Larry Clinton
Virtually all Americans did exactly the same thing when they heard about the terrorist attacks on Sept. 11, 2001: they sought information. Some picked up the phone, some turned on the TV, some went on the World Wide Web and some sent e-mail. All of those channels are tied in some way to the Internet.
If someone really wanted to terrorize America, they would take away its information. Imagine how much more frightening Sept. 11 would have been if it had been coupled with a cyberattack. Without a steady flow of information, no one would have known whether simultaneous attacks were being carried out in California or Texas or London.
The Internet is one of our most critical infrastructures and possibly the most difficult to defend. It is inherently international, interactive and interdependent, and it is constantly changing. And no one owns it. If a traditional regulatory structure were used to control the Internet, many regulations would be outdated before they were published. Even worse, such a regulatory process could provide nefarious users a roadmap of Internet vulnerabilities. Moreover, strict technological regulations could strangle the world economy, which is what many terrorists want.
It is not only terrorists we need to worry about. The number of vulnerabilities and attacks on the Internet grew by nearly 500 percent in each of the past two years. Private industry has lost tens, maybe hundreds, of billions of dollars to various forms of Internet attacks. Many experts fear the worst lies ahead.
We need a new model to secure the Internet. Between 80 percent and 90 percent of the Internet is operated by private industry, so it should be private industry's responsibility to provide leadership in developing a model that uses market incentives, rather than regulatory mandates, to ensure cybersecurity. Such a system could provide the dynamics needed to keep up with the rapid evolution of the Internet and transcend the international boundaries that the Internet does not recognize.
In June, the Internet Security Alliance hosted a briefing on Capitol Hill and outlined some of the market incentive programs ISAlliance member companies are developing. For example, AIG, the largest provider of cyber insurance in the world, will discount its premiums by 15 percent for any company that joins the ISAlliance and adopts its "Best Practices for Cyber Security" (published in 2002). Thus, any participating company can significantly lower its business costs by increasing its security. Much like good-driver or nonsmoker benefits, the program provides the incentive to improve behavior.
Other companies are using the market in different ways. Visa has developed the "digital dozen" security program. If a merchant wants the privilege of being an affiliate that accepts Visa credit cards, it must adhere to 12 specific cybersecurity practices. Nortel Networks has developed a similar program for companies that want to sell Nortel's products. Also recognizing the market need for security, Verizon offers expanded security education and training as part of the package of telecommunications services it sells to business and residential consumers.
These companies realize it's in their corporate interest to provide security incentives to others. If their business partners are insecure, their business is insecure. The market can and must be used to provide cybersecurity incentives, and industry has begun to rise to that challenge.




