White House Advisory Team Backs Cybersecurity Tax Incentives
NSTAC Report Calls for Federal Cybersecurity Tax Deductions and Financial Grants
The federal government should extend tax incentives to critical infrastructure owners and operators as part of an effort to drive enhanced cybersecurity, a White House advisory board recommended Thursday.
The president's National Security Telecommunications Advisory Committee approved a report that calls on the administration to "make recommendations on impactful financial incentives," such as tax deductions and federal grants, "for organizations that adopt appropriate cybersecurity best practices."
The report also warns that current market forces are "insufficient" to incentivize the adoption of cybersecurity best practices and standards as evidenced by "the continued drumbeat of significant cyber incidents" across critical infrastructure sectors.
"Market forces are not designed to reach a level of cybersecurity commensurate with goals of the administration and NSTAC with regard to national security and emergency preparedness," the report says. "The gap between what markets naturally provide and what national security and emergency preparedness require is increasingly problematic."
Technology trade groups and cybersecurity experts have long called for financial incentives to help drive the implementation of new cybersecurity standards, but proposals differ on how to best encourage industries to prioritize cybersecurity investments. A white paper published in 2011 by the U.S. Chamber of Commerce, the Center for Democracy and Technology and other industry groups urged the federal government to focus on cybersecurity incentives over mandates, warning that "a more government-centric set of mandates would be counterproductive to both our economic and national security."
In April 2023, the Federal Energy Regulatory Commission approved a rule allowing utility companies to include cybersecurity spending as part of their calculation for settling rates. FERC acting Chairman Willie Phillips said at the time that financial incentives must accompany federal mandates "to encourage utilities to proactively make additional cybersecurity investments in their systems."
While the FERC rule allows utilities to recover cybersecurity expenses through customer rates, the NSTAC model suggests providing tax incentives upfront so critical infrastructure operators pay less when they spend money on enhanced cybersecurity standards.
NSTAC did not respond to questions about which cybersecurity expenses would count as deductible expenditures or how critical infrastructure owners and operators would document and justify those payments. The report also did not indicate whether certain organizations - such as small and medium-sized critical infrastructure entities - would receive additional financial incentives to implement improved cybersecurity standards under the NSTAC framework.
The report did recommend that the Office of the National Cyber Director coordinate with the Cybersecurity and Infrastructure Security Agency and other federal cyber authorities to develop a nationwide education and outreach program targeting resource-poor small and medium-sized critical infrastructure providers. The goal of the outreach program is "to significantly increase the use of the many free services" offered by CISA and other agencies, according to NSTAC.
NSTAC also encouraged the administration to establish virtual national cyber academies that offer free training in exchange for services and to launch a mobilization campaign to recruit retired computer security professionals to support a "cyber corps" for small businesses. The report also calls on the president to direct CISA to identify "highly effective security use cases" for artificial intelligence and machine learning systems to help organizations deploy those tools using cloud infrastructures.