Using market incentives to improve cybersecurity

“The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our nation,” President Joe Biden said on July 28. He added: “The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”

President Biden’s direction in a National Security Memorandum on improving cyber security for smart technologies in U.S. critical infrastructure is clear: The Nation must focus on cyber protections to counter an existential threat to our power, our water, and other essential resources.

The administration noted that we must move with urgency — the federal government cannot do this alone.

Securing critical infrastructure needs a whole-of-nation effort. As we rely on smart technologies for our livelihood and, indeed our lives, we must aggressively mitigate cyber risk for the safety of our communities and families.

The president’s plan establishing common cyber protection performance controls is an essential first step. Voluntary adoption is an excellent second step. In contrast, government mandates, regulations, and minimal standards have proven to be ineffective, inefficient, and slow to respond to rapidly metastasizing cyber threats.

On the other hand, voluntary investments to mitigate cyber risk have historically not competed well in corporate boardrooms, as investors and shareholders favor revenue growth. While that priority drives this nation’s legacy of innovation, the list is growing daily of executives who lose the bet that a cyber-attack will never infect their business.

So, how do we incentivize voluntary adoption of performance controls? The president’s urgent call for action requires a market-based approach for voluntary adoption and certification of cyber protections. Specifically, performance incentive mechanisms should offer a return on investment for any owner or operator. This should apply not just to our nation’s critical infrastructure, but to every school, home, building, or hospital using smart technology to be more sustainable, efficient or offer better service.

Insurers want their clients to invest in cyber risk mitigations. Cybersecurity insurance rates have skyrocketed in 2021, particularly in response to ransomware attacks targeting high value assets with low cyber defenses. It’s not just the ransomware attacks seizing information technologies and crushing cyber insurance policies, but attacks to smart technologies, also known as cyber-physical systems (CPS), which can hurt people or cause catastrophic property damage.

The risk to the property and casualty insurance world is real and growing. Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. This should be the first motivator for boardrooms. Gartner also predicts 75 percent of CEO’s will be personally liable for cyber-physical security incidents by 2024.

The liability is also expanding. Failing to properly maintain reasonable cyber security measures, procedures, and practices appropriate to the nature and scope of business operations has become the primary claim in a growing number of class action lawsuits, most recently filed against the Colonial Pipeline.

Every insurance company would prefer to incentivize their clients to better protect themselves rather than to pay claims or litigation. Insurers are already using incentives when we receive a reduction on our homeowner’s policy for a security system, or a good driver discount on car insurance. We need a national program to reward proactive cyber protections and behavior.

The private sector has the expertise and flexibility to develop common performance goals, incentives, and certification mechanisms to quickly raise cyber security defenses. Non-profit organizations like the International Society of Automation and BuildingCyberSecurity.org have partnered with the world’s leading risk managers and insurers to implement a framework of controls, best practices, and certifications that will be rewarded with reductions to insurance rates and business liability.

These are the returns that asset owners and operators can see on their balance sheets. Investors and shareholders also want risk protection against cyber threats that can devastate asset value instantly with one keystroke of an attack to an elevator, a smart car, water system, or pipeline.

The federal government alone cannot make our society more cyber resilient and safe. More laws and regulations will have limited effect. Securing our critical infrastructure and all aspects of the technology in our environment requires a whole-of-nation effort that harnesses the ingenuity and innovation of markets and the private sector.

The president has called us to action, and real, tangible solutions are available. The performance goals are ready to go now and will quickly raise cyber defenses without the need for government oversight or taxpayer funds. It is time to stop admiring the cyber threat and to support a national program run by the private sector for cyber performance goals and incentives across the entire built environment. 

Lucian Niemeyer is a former Assistant Secretary of Defense and is the Chief Executive Officer of BuildingCyberSecurity.org