New incentives are needed, he said, because "right now, all the incentives favor the attackers."
The new paper features some ideas that ISA and other groups have talked about in the past, but it offers new analysis and details about some proposals, Clinton said. In addition, the paper represents a "broad consensus" from the five well-known groups, he added.
The paper suggests that the U.S. government could use several incentives to help private companies pump up their cybersecurity efforts. Incentives could include tax breaks, grants, lawsuit liability protections, or eased regulatory obligations, the paper said. The best approach would be a "menu" of incentives, the paper said.
"The R&D tax credit may be the most attractive option for an IT security vendor, while a defense firm may be more interested in procurement options, an electric utility in a streamlined regulatory environment, or an IT-user enterprise in an insurance discount and risk transfer," the paper said.
The paper echoes the Obama cybersecurity plan in talking about approaching cybersecurity with a risk management perspective. But government and private companies will have different approaches to risk management, Clinton said.
A retail store may lose 10% of its inventory to theft, but may realize that it costs more to significantly reduce theft, Clinton said. Government, with a broader focus on protecting U.S. interests, can't take that approach, he said.
Both sides need to recognize the differing perspectives, he added. "There is not one correct statement of what the risk is," he said. "We realize that it may be necessary for industry to move much more toward the government's conceptualization of risk because industry and government are operating on the same Internet."
The paper also recommends a new national cybersecurity research and development plan, with priorities set by the government and private industry. An R&D plan should balance short- and long-term objectives, the paper said.