A Cyber Security Social Contract? ISAlliance Proposes a New Way Forward

The Internet Security Alliance (ISAlliance) is proposing a new model for protecting and defending critical technology systems and information.  These policy recommendations for the Obama Administration and the 111th Congress are called "The Cyber Security Social Contract."

In a 44 page document, the ISAlliance covers a broad range of issues ranging from defense to banking to higher education. The six page executive summary includes the following items:

- Overview of The Problem

- Government Must Embrace Some Inconvenient Truths

- The Cyber Security Social Contract

- Why the Internet is Different

- Why the National Strategy is Not Working

- Why the Regulatory Models Won't Work

- The Good News - We Do Know What Works

- Core Components of the Cyber Security Social Contract

I want to highlight the central piece of the Internet Security Alliance approach - the social contract. ISAlliance's model is based upon the agreement between government and the utilities in the early 20th century to provide phone, power and light service to Americans. Here's an excerpt: 

"The utilities guaranteed to make the infrastructure upgrades necessary to provide universal service. In return, government essentially guaranteed a return on the required private investment economically sufficient to make the investments good business decisions. The utilities maintained the investments over time because they were also provided exclusive franchises for the service area."

The report goes on to describe why voluntary approaches and regulatory models are not working. The report offers several excellent solutions and lays out proposed government roles, business roles and incentives for businesses that implement best practices.   

My response - I like the Internet Security Alliance proposal. We do need to move in this direction. I certainly encourage you to read their full report. 

Although these recommendations are far-reaching, my only criticism is that that they may not go far enough. We also need a social contract regarding cyber ethics with all Americans. The conduct of each person online is actually our weakest link. I offer an outline for a new national strategy on cyber ethics in the appendix of my book, Virtual Integrity. Just as we do for emergency preparedness,  we must engage individuals, families, non-profits, K-12 schools - as well as universities, businesses and the others mentioned in this plan.

Bottom line: We do need to take bold action. This social contract is a good idea.

What are your thoughts?