02/13/2012 -

In order to effectively combat today’s cyber threats, the U.S. needs to focus more on creating new market-based incentives--allowing companies to develop their own cyber defenses--rather than creating new kinds of security regulations that can sometimes be burdensome and ineffective, according to Larry Clinton, president of the Internet Security Alliance.

The private sector is already being “extremely responsive” to cyber threats, said Clinton, speaking at a House Energy and Commerce subcommittee hearing Wednesday. He noted one estimate that the private sector will spend $80 billion on cyber security in 2011; by comparison, the Department of Homeland Security’s entire spending request for 2012 is just $57 billion.

But the current sophistication and frequency of ongoing cyber attacks has become overwhelming to many private sector organizations, he said. Attacks including Advanced Persistent Threats are carried out by highly sophisticated attackers. And, “[p]erhaps most indicative of these attacks, is that if they target a system, they will invariably compromise, or ‘breach’ it.” Clinton gave his testimony at a time when Congress is increasingly debating several major bills aimed at strengthening the country’s cyber security.

Companies presently have many sophisticated technologies and best practices to strengthen their defenses, Clinton said. The main challenge to cyber security is, in fact, more about economics than technology, he said. Many of these tools and strategies “are not…used because of cost and complexity.”

But creating new security requirements can be expensive and challenging to apply across diverse industries and organizations, he said. They can also be too slow to keep pace with the rapidly-evolving cyber threat.

The government could more effectively assist the private sector by creating new types of market incentives that could help companies take advantage of existing tools and best practices, he said. Incentives could come in the form of tax breaks, grants, and liability reforms that could help private sector organizations take greater advantage of security practices including information sharing, he said.

One existing House bill, from the Intelligence Committee, aims to increase public-private information sharing and create new market incentives for security. Another bill, from the Homeland Security Committee, aims to strengthen information sharing and to clarify the government’s authority over cyber security. 

♦ Photo bycongresscheck/Flickr