic incentives favor the attackers," said Larry Clinton, ISA's president. "Attacks are relatively easy, cheap, and the gains from them can be enormous. On the other hand, defense can be costly."
Part of the problem is that many individuals and corporations often see indirect benefits from greater cybersecurity efforts, Clinton said. Consumers don't worry when their credit cards are hacked, because credit card companies cover most of the loss, but all consumers end up paying for the losses in higher interest rates and fees, he said.
Meanwhile, U.S. lawmakers have generally focused on regulations as ways to improve cybersecurity efforts, Clinton said. But regulations are an old way to deal with problems, and cybersecurity is a "21st-century problem that's going to require a 21st-century solution," he said.
In April, U.S. Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, introduced a wide-ranging bill that would have the U.S. government create cybersecurity standards for private businesses. Rockefeller has argued that private businesses have largely downplayed major cybersecurity problems.