When it comes to cybersecurity, the government’s role in things is a little uncertain. While requiring businesses to add cybersecurity measures was once tried with things like CISPA—and it didn't work out so well—the government is looking to take another stab at promoting the protection of critical infrastructure systems in private businesses' hands: incentives to bring such measures in place.

Recently, Michael Daniel—cybersecurity coordinator for President Obama—brought out a blog post describing a slate of incentives being considered to offer companies that brought in cybersecurity measures according to the government's standards. Those standards in turn are set to be part of a larger framework of measures that are expected to be in place February of 2014. Some of the incentive set to be offered included a kind of cybersecurity insurance, as well as things like liability limitations—businesses could only be sued in certain cases and for only so much, as a possible example—or even a Federal legal privilege that actually supersedes state requirements of disclosure in exchange for certain security standards put in place. There's even the potential for grants and process preferences to step into the field, offering some substantial potential benefit.

The need for such programs is actually well on the radar for IT professionals; a recent study from Experian Data Breach Resolution and the Ponemon Institute (News - Alert)—which addressed 18.829 professionals in the field—shows that 76 percent of surveyed professionals said that cybersecurity threats actually ranked higher in terms of priority than several other types of disruption including natural disaster. There's also some protection being considered in the field privately, with 31 percent of respondents claiming that some kind of cyber insurance was in place already, and another 39 percent planning to get it in place at some point in the future. That left 30 percent with no such insurance in place and no plans to get it, a pretty big gap in the overall structure and likely where the government is looking in terms of getting some incentives in place.

Naturally, these incentives aren't in place yet, and aren't even completely decided, but the discussions are taking place with an eye toward bringing out a full slate in February. Though it's worth wondering just how much incentive is actually necessary here; with 70 percent of firms either carrying some kind of cyber insurance or planning to in the near term future, much of the field is working to protect itself. Perhaps a more hands-off approach would be viable here, especially considering how much of the field is making a move in that direction. But by like token, this is the kind of thing that's more an all-or-nothing approach—just considering the idea of the power grid is a big step; one plant goes down the whole Eastern Seaboard might go with it—maybe some note of incentive is worthwhile.

It's a difficult issue, sure enough. As is increasingly often the case these days, both sides have a point, and that makes reaching a decision particularly hard. But one way or another, it's looking more like some kind of incentive plan will come into place soon.