Private company involvement in military IT systems and cybersecurity regulations

Cyber Security

Conceptual or Substantive Assumptions

Cybersecurity is fast approaching a place where it is becoming a form of currency with consumers and clients. It is only in the past decade that digital environments became a normal and typical way to transact business. Consumers and clients quite rapidly adapted to the convenience of conducting business and managing their finances in online environments. Certainly, there were -- and are -- people who did not fully trust digital commerce, but consumers choices narrowed to a point where non-digital transactions were constrained. For instance, customers of banks were funneled into online transactions as some banks gave up a bricks-and-mortar presence. Consumers who wanted more choices when making everyday purchases found meager goods on the shelves but an abundance of inventory online. Patients learned to access their medical records and test results online, and many medical practitioners now keep online office hours for emergency communications and treatment advice. All manner of business and personal transactions have come to rely on the functions and services found in digital environments. One overarching attribute is necessary for this new way of accomplishing economic transactions: that attribute is trust.

Trust between the public and private companies is fundamental to sustaining the way business is conducted today, and for enabling technological innovations to continue being embedded in the quotidian lives of the American people. Yet, the essential ingredient of trust has been seriously eroded over the past several years as consumers and business have experienced the shock of expansive and pervasive cybercrime. In much the same way that the exchange of paper money in commerce is based on trust, and keeps economies functioning in predictable and understandable ways, commercial transactions that depend on secure and expedient information technology pivot on the notion of trust. Cybercrime impacts the bottom line of businesses in terms of the costs to restore secure IT functioning and pay reparations as required. But cybercrime also impacts the reputation of businesses, which can result in long-term losses from bleeding brand equity and diminished consumer loyalty. In the long run, it is likely that businesses will pay less upfront to ensure the cybersecurity of their systems than they will to repair damages resulting from cybercrime. The idea of businesses benefitting from expenditures to improve cybersecurity is neither unique nor new; however, a number of prophylactic commercial approaches for dealing with cybercrime are new -- and they may well capture the imagination of businesses concerned with meeting the high cost of cybersecurity out of their own coffers.

Several years ago the Internet Security Alliance (ISA) Cyber Security organization proposed a constellation of potential market incentives to evoke cooperation from private enterprise for voluntary adoption of innovative cyber security measures and programs. The recommendations for market incentives were conceived as part of a social contract with commerce. In October 2011, the House Republican Cyber Security Task Force released a report on cybersecurity report that largely mirrors the ISA recommendations. Other innovative market incentive recommendations from the House Task Force included the following:

The notion that regulation cannot keep pace with technological change;

The realization that not one set of cybersecurity standards will not apply equally across industries or even businesses;

Streamlined regulation, licensing, and permitting as an incentive;

Exploration of mechanisms to promote the usage of cyber insurance;

Tying taxes and grants to adoption of cybersecurity best practices and measures; and Limited liability for good actors ("ISA," 2014).

Rationale and Theoretical framework

New ways are needed for government and industry to collectively work to protect the technology infrastructure, national freedom, and bedrock commercial enterprise. A key component of these new approaches is the use of incentives that will entice enterprises to voluntarily adopt the new practices and measures, some of which are quite radical with regard to the degree and type of cooperation among the stakeholders. The value that industry attributes to the incentives is crucial for successful adoption, implementation, and sustainability. For that reason, proposed incentives steer clear of anything that could be considered paltry. The recommendations are impressive and substantial, and include the following: cybersecurity insurance, expedited assistance from the government during cyberattacks, grants, liability limitation, process preference, public recognition programs that help to establish recognized emblems of trust, rate recovery for price regulated industries, and streamlined regulations. There is also hope that business and industry can assist with efforts to research "the most pressing cybersecurity challenges where commercial solutions are not currently available" (Daniel, 2014).