DCAF Young Faces 2014 – Cybersecurity Winter School for the Western Balkans

PUBLIC POLICY TOOLS TO PROMOTE CYBERSECURITY FOR CRITICAL INFRASTRUCTURE PROTECTION

AUTHOR: Sergiu CONOVALU*

Introduction

Today's digital information and communications technologies sustain our civil infrastructures and provide vital support for national and economic security. Critical sectors of the economy, such as energy, transport, agriculture or health, are adopting the Internet as their main platform for communication and information exchange, making them fully dependent on the interconnected network of networks. However, this increased level of interdependence entails new challenges for policymakers and industry leaders operating digital infrastructures around the world. Their growing reliance on an effective, yet relatively defenceless, cyberspace makes them increasingly vulnerable to malicious exploits that could degrade or disrupt their operational capabilities.

As the cyber threat to nation states grows, it is essential to consider that many critical infrastructures that carry out public functions, and the information systems on which they rely, are owned and operated by private industry. On the one hand, the economic and social externalities resulting from a potential cyber incident might be too severe to leave the security of those infrastructures to the "invisible hand of the market". Rather than assuring uninterrupted operation of their assets, infrastructure owners and operators are concerned with securing their cyber assets only up to the level that is sufficient for meeting their business objectives. On the other hand, the security of the cyber commons cannot be left only to the "visible hand" of the state. Unilateral government action cannot guarantee the uninterrupted operation and safety of the cyber assets that support essential functions.

Currently, governments leverage their regulatory powers and security standards to impose cybersecurity compliance. However, industry operators usually find the multitude of complex government regulatory requirements, standards and guidelines to be inconsistent and not adapted to the dynamic threat environment.

What can nation states do to affect the conduct of private operators of critical infrastructures in cyberspace? How can national governments incentivise industry to invest in their cybersecurity infrastructure beyond what is necessary for meeting corporate business objectives that are focused more on profit and less on security? It is not optional, but imperative, to take the necessary steps to address these challenges in the current regulatory and ever-changing cyber environment. The purpose of this policy brief is to identify common ground for developing the contours of a future public-private partnership agenda directed at harnessing private sector resources and capabilities to promote vital national cybersecurity interests that direct government intervention alone cannot secure.

Government incentives as a solution to promote cybersecurity

An extensive "menu" of government incentives can be found in various sectors of the economy that have historically been subject to different security programs, such as energy, environment, aviation, telecommunications or agriculture. Today, policymakers can adapt many of these incentive-based security programs to actual cybersecurity needs. However, unlike other areas of the economy, cybersecurity is a cross-sector issue involving various industries; consequently, it requires a carefully considered government approach to assisting those industries in protecting their infrastructures in cyberspace. The following section analyses several incentives that governments could employ to improve industry compliance with the relevant cybersecurity standards.

1. Improving Cybersecurity through Cyber-Insurance Programs

The cyber-insurance market, albeit still relatively new, is becoming an increasingly attractive instrument for critical information infrastructure stakeholders to mitigate probable losses resulting from unforeseen events with damaging consequences for their cyber assets, such as network intrusion, communications network disruption, data breaches, business interruption, cyber-extortion and cyber-terrorism. According to some reports, "insurance is an extremely promising route to solving the identified market failures in cyber security." Cyber insurance is a mechanism that allows an equitable distribution of risks among the parties involved, thus limiting the security breaches and losses an infrastructure stakeholder may face from a potential cyberattack.

Cyber-insurance companies are also one of the main drivers for meeting regulatory requirements and adopting security best practices. The insurer can play a meaningful compliance role by establishing minimum requirements for the beneficiary of the insurance policy as a precondition for the coverage provided. Insurers may shape policyholders' behaviour by applying discounted premium rates for entities with more robust security measures in place, and higher premiums for infrastructure stakeholders exposed to greater cyber risk and with weaker security measures. This would encourage a higher level of self-protection and, eventually, prevent the potential free-rider problem, whereby companies are prone to underinvest in their own security knowing they can reap the same benefits as everyone else in the market.

Even though there are proponents of government support, there are disparate views among critical infrastructure stakeholders as to the extent to which governments should be involved in sponsoring the cyber-insurance market. On the one hand, there are voices in favour of keeping cyber-insurance a purely private market incentive that ensures compliance with cybersecurity standards through eligibility criteria and premium rates. On the other hand, when dealing with risks that are regarded as "uninsurable in the private market", like a "cyber-hurricane", government intervention might be crucial to restore or stabilize the market.

Before adopting an insurance program, it is important to consider that there is still insufficient demand for cyber insurance in the marketplace. This is particularly because companies in most developing and even in many developed societies understand cyberthreats as solely a technological issue, and are unaware of the legal, economic and political implications of an information security breach.

