We believe Congress should adopt a menu of voluntary incentives to encourage private companies to improve cybersecurity. Some incentives may have a cost and would have to be offset. Others do not. However, incentives should be largely voluntary, recognizing that most critical infrastructures are privately owned. Many of these incentives could also be utilized by companies that do not own critical infrastructures. We also have to recognize that different companies and sectors will need different incentives – one size does not fit all. Committees should evaluate incentives that will be effective within.
