From: Politico

By TONY ROMM

The Obama administration has weighed whether to back tax breaks, insurance perks and other legal benefits for businesses that make meaningful improvements to their digital defenses.

Those incentives — considered in May and not yet final — would aim to entice power plants, water systems and other forms of critical infrastructure to adopt the voluntary cybersecurity standards that the government and industry are drafting in response to President Barack Obama’s executive order.

The Department of Homeland Security first raised the ideas in a May 21 presentation, labeled “preliminary,” which POLITICO obtained last week. DHS declined to comment on its report, and an Obama administration official cautioned that the presentation is a “snapshot in time” — and that it only “reflects some preliminary analysis.”

Still, businesses could find much to like in the proposed perks. They include limited protections from legal liability, for example, and new tax incentives for companies — presumably for demonstrating good cyber behavior.

But many of the incentives suggested in the presentation could require action by Congress, which failed repeatedly to approve any cybersecurity legislation last year.

Speaking Thursday, a top DHS cybersecurity official indicated to House lawmakers that nothing is final. “We’re still having conversations,” said Robert Kolasky, director of the agency’s Implementation Task Force, when asked about details of the unreleased presentation.

In the absence of a strict cybersecurity law, the president’s 2013 executive order relies heavily on industry cooperation. It tasks DHS and the National Institute for Standards and Technology to work with businesses on a security framework that Obama hopes companies will choose to implement of their own volition.

To spur adoption, though, the administration is evaluating potential legal and market incentives. The president’s order relies on top federal agencies, including DHS and the Treasury Department, to help figure out what the White House can offer both with and without the help of Congress.

Those early recommendations had to be submitted to the administration last month, and the White House’s final report is forthcoming.

But the May 21 briefing from DHS — fashioned as an economic analysis — at least sheds some light on what’s under consideration.

The 12-page document includes incentives familiar to those who followed the legislative debate last year — including limited lawsuit protection for participating companies.

A more recent idea reflected in the report: cybersecurity insurance. Companies adopting the government’s cybersecurity standards could get insurance breaks, some experts have long believed, or they could point to the standards as evidence that they’re following best practices.

The DHS document doesn’t specify how, exactly, it hopes to catalyze, then leverage that fledgling cyber insurance market, but the analysis does suggest that any insurance-focused changes be incorporated as part of “new legislation.”

At the very least, federal officials have been publicly warm to the idea. Asked about cybersecurity insurance during Thursday’s congressional hearing, Kolasky said the administration believes “the best incentives are market-based incentives.” And he added explicitly that the agency is “very much in favor of the cybersecurity insurance market.”

Other items on the list include “procurement considerations,” including “cybersecurity in rate base for price-regulated industries” and “prioritized technical assistance,” but those possible incentives are not defined — and it’s not clear whether the administration is still considering them.

The White House declined this week to discuss any of the proposals. One official, however, emphasized the Obama administration is not writing legislation for Congress.

But the document itself illustrates the paradox of the cybersecurity debate. On one hand, the president’s executive order relies on voluntary standards because lawmakers couldn’t approve anything with mandates. However, the most highly sought perks — especially liability protection — also depend on Capitol Hill if the White House actually seeks to woo the broadest base of participants.

For now, the White House has not officially unveiled any new guidance on incentives. DHS indicated in its May report it would provide an updated analysis later in the summer, and the agency communicated its intentions to industry during at least one June workshop.