2. Promoting Information Sharing to Enhance Incident Response Capabilities

According to the US Cyberspace Policy Review, "information is key to preventing, detecting, and responding to cyber incidents". Various actors in cyberspace may possess different sorts of information conducive to developing risk analyses and capabilities for detecting sophisticated intrusions. On the one hand, government institutions, through their intelligence collection and investigation mechanisms, may have knowledge of imminent threats in cyberspace and the capabilities to provide appropriate countermeasures. Private enterprises, on the other hand, may have specific information about recent cyber incidents that might help identify further vulnerabilities and induce other actors in cyberspace to take timely and effective countermeasures to prevent a catastrophic cyber event. An effective measure would therefore be to bring the knowledge and insights from these diverse sources together, to the benefit of all actors involved.

A multidirectional and regular flow of information about imminent threats in cyberspace, from government to industry and vice versa, would provide critical infrastructure owners and operators with a clear picture of the cyber threat landscape. It would allow infrastructure operators to better assess the risks they are exposed to, prioritize their resources, and design their cybersecurity strategies and business plans so as to make prudent investments in securing their cyber assets. It would also provide government entities with a better understanding of the industry's challenges and needs, so they could direct their strategic intelligence collection and dissemination activities accordingly.

3. Expediting Security Clearance Processes

Security clearances are commonly used in government institutions and specific industries to grant eligible individuals authorized access to classified information. Generally, national governments, through their intelligence establishments, are in a better position than the private sector to collect data on potential cybersecurity threats and incidents. Correspondingly, they could grant immediate access to this information to qualified critical infrastructure security personnel, who are in a better position to leverage it to defend their cyber assets appropriately. However, critical infrastructure stakeholders have voiced concern that clearance processes are sometimes too slow to let them acquire comprehensive knowledge of the potential threats facing their organizations in a timely manner. Expediting and prioritising security clearances, as a policy tool to overcome information sharing hurdles, will facilitate effective and regular information exchange between government and industry. It would create a more streamlined environment for coordination and information sharing that benefits both critical infrastructure organizations, by enhancing their capabilities to protect their networks and systems, and governments, by helping them provide adequate economic and national security.

4. Limiting Liabilities for Cybersecurity Incidents

Every company providing public or private services is subject to certain legal liabilities under consumer protection and tort laws. In our information-driven world, various liabilities under current laws are applied to companies for cybersecurity breaches, to compensate for losses suffered by other parties. These liabilities serve to prevent unexpected damage to others or to redress a situation following a cyber-incident. Many infrastructure organizations are hesitant to share information about security breaches and the damage inflicted, out of concern that this information might be used against them in litigation. Therefore, reducing or eliminating certain liabilities, in exchange for meeting established government standards, would be an effective policy tool to encourage information sharing across critical infrastructures about breaches and the damage resulting from a cyber-incident. This measure would promote sound cybersecurity practices and minimize the risk of potential loss.

5. Government Grant Funding

According to some industries, the additional cost of purchasing advanced cybersecurity products and services is a serious barrier to implementing enhanced cybersecurity measures. Therefore, government grants, used as a policy tool to improve cybersecurity, could be a positive incentive to defray the additional expenses of complying with cybersecurity standards. Governments can offer various kinds of grants to the owners and operators of critical infrastructures as inducements to improve cybersecurity, including grants for R&D, innovation grants, grants for cybersecurity training, and grants for enhancing preparedness and response capabilities.

6. Tax Incentives

Tax incentives are government measures that provide taxpayers with favourable tax treatment, by reducing the amount of tax or exempting taxpayers from tax liability, in order to encourage specific behaviour towards achieving public interest objectives. Providing tax incentives is another potential public policy tool to encourage critical infrastructure organizations to undertake additional investments in following cybersecurity best practices that would otherwise be deemed unprofitable.

Tax incentives have the potential to address market failures resulting from underinvestment in strengthening cybersecurity capabilities, especially when governments cannot afford to subsidize critical infrastructure organizations or allocate additional resources to the national cybersecurity agenda. A large variety of tax incentives is currently available in different sectors of the economy in many developing and developed countries, for companies engaged in the agriculture, energy, manufacturing or food industries. These incentives can be adapted to support critical infrastructure security in cyberspace. They take several forms, including tax credits for R&D activities that increase the cyber resilience of critical infrastructures; refundable tax credits for additional outlays in complying with cybersecurity standards; or tax deductions for purchasing cybersecurity products and services.

7. Mandate Cybersecurity Breach Disclosure

Disclosure mechanisms are commonly used in various industries to incentivize compliance with norms and standards imposed by public authorities. According to some findings, reputational concerns have proved a strong motivator for organizations to provide safe services and adopt security best practices. In the food industry, for example, compliance with hygiene and safety standards is constantly monitored and irregularities are exposed. Mandatory disclosure of security breaches and cyber incidents can be an effective inducement to influence organizations' behaviour across various critical infrastructure industries.

