July 23, 2013

Government Has Power to Improve Security With Incentives

Back when I testified with the L0pht before the Senate in 1998, we suggested that the government use incentives as a way to get businesses to improve their security. The Senate was Republican controlled at the time, and even political newbies like us knew that regulation was going to be a non-starter. We also proposed that the government use its purchasing power to require the vendors it buys from to have good security. Today, the Obama administration is proposing lower taxes, liability protection, and insurance discounts to help improve security.

Insurance discounts are an interesting addition to the mix. We are all familiar with safe driver and alarm system discounts for cars, and the same could be applied to businesses. The safe driver is akin to having properly trained people who follow the correct security policies. Alarm systems are much like having the correct security technology installed and functioning properly. Cybersecurity for an organization is much more complex than a driver in a car, and car insurance is mandated in most states while cyber insurance is not, but insurance discounts could still be a good incentive.

I would like to see the topic of using the government's buying power to incent vendors to build security into the software development lifecycle raised to the level of the tax, insurance, and liability incentives. There could even be a tie-in with the insurance incentives. Many people don't know that Underwriters Laboratories (UL) was founded by insurance companies. The companies wanted to incent their customers with lower fire insurance rates if they installed fire safety equipment such as sprinkler systems, fire extinguishers, and fire doors. But what if customers gamed the system and bought substandard fire doors that didn't really work? So UL was created to rate fire doors, so that the insurance company knew a listed door would actually help protect the buildings it was insuring. Only UL listed products earned the discount.
Like the car insurance to cyber insurance analogy, a cyber UL would have limitations compared to the UL we know today, but the basic concept is there: products that meet certain security standards are acceptable to purchase and would earn the insurance discount.

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
