With regard to privacy, regulators are empowered to impose fines on underperformers. Shouldn't that also be the case for cyber risk in general? Somehow the ethics and economics of cyber risk follow a different path. The regulatory imperative that acts as an incentive for improvement in many sectors seems to be non-existent when it comes to cyber risk. One might say that we need more incentives to mature the analysis of cyber risk. Initiatives in that area can come from governments or can be triggered by public opinion.
One encouraging initiative is CyberGreen(1). This global community measures cyber health and makes a serious effort to improve it. CyberGreen shows which countries cause the most pollution on the internet, in the form of botnets and the spreading of viruses. Countries that actively prosecute hacking and cooperate on other cyber-risk initiatives get better scores. Its website shows an index that indicates how countries perform. The goal is to arrive at joint agreements. Like the CERT initiatives in insurance, banking and healthcare, CyberGreen is a nonprofit organization.
As a collaborative organization, CyberGreen has a limited mandate and limited means of persuasion. Nevertheless, it can influence public opinion, and that is likely to prompt governments to take action to improve their country's rating.
The impact of an incident can take the form of negative publicity, direct and indirect damage, or a fine from a regulator. A major lesson from the practical examples so far: don't try to cover up. An organization that doesn't come clean to the outside world after an attack may see the confidence of shareholders and customers evaporate in an instant. Think of what happened to Equifax. Somehow the idea persists that your reputation will suffer if you have to admit that your company has been attacked. Yet the fact that you have been hacked says nothing about the quality of your security. Companies such as Gemalto and ASML immediately came forward about what had happened and who was behind the attack, and explained that things were under control again. If you can do that, you demonstrate both good leadership and effective security.
The incentive for leading companies to become "cyber green" is obvious. But how do you motivate small and medium-sized businesses? Financial incentives still have the greatest effect. So why not incentivize organizations to improve their cyber-risk efforts through tax reduction? A government could impose a cyber tax that varies according to a company's cyber-risk performance.
Governments could perhaps get a reduction on their NATO contribution, their EU membership contribution (for European countries) or any other international fee, depending on their CyberGreen rating. As always, this requires leadership and vision.
Are there perhaps smarter ways to invest our money via tax reduction?
The government invests millions in the growth of our cyber security sector. Many millions of euros go to research and development of techniques and methods to make the Netherlands more resilient to the risks of cyber-attacks. This raises the question whether enough techniques and methods have not already been developed. According to the Potomac Institute's cyber readiness report on the Netherlands(2), we have many initiatives but little leadership, coordination or alignment of benefits. So why not spend our government money the other way around, on rewarding companies that actually use the existing methods and techniques? That would demonstrably make the Dutch economy more resilient to risk and give the economy a boost at the same time. Two birds with one stone.
Businesses are currently insufficiently able to protect themselves properly against cyber threats. The question therefore arises whether pouring the proposed millions into research is the right form of financing to help the Netherlands cope with the cyber crisis. Should we not do what the food-processing chain did in the 1970s and introduce a HACCP-like standard for "cyber-resilience"? Carrying such a standard could confer certain privileges. For example, an organization would only receive a Chamber of Commerce registration or corporate financing if it meets a defined cyber-resilience level or standard: a quality mark. Such cyber "due diligence" would cause more than 60% of Dutch companies to fail their first exam and thus be "out of business."
Greater resilience is needed to better protect our economy and to grow at the same time. Investing in yet more new methods and techniques therefore doesn't seem to be the solution. The solution should rather be sought in rewarding companies that raise their level of resilience. We may have to opt for tax cuts for companies that demonstrably make progress in their cyber-resilience. After all, these companies make less use of our judicial system. As a result, the €50 million in extra spending on a "cyber army" could perhaps also be used for tax deduction schemes.
Reward organizations, such as municipalities, that are struggling with the implementation of government cybersecurity policy (for example, the mandatory DigiD audits in the Netherlands(3)) while their government funding is cut back. Reward these municipalities instead of punishing them by closing down their digital citizen services. Reward Dutch companies that actively share experiences and knowledge with other companies about incidents, attacks and hacks, and about what they did in response. Promote whistleblowers, and consider the role of insurers. Can digital security become part of insurance agreements in which organizations and companies are encouraged to take preventive measures? Could economic incentives be built in to counter lax and irresponsible behavior?
For years there have been organizations and institutions that make the resilience of organizations measurable and thus demonstrably improvable. Why does the government not link a reward mechanism to a demonstrable increase in resilience, for example a tax reduction or an advance deduction? That would give substance to the motto "the government can't do it on its own" through entrepreneurship, letting tax money circulate from the government to companies and back again by rewarding organizations. All this instead of (over)regulation, more cyber agents who tell corporate Netherlands how to do it, and big research reports and policies that are rarely read and quickly become outdated because of the swift changes in the cyber world.
2 The Potomac Institute for Policy Studies is an independent, nonpartisan, not-for-profit science and technology (S&T) policy research institute (https://www.potomacinstitute.org/academic-centers/cyber-readiness-index). Its view on Dutch initiatives is published at: https://www.thehaguesecuritydelta.com/media/com_hsd/report/139/document/CRI-Netherlands-Profile-PIPS.pdf
3 DigiD: the central identification and authentication system of the Dutch government.