There are different methods by which this policy measure could be implemented. For example, new legislation on cyber-breach notification might be enacted that imposes specific requirements on all critical infrastructure organizations that fall victim to a security breach. Another method would be to differentiate between complying and non-complying entities and apply mandatory disclosure only to non-complying victims of a security breach, thus encouraging everyone to abide by security best practices and standards.

Nevertheless, mandatory security breach disclosure might be regarded as a coercive rather than a voluntary policy tool applied by governments to compel owners and operators of critical infrastructure to abide by cybersecurity standards. In nation states where most critical infrastructures are privately owned, this measure might provoke even greater non-compliance out of private sector discontent about perceived drastic government measures to control the market. Therefore, this type of incentive is not strongly recommended; however, it can be applied as a purely voluntary mechanism to promote information exchange between infrastructure owners and operators regarding the potential threats, risks and vulnerabilities facing the critical infrastructure community.

Recommendations

Critical infrastructure protection is essential for basic service provision, the proper functioning of government and private organizations, economic well-being, and public safety. To prevent potential threats targeting critical infrastructures, securing cyberspace must be a paramount policy and technology topic on governments' agendas. Considering that in today's hyper-connected world every country is becoming an important node of communication at the regional or global level, this policy brief is primarily addressed to Balkan countries where there is a lack of partnership between the private and public sectors for critical infrastructure protection.

In light of current global trends, internationally a majority of critical infrastructure is owned and operated by private companies. Yet within the Balkan region there are countries where critical infrastructure enterprises are still owned by the state, due to state-centralized governance models of internal security. However, following this global tendency, a large-scale entry of new private enterprises is expected in these countries' markets. To strengthen regional cybersecurity capabilities, policy makers in Balkan countries should consider the following recommendations for developing public policy tools that will engage critical infrastructure organizations and other stakeholders in the region in the effective adoption of cybersecurity best practices.

Define critical infrastructures exposed to cyber risk

Considering the highly interconnected world we live in, almost every public and private infrastructure that supports vital functions of the national economy is susceptible to various cyber exposures. Nonetheless, not every cyber asset disruption will affect national and economic security to the same degree in the event of a cyber-incident. It is important that these infrastructures remain secure and able to withstand and rapidly recover from all hazards. Therefore, based on appropriate cyber risk assessments, governments should work closely with industry to identify those parts of critical infrastructures that, if incapacitated or destroyed, would have disastrous effects on public safety or would cause serious economic distress with implications for national security.

Promote the need for a cybersecurity compliance framework at the national level

Considering the diversity of stakeholders involved in critical infrastructure protection, a national framework must be developed that identifies the areas of concern to be addressed. As part of this framework, governments must engage all critical infrastructure cybersecurity stakeholders, including regulatory bodies, standards-developing organizations, the insurance industry, etc., in a consultative process to coordinate and decide upon common cybersecurity standards, information security practices, implementation guidance, and control measures across all sectors.

Partner with the insurance industry to stimulate the cyber insurance marketplace

Governments should understand the public policy necessity of a robust cyber insurance market capable of enhancing critical infrastructure cybersecurity. Policymakers must educate critical infrastructure owners and operators on the importance of incorporating cyber insurance policies into their risk management frameworks, the same way they would for other types of unanticipated force majeure events like earthquakes or fires. For the cyber-insurance market to be functional, there must be a reasonable level of information sharing between the government and the insurance industry.

Enhance information sharing among critical infrastructure stakeholders

To assist critical infrastructure organizations in protecting their cyber assets, governments, through their law enforcement bodies and intelligence establishments, must create an appropriate environment for effective information flow. This will provide critical infrastructure stakeholders with real-time intelligence and investigation results about the threats they are exposed to and the potential consequences of not taking appropriate measures to secure their cyber assets.

Expedite security clearances for qualified critical infrastructure personnel

To facilitate information sharing efforts, appropriate access should be provided to qualified security personnel within eligible critical infrastructure organizations and within providers offering security products to these infrastructures. Nation state governments must therefore review the statutory documents and policies governing security classification and clearance requirements that currently inhibit the effective sharing of classified cybersecurity-related data.

Provide civil liability protection to complying infrastructures

Since civil liabilities are generally a matter of concern for information sharing, they should be assessed in terms of whether they encourage or, on the contrary, create obstacles to vulnerability disclosure and incident reporting. Consequently, an appropriate legal context must be provided to protect critical infrastructure organizations from being inadvertently penalized for security breaches in the event of a cyber-incident beyond their control.

