Back when I testified with the L0pht to the Senate in 1998 we suggested the government use incentives as a way to get businesses to improve their security. The Senate was Republican controlled at the time and even we political newbies knew that regulation was going to be a non-starter. We also proposed that the government use its purchasing power to require the vendors it buys from to have good security.
Today, the Obama administration is proposing lower taxes, liability protection, and insurance discounts to help improve security. Insurance discounts are an interesting addition to the mix. We are all familiar with safe driver and alarm system discounts for cars. The same could be applied to businesses. The safe driver is akin to having properly trained people and following the correct security policies. Alarm systems are much like having the correct security technology installed and functioning properly. Cybersecurity for an organization is much more complex than a driver in a car, and car insurance is mandated in most states while cyber insurance is not, but insurance discounts could still be a good incentive.
I would like to see the topic of using the government's buying power to incent vendors to build security into the software development process raised to the level of the tax, insurance, and liability incentives. There could even be a tie-in with the insurance incentives. Many people don't know that Underwriters Laboratories (UL) was founded by insurance companies. The companies wanted to incent their customers with lower fire insurance rates if they installed fire safety equipment such as sprinkler systems, fire extinguishers, and fire doors. But what if customers gamed the system and bought substandard fire doors that didn't really work? So UL was created to rate fire doors so that the insurance company knew the equipment would actually help protect the buildings it was insuring. Only UL-listed products earned the discount.
Like the car insurance to cyber insurance analogy, a cyber UL would have limitations compared to the UL we know today, but the basic concept is there. Products that meet certain security standards would be acceptable to purchase and would earn the insurance discount.