Incentives, Not Orders, Will Strengthen American Cybersecurity

The Strengthening American Cybersecurity Act has the right goal, but achieving it will require legislation that embraces a market-based approach

This past month, President Joe Biden signed into law a $1.5 trillion omnibus bill that contained the “Strengthening American Cybersecurity Act,” one of the largest cybersecurity reforms in nearly two decades. Title II of the bill, the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” contains new requirements for companies involved in federally-designated critical infrastructure—broadly defined as including everything from banks and hospitals to power grids—to provide cybersecurity incident reports to the Cybersecurity and Infrastructure Security Agency (CISA) in a timely manner. Incident reporting is vital for a secure economy; we can’t expect to protect our most important assets if we do not understand the battlefield.

Unfortunately, the regulations in this act are not the most effective way to achieve these aims. Congress should revise it in a future bill to promote incident data production and consumption through improved incentives, not just directives. Such a law must address the three kinds of market failures present in the market for cybersecurity incident data—free-riding, externalities, and adverse selection—with targeted solutions for each: knowledge subsidies, negligence fines, and voluntary certifications.

This is a two-stage problem: why don’t companies effectively produce incident data, and why don’t they effectively consume it? In diagnosing a market failure, one should always ask: why hasn’t someone already fixed it?

The reason private companies do not produce enough public incident data is due to free-riding. It doesn’t do much for a company to disclose its own incidents, but it benefits them greatly when others do. Public incident data is both non-rival and non-excludable, meaning that it does not become depleted and it cannot be denied to others. Therefore, companies would prefer to stay quiet and enjoy the efforts of others even though the net result leaves everyone worse off.

In addition, private companies fail to effectively consume public incident data because of externalities. A company that fails to act responsibly on relevant incident data will only bear a portion of the cost. The rest is borne by customers and suppliers due to supply chain disruptions and customer compromise. Cyberattacks are now responsible for 50 percent of supply chain disruptions, with a pre-pandemic annual cost of $2 trillion in the United States and the European Union. Most of these costs will not be borne by the shareholders of the targeted company; they will fall on customers as well as upstream and downstream companies within the supply chain. Because a company’s incentives are not aligned with the public’s, the natural tendency is to underutilize public incident data more than customers and suppliers would prefer.

Finally, the incentives to ignore public incident data are amplified by asymmetric information. Vendors, and especially customers, do not know the true level of risk within the firms they work with. This leads them to both over- and under-engage with firms depending on their risk tolerance, producing business decisions they would not have made if they had the economically relevant information needed to fully account for security risks. This is a significant problem among consumers—less than a fifth of consumers consider themselves very well informed about cyber risks. This lack of knowledge limits the ability of the market to police imprudent behavior. At its worst, it drives out the companies willing to pay the extra cost of security and leaves the entire market worse off.

The core problem with Title II in the act is that it tries to solve these problems by simply mandating that firms provide incident data, backing it with the threat of legal action. Companies must report both cyber incidents and ransomware payments within seventy-two hours and twenty-four hours, respectively, to CISA when they experience a substantial cyberattack. Those that fail to comply may face both civil action and potential criminal investigation by the Department of Justice. Those that adhere to these rules receive immunity from any civil suits resulting from those breaches.

This act relies on the legal system to provide carrots (immunity) and sticks (subpoenas) for incident data production while doing nothing to incentivize consumption. Its reliance on the legal system generates uncertainty about the costs and benefits of complying. Risk-averse, less-connected firms will overcomply and divert resources away from building better products and services in order to focus on legal and regulatory compliance. Better-connected, risk-seeking firms will believe that legal action is less likely and spend less on compliance. As a result, the act encourages the very firms that need the most regulation to undercomply and encourages the firms that need it less to overcomply.

In addition, blanket regulations impose high fixed costs that firms can struggle to adhere to, especially smaller, less-scalable ones. These uneven burdens reduce competition and discourage new actors from entering the marketplace, thereby protecting incumbents. A better solution would fix the incentives to encourage security while minimizing costs.

Fortunately, there’s an incentives-based solution that can address each of the three market failures more effectively than regulatory and legal mandates.

The first problem, free riders, is about the lack of incentive to create new knowledge—no different than the same problems in research and development. Therefore, a revised act would include a tax credit, like one for research and development, for companies that provide incident data. Participants could also vote to give bonus credits to companies that provide higher quality reporting to incentivize data sharing between companies. Some states, such as Maryland, already provide a tax credit for private investment in cybersecurity. The federal government should do the same for incident reporting, which is effectively a public investment by private sector participants.

The second problem, externalities, is caused by companies not making decisions that benefit the collective good. The classic solution to this problem is Pigouvian taxation, an approach that sets fines at the social cost of the bad action to disincentivize it. Unlike classic cases like air pollution, however, the costs in cyber are a function of risk and probability. A revised act would allow CISA to fine companies in proportion to the expected harm or risk of a breach if it was due to a vulnerability that was already captured in the public incident reporting system.

Finally, adverse selection can be addressed through a voluntary certification system. The act should empower CISA to work with private companies on developing a scorecard that shows whether companies effectively produce and consume public incident data. CISA can mimic the scoring design local health departments and the Department of Agriculture use for meat to make it intuitive for consumers. This scorecard would empower both suppliers and customers to make better decisions and punish negligent companies.

Professionals overwhelmingly agree that greater information sharing and better reporting within the private sector are necessary for companies to protect themselves from cyberattacks. The challenge is getting companies to play ball. The present act has the right goal: increasing the level of public cybersecurity knowledge. All it needs now is the proper mechanisms to compel private companies to produce and consume that information. Congress should reform the act by addressing the underlying market failures and providing CISA with targeted solutions to build the knowledge ecosystem needed to secure the U.S. economy.

Yameen Huq is the Director of Data & Analytics at CyberVista, LLC, a cybersecurity workforce training company. Previously, he was a consultant specializing in analytics, cybersecurity, and strategy for public and private-sector clients. He is a former Marcellus Policy Fellow at the John Quincy Adams Society and holds a Master's in Cybersecurity with a focus on technology policy. His previous writing has appeared in American Affairs and Exponents.

Image: U.S. Air Force/Flickr.