Implement a grant funding program

Government grants would benefit organizations with lower levels of funding, which are unable to include the additional expense of increasing cybersecurity capabilities in their corporate business plans. Therefore, governments must consider cybersecurity an important evaluation criterion when developing their grant programs for advancing national security objectives. Any government grant proposal must stipulate minimum compliance requirements for grantees as a precondition for eligibility to receive government funds.

Analyse the practical feasibility of providing tax incentives

Government bodies should analyse the practical feasibility of implementing tax credit mechanisms for assuring the cybersecurity of critical infrastructure, considering the examples of such incentives as applied to other sectors of the economy.

Lead by example in cyberspace

Ultimately, governments must lead by example by integrating cybersecurity compliance into their strategic planning and decision-making procedures. Public sector institutions must be early adopters of cybersecurity, sourcing certified products and services for the security of their own assets. At the same time, policymakers must become more conversant with the constantly evolving threats and risks that dominate cyberspace, and must educate themselves on what constitutes good cyber-hygiene for the national critical infrastructure.

Conclusions

Private sector companies hold most critical infrastructure information systems; governments administer only a very small part of these systems. Therefore, in order to influence market dynamics towards improving cybersecurity and ensuring viable and resilient critical infrastructures, governments should build effective partnerships with infrastructure owners and operators. Together, governments and infrastructure owners and operators should define a common security vision and establish mutually agreed-upon cybersecurity best practices and protective measures. Traditional regulatory models must be applied, when appropriate, to ensure consumer protection. However, governments should employ their market powers through incentive policy tools that are economically feasible for private infrastructure owners and can accommodate the ever-changing threat environment in cyberspace. An incentive-based model to encourage better cybersecurity will allow each infrastructure operator to implement industry-tailored security solutions that are relevant for the effective operation of their assets. These incentives should complement, rather than substitute for, the existing regulatory framework and security standards. At the same time, these public policy tools, though aimed at promoting safe and secure infrastructures, must reduce potential liabilities from legal action, and maintain a cyber environment that facilitates economic growth, encourages innovation, promotes competitiveness and assures the free flow of information.

Bibliography

ALLIANT. Cyber Liability Insurance. New York: Alliant Executive Risk Group, 2013.

Bodungen, Clint, Jeff Whitney, and Chris Paul. "SCADA Security, Compliance, and Liability: A Survival Guide." Pipeline and Gas Journal 236, no. 9 (2009).

Chabrow, Eric. Cyber-Insurance Not One-Size-Fits-All: Many Are Still Weighing the Value of Coverage. Information Security Media Group, 2013.

Davidovic, Dusan, Zelimir Kesetovic, and Olivera Pavicevic. "National Critical Infrastructure Protection in Serbia: The Role of Private Security." Journal of Physical Security, 2012.

DHS. Executive Order 13636: Improving Critical Infrastructure Cybersecurity. Incentives Study Analytic Report. Washington, DC: Department of Homeland Security Integrated Task Force, 2013.

DHS. National Infrastructure Protection Plan. Washington, DC: US Department of Homeland Security, 2009.

DOC. Cybersecurity, Innovation and the Internet Economy. Washington, DC: Department of Commerce Internet Policy Task Force, 2011.

DOT. Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636. Washington, DC: United States Department of the Treasury, 2013.

ISA. The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress. A Twenty-First Century Model for Protecting and Defending Critical Technology Systems and Information. Internet Security Alliance, 2008.

Jin, Ginger Zhe, and Phillip Leslie. "Reputational Incentives for Restaurant Hygiene." American Economic Journal: Microeconomics (2009): 237–67.

Kesan, Jay P., Ruperto P. Majuca, and William J. Yurcik. Cyberinsurance as a Market-Based Solution to the Problem of Cybersecurity: A Case Study. University of Illinois at Urbana-Champaign: National Center for Supercomputing Applications, 2005.

NTIA. Discussion of Recommendations to the President on Incentives for Critical Infrastructure Owners and Operators to Join a Voluntary Cybersecurity Program. Washington, DC: National Telecommunications & Information Administration, United States Department of Commerce, 2013.

TechAmerica. "Comments of TechAmerica in the Matter of Cybersecurity, Innovation and the Internet Economy before the Department of Commerce Internet Policy Task Force." 2010.

USTelecom. "Comments of The United States Telecom Association in the Matter of Incentives to Adopt Improved Cybersecurity Practices." 2013.

White House. Cyberspace Policy Review. 2009. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.p

* Mr. Sergiu Conovalu was a policy analysis specialist at the Ministry of Defense of the Republic of Moldova when taking part in the DCAF Young Faces Network 2014 cycle. All opinions and evaluations contained in the paper are those of the author and cannot be attributed to DCAF or any institution to which he is affiliated. The factual background for the paper might have been overtaken by events since early 2015.

http://www.dcaf.ch/Region/Southeast-Europe/DCAF-Southeast-Europe-Regional-Young-Faces-Network