IT industry calls for consistent global cybersecurity policies
IT industry associations representing Japan, Europe and the United States have agreed on a set of principles they hope can guide governments in establishing coherent, interoperable cybersecurity policies.
“We want to make sure governments approach cybersecurity in a way that provides security and also protects innovation,” said Danielle Kriz, director of global cybersecurity policy for the Information Technology Industry Council, which is based in the United States.
The recommendations also were approved in Brussels on June 21 by the Japan Electronics and Information Technology Industries Association and DigitalEurope.
Kriz said the principles are foundational and common sense. “I don’t think there is anything surprising or controversial about them.” The goal is to create a common cybersecurity policy landscape, rather than a balkanized approach. “We build globally and we sell globally, and we want cybersecurity to be global,” she said.
The 12 recommendations outline a cooperative approach between government and industry, with an eye toward leaving industry free to innovate and compete without being burdened by overly specific government regulation.
Kriz said government has a critical role to play in cybersecurity and that a partnership with industry is necessary. Although the private sector produces the hardware and software and operates the systems that make up the global cyber infrastructure, many elements of cyber risk are out of industry’s hands, she said. “Our interests are fundamentally aligned.”
Although it generally is agreed that a public-private partnership is needed to adequately secure cyberspace, debate and disagreement over the exact nature of the partnership have stymied a number of cybersecurity bills now pending in the U.S. Congress.
Many Republicans favor a more hands-off approach focusing on voluntary cooperation and information sharing, while bipartisan legislation that has the support of many Democrats calls for establishing mandatory standards of security for privately owned critical infrastructure.
Kriz said her organization is working with Congress to get legislation passed. “There is so much Congress can do,” she said. ITI would like to see increased federal funding for cybersecurity research and development, better sharing of information between industry and government, a national data breach law to replace multiple state laws, reform of the Federal Information Security Management Act and new criminal laws specifically addressing online crime.
The principles offered by the industry groups are:
- Develop cybersecurity policies in a transparent manner and with relevant stakeholder input.
- Enable risk management and innovation, recognizing that the private sector can best manage and protect its networks and services through market forces, corporate responsibility, and ethical standards.
- Encourage the development and use of globally recognized, industry-led, voluntary consensus security standards, best practices, assurance programs and conformity assessment rules.
- Ensure the use of global standard tests and certifications.
- Ensure that cybersecurity requirements are technology-neutral.
- Ensure that cybersecurity requirements allow procurement regardless of the country of origin or the nationality of the vendor.
- Ensure that cybersecurity requirements do not require transfer or review of intellectual property such as source code.
- Limit prescriptive requirements to specific sensitive areas such as government intelligence and military networks.
- Strengthen institutions and develop contingency plans and cybersecurity strategies. Governments should have their own strong, stand-alone institutions, such as Computer Emergency Readiness Teams, to ensure effective cybersecurity.
- Focus on criminals and their threats, responding domestically and internationally, working in cross-border partnerships when possible and appropriate.
- Focus on education and awareness.