IT industry calls for consistent global cybersecurity policies

IT industry associations representing Japan, Europe and the United States have agreed on a set of principles they hope can guide governments in establishing coherent, interoperable cybersecurity policies.

“We want to make sure governments approach cybersecurity in a way that provides security and also protects innovation,” said Danielle Kriz, director of global cybersecurity policy for the Information Technology Industry Council, which is based in the United States.

The recommendations also were approved in Brussels on June 21 by the Japan Electronics and Information Technology Industries Association and DigitalEurope.



Kriz said the principles are foundational and common sense. “I don’t think there is anything surprising or controversial about them.” The goal is to create a common cybersecurity policy landscape, rather than a balkanized approach. “We build globally and we sell globally, and we want cybersecurity to be global,” she said.

The 12 recommendations outline a cooperative approach between government and industry, with an eye toward leaving industry free to innovate and compete without being burdened by overly specific government regulation.

Kriz said government has a critical role to play in cybersecurity and that a partnership with industry is necessary. Although the private sector produces the hardware and software and operates the systems that make up the global cyber infrastructure, many elements of cyber risk are out of industry’s hands, she said. “Our interests are fundamentally aligned.”

Although it generally is agreed that a public-private partnership is needed to adequately secure cyberspace, debate and disagreement over the exact nature of the partnership have stymied a number of cybersecurity bills now pending in the U.S. Congress.

Many Republicans favor a more hands-off approach focusing on voluntary cooperation and information sharing, while bipartisan legislation that has the support of many Democrats calls for establishing mandatory standards of security for privately owned critical infrastructure.

Kriz said her organization is working with Congress to get legislation passed. “There is so much Congress can do,” she said. ITI would like to see increased federal funding for cybersecurity research and development, better sharing of information between industry and government, a national data breach law to replace multiple state laws, reform of the Federal Information Security Management Act and new criminal laws specifically addressing online crime.

The principles offered by the industry groups are:

  • Develop cybersecurity policies in a transparent manner and with relevant stakeholder input.
  • Enable risk management and innovation, recognizing that the private sector can best manage and protect its networks and services through market forces, corporate responsibility, and ethical standards.
  • Encourage the development and use of globally recognized, industry-led, voluntary consensus security standards, best practices, assurance programs and conformity assessment rules.
  • Ensure the use of global standard tests and certifications.
  • Ensure that cybersecurity requirements are technology-neutral.
  • Ensure that cybersecurity requirements allow procurement regardless of the country of origin or the nationality of the vendor.
  • Ensure that cybersecurity requirements do not require transfer or review of intellectual property such as source code.
  • Limit prescriptive requirements to specific sensitive areas such as government intelligence and military networks.
  • Strengthen institutions and develop contingency plans and cybersecurity strategies. Governments should have their own strong, stand-alone institutions, such as Computer Emergency Readiness Teams, to ensure effective cybersecurity.
  • Focus on criminals and their threats, responding domestically and internationally, working in cross-border partnerships when possible and appropriate.
  • Focus on education and awareness.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Jul 5, 2012 MargaretBartley Seattle

I don't understand how companies (and countries) that buy chips and computers manufactured in China, and core software developed by outsourced teams in India, Russia, China and Eastern Europe, can even begin to talk about "security". For twenty years, Europe and the US have been transferring their high-tech sectors to Asia and Eastern Europe. NOW they act all concerned about security? This has been in the works for decades, and is part of an unfolding, deep-seated social change. The concern about security plays well with technically incompetent bureaucrats and politicians, but is really a cover story and excuse for a panopticon society where everyone, in the name of "security", is under constant surveillance. Control in the hands of the private sector allows them to avoid compliance with FOIA and other open-government requests.

Sat, Jun 23, 2012 jutebox USA

Cyber security policies are only good if you have ethical people trying to enforce them. The number of white hats vs. black hats is unknown, and there are many grey hats too. The hackers are using our social media (Facebook, Twitter, LinkedIn, etc.) to access any data they need or want. How do we enforce global ethics in the cyber world? Cyber blockades??

Fri, Jun 22, 2012

They should recommend having closer international ties with other global cyber security associations and alliances, i.e. Malaysia's Global Cyber Security Alliance, www.gcsa.org.my
