Cybersecurity carrots and sticks

Abstract

In an unsustainable trend, each year is touted as the worst on record for data and system breaches. 2020's dubious top distinction was exceeded across numerous metrics in 2021, and 2022's numbers set another unwanted record. The growing epidemic of ransomware, data breaches, and cyber-enabled attacks pushes policymakers and business leaders to consider what can be done to reverse the cyber-insecurity spiral. Amidst the current cybersecurity landscape fraught with regulatory gaps, dependence on self-regulation, and resource constraints of small- and medium-sized businesses, policymakers should seize opportunities to reward reasonable cybersecurity postures and disincentivize underinvestment in cybersecurity best practices. Bold and coordinated actions are needed to dislodge the unsustainable trend of increasingly damaging cyberattacks, and to create a more holistically secure digital future. To move the needle toward a more robust cybersecurity ecosystem, this article proposes an incentive-based strategy that breaks the mandate-versus-self-regulation dichotomy, leveraging a carrots and sticks tax approach to spur stronger cybersecurity postures across the ecosystem. Such proposal outlines a framework for a Federal Cybersecurity Investment Tax Credit, tailored and mapped to select entity types, combined with a cyberinsecurity tax, thus promoting the principle that businesses have basic cybersecurity responsibilities and fundamental duties to operate securely in a digital society. In addition, this article introduces supplementary tools as part of an enhanced cybersecurity tax policy toolkit. Given pressing national and global cyber risks, this article continues a long-standing conversation about the operative use of tax policy as part of a holistic approach to reaching a secure and sustainable digital future.