Title

Treasury Department Summary Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636

Author Information

Department of Treasury

Security Theme

Cybersecurity

Keywords

Cybersecurity, critical infrastructure

Description

The cyber threat to our nation’s critical infrastructure is growing and represents one of the most significant challenges facing the United States. On February 12, 2013, President Obama signed Executive Order 13636, directing the federal government, in conjunction with the private sector, to develop a “Cybersecurity Framework” (hereinafter, “the Framework”). The Executive Order also directed the Secretary of the Treasury to identify and recommend a set of incentives that would encourage critical infrastructure organizations to adopt the Framework. This report is the result of that effort, and its findings may be applicable not only to critical infrastructure organizations but also to a broader group of private sector participants. The report lays out an approach for policymakers to evaluate government incentives in promoting the adoption of the Framework, and then briefly assesses seven potential policy options in areas where the Treasury Department has significant or recent experience. It is not intended to provide an analysis of all available policy options. The report outlines several principles for policymakers to use in assessing the benefits and relative effectiveness of government cybersecurity incentives. Generally, government incentives should be considered when private market incentives are insufficient to provide an appropriate level of cybersecurity. Ideally, these incentives should: (i) be appropriately tailored and scaled to the magnitude of the under-investment in cybersecurity; (ii) protect taxpayers by being cost-effective while still achieving the policy objectives; (iii) adjust to changing circumstances and the availability of new information; (iv) be coordinated, so as not to duplicate other incentives; and (v) motivate private sector entities to expend their own resources to further protect their critical infrastructure assets.
The report then applies these principles to the seven policy options identified below to assess their relative effectiveness as a government incentive. It describes the advantages and disadvantages of each policy option and attempts to evaluate the extent to which each would incentivize critical infrastructure organizations to improve cybersecurity. It also attempts to gauge the extent to which each policy option would encourage critical infrastructure organizations to voluntarily adopt the Framework, including whether additional legislation would be required. Engagement with critical infrastructure stakeholders, through formal comment letters and more informal panel discussions, helped to inform these findings. Of the seven policy options that were evaluated, Treasury identified an initial set of five that warrant further consideration as government incentives following the issuance of the preliminary Framework. Although these policy options generally adhere to the principles above, full assessment of whether they could be effective incentives for encouraging adoption of the Framework must take place with reference to the terms of the Framework itself.
