- Participants explained that ensuring accountability in cyberspace requires effective reporting of cyber security incidents. Given that most cyber infrastructure is owned and operated by the private sector, there was discussion of how toincentiviseindustry to report cyber security incidents and patterns of suspicious behaviour to appropriate authorities, and to assume more responsibility for cyber security beyond the protection of critical national infrastructure.
- There was also discussion of how to incentivise private actors to share resources and work better with regional organisations. A key theme emerging from this discussion was that the private sector needs to be incentivised to be proactive rather than reactive in addressing cyber threats and insecurity. One participant gave the example of the considerable cyber security benefits that have come from the introduction of multifactor authentication by Google and Microsoft. The question now is: how can instances of best practice be rolled out across the private sector and how can States encourage and support this process? Some participants explained that there needs to be a mixed methods approach to incentivisation. They suggested that negative incentives – through the passing of laws and regulations and the imposition of sanctions – can work and may be necessary, but that they can also be a blunt instrument and so positive incentives should be developed. Some participants identified a range of positive incentives that can be drawn on to galvanise the private sector into action: (i) economic incentives: only working with private actors that are trustworthy; (ii) market incentives: assisting trusted, private actors to access lucrative markets; and (iii) social incentives: championing companies who contribute to an open, peaceful and secure cyberspace.
