Farewell, Federal Cybersecurity Incentives?

Administration Takes Private Sector Incentives Off the Table, While Obama Calls for $14 Billion in FY 2016 Budget to Strengthen Government’s Cybersecurity Efforts

The White House’s Cybersecurity Coordinator Michael Daniel announced on Monday that the government will not offer incentives for private sector businesses to adopt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Instead, Mr. Daniel declared that the free hand of the market is the best means to encourage the private sector to adopt NIST’s voluntary cybersecurity measures to better guard against cyber risks. Mr. Daniel’s announcement came in response to suggestions made by the departments of Commerce, Treasury, and Homeland Security in 2013 on how to incentivize private companies to adopt the NIST Framework. While Mr. Daniel did give mention to some of these methods, he plainly stated that “we [in the Administration] believe that the market offers the most effective incentives for the private sector to adopt strong cybersecurity practices” and that “developing a government program to award a ‘seal of approval’ would likely reduce the flexible use of the Framework.”

Curiously, Mr. Daniel’s announcement came the same day that the White House also released President Barack Obama’s proposed Fiscal Year 2016 Budget, that seeks Congressional approval of $14 billion in funding to support and strengthen the federal government’s cybersecurity efforts. The President’s Budget calls for a number of strategic federal investments in the cybersecurity space, including $149 million in private sector outreach. It is unclear whether any of the $149 million earmarked for private sector outreach would be spent to encourage private entities to adopt NIST’s Cybersecurity Framework. However, there does seem to be a slight disconnect between the Administration’s stated goal of improving the nation’s cybersecurity bulwark on the one hand – coupled with large appropriations proposals for federal cybersecurity resources – while, on the other, telling private businesses that are part of the country’s critical infrastructure to find their own incentives for avoiding the “growing [cyber] threat domestically and globally.”