
COMMENTARY: Cybersecurity as a Public Good: The Market Failure Behind America’s Digital Defense

Navtej Singh Kathuria, University of Illinois at Urbana-Champaign

The United States is engaged in deep and fierce battles over education, healthcare, immigration and international engagement, yet both the Biden and Trump administrations have embraced an undeniable truth: cybersecurity is tantamount to national security. In May 2021, President Biden signed Executive Order 14028 in response to the Colonial Pipeline (and other) ransomware attacks, defining a sweeping mandate to reform and update federal cybersecurity practices. Unlike many other Biden-era directives, this order has not been altered, reversed, or diluted by the Trump administration, a unique point of policy continuity. The reason is quite simple: cybersecurity is a matter of national economic and strategic survival, and the US government has a significant stake in the protection of the private sector.

At present, roughly 85% of national critical infrastructure (as defined by the Department of Homeland Security) is privately owned and operated. These systems include telecommunications, financial networks, energy grids, and healthcare services, which serve as the backbone of everyday American life. As these systems rapidly digitize, they become increasingly susceptible to adversarial cyberattacks. The government cannot remain passive on private sector cybersecurity: a data breach or ransomware attack at a hospital or gas pipeline has the same systemic impact as a bridge collapsing or a city lacking clean drinking water.

From an economic perspective, cybersecurity effort fits the profile of a public good, generating positive externalities that benefit society at large. When a private firm strengthens its digital defenses, it reduces the probability of disruption not only for itself but also for its customers, its suppliers and other connected firms. The benefits create an obvious spillover effect, yet the cost is borne entirely by each individual organization. The result of this mismatch is an evident market failure: firms make the rational choice to underinvest in their own cybersecurity because they cannot capture the full value of their action. The real-world impact can be seen in the severity and extensive damage done by a multitude of devastating cyberattacks.

The US government has witnessed this effect firsthand, especially over the past five years. In 2020, the SolarWinds breach, which was determined to have been perpetrated by an Advanced Persistent Threat group acting on behalf of the Russian government, single-handedly impacted over 18,000 organizations across both the private and public sectors. Among those impacted were several federal agencies, major technology firms, and critical energy companies. In 2021, the Colonial Pipeline attack crippled the fuel supply chain on the East Coast, leading to millions of dollars in economic disruption in addition to the regional fuel shortage. In both cases, a single point of failure caused cascading impacts far larger than the initial compromise. The economics are evident: underinvestment in cybersecurity not only reduces the positive externality, but creates a negative one.

Cybercriminals don’t discriminate by company size, but the defenses in place do: a significant and dangerous gap emerges among the small and medium enterprises (SMEs) that simply lack the funding to defend themselves. A study from Accenture found that 43% of cyberattacks in the United States are aimed at SMEs, yet only about 14% are adequately set up to defend themselves. Most of these businesses are slow to adopt the latest technology, especially in the healthcare, logistics, and agriculture sectors, in part due to their thin (and thinning) margins. Although they operate critical national infrastructure, many of these firms cannot afford a Chief Information Security Officer, let alone a full-time cybersecurity staff.

The government has not been entirely apathetic to this cause: EO 14028 was a significant step in the right direction for federal infrastructure, and CISA (the Cybersecurity and Infrastructure Security Agency) has begun to offer free cybersecurity tools and services to third-party firms that support federal or local critical infrastructure. These programs function as implicit subsidies for a broad set of firms, especially those that lack the ability to develop their own defenses. However, given the clear market failure, it behooves the government to develop explicit private sector subsidies. There are numerous ways this could manifest; three of the most compelling are:

  • Cyber Hygiene Tax Credit: the federal government would offer tax incentives to SMEs to adopt and maintain industry-standard security best practices, rewarding firms for new as well as continued compliance; this program would mirror the existing credits issued to companies for energy efficiency and R&D
  • Cyber “Starter Kits” for Critical Sectors: a federally funded program that gives firms operating in critical sectors access to a “plug-and-play” cybersecurity toolkit, lowering the technical barrier to enterprise-grade security techniques; analogous to PPE distribution during COVID-19, a “digital PPE for SMEs”
  • Accelerated Depreciation for Cyber CapEx: an IRS rule that creates an accelerated depreciation track for cybersecurity infrastructure so that businesses can write off 100% of cyber expenses in Year 1, encouraging immediate adoption of new standards and reducing the net cost of security investment; similar to the existing tax treatment under IRS Section 179

The economic logic is airtight: cybersecurity investment creates significant spillover benefits that, without government support, firms cannot fully capture. Public investment is critical to correct the market and to protect systems that are fundamental to the American way of life. Importantly, these subsidies would avoid the common problem of crowding out private development, because they would simply unlock new security investment in segments of the market that were historically priced out.

The US government’s role in subsidizing cybersecurity investment is not only justified, it is essential. The political will exists, given the overwhelming bipartisan support, and the economic rationale is obvious. It is in the interest of the nation to act with urgency rather than wait for the next major breach or attack. When private sector security protects public sector stability, public investment isn’t optional; it’s a necessity.
