A New Cyber Information Sharing Tax Credit Would Incentivize Critical Infrastructure Businesses to Join Information-Sharing Organizations to Strengthen Their Cyber Security
On the tenth anniversary of the release of the 9/11 Report last week, the report’s authors outlined current threats to our national security in a document called “Reflections on the Tenth Anniversary of The 9/11 Commission Report.” The authors – members of the original 9/11 Commission – concluded that the country now has “a September 10th ability to guard against cyber-attacks.”
In response to this assessment, Senator Gillibrand introduced the Cyber Information Sharing Tax Credit Act, new legislation that would address critical cyber security vulnerabilities and incentivize businesses of all sizes to join sector-specific information sharing organizations, known as Information Sharing and Analysis Centers, or ISACs. The bill would provide refundable tax credits for all costs associated with joining the ISACs.
“Businesses should take the same precautions to defend their data as they do with their buildings and inventory. Just as they purchase insurance and security systems, they should enter into agreements with information sharing organizations to help defend against cyber-threats,” said Senator Gillibrand. “From financial institutions and health care systems, to our electric grids and grocery stores, we are losing billions of dollars and putting our critical infrastructure at risk because of inaction. We must do more to strengthen our defenses online, and information sharing among businesses is a critical step that must be taken.”
The authors of the 9/11 report identified domestic cyber readiness as one of the five most pressing national security issues facing the country. The report highlights that senior leaders were “uniformly alarmed by the cyber threat to the country,” comparing current policies to “September 10th levels.” The report also states, “One lesson of the 9/11 story is that, as a nation, Americans did not awaken to the gravity of the terrorist threat until it was too late. History may be repeating itself in the cyber realm.”
The Cyber Information Sharing Tax Credit Act would incentivize information sharing about security vulnerabilities, and would also facilitate the dissemination of sector-specific cyber protection. The bill would encourage this through a refundable tax credit for any business that joins an ISAC. The refundable tax credit would cover personnel participation costs, product and service costs directly related to sharing information with the ISAC, as well as other costs reasonably associated with participation.
Membership in an ISAC will give a small business access to real-time alerts about ongoing cyber threats to its systems, or newly discovered vulnerabilities in its networks that hackers might exploit, along with technical advice on how to protect against these attacks and eliminate those vulnerabilities.
Over the last decade, there have been almost four thousand separate security breaches, comprising over half a billion records containing sensitive personal information, many of which have led to identity theft and other crimes. The financial sector alone has experienced 250 attacks since 2011. With lost records costing an average of $188 per record, the potential U.S. losses add up to $112 billion since 2005.
Further, recent reports have outlined how foreign actors infiltrated the NASDAQ stock exchange through the use of malware. While there appeared to be minimal data loss, this instance highlights how vulnerable global financial systems are to cyber-attacks. Another report outlined how a “sophisticated threat actor” gained access to an unnamed U.S. utility. The Department of Homeland Security report warns of inadequate protection and, “as tools and adversary capabilities advance, [they] expect that exposed systems will be more effectively discovered, and targeted by adversaries.”
A spring 2014 report by the New York State Department of Financial Services (DFS) identifies sector-specific information sharing “as a key component of an effective cybersecurity framework.” The report also points out that there is a significant disparity in participation between large and small businesses, “with more than 60% of large institutions reporting an ISAC membership as compared to only 25% of small institutions.”
In a speech to financial industry leaders in July 2014, Treasury Secretary Jack Lew reiterated the importance of information sharing. He pointed to the 2012 attacks by state actors on American financial institutions, and how actions by state actors could cause a significant disruption of the financial system.