CyberEye

Cybersecurity strategy needs a global approach

Federal efforts to create cybersecurity frameworks for government and for critical private infrastructures have had an impact on international views about cybersecurity, says J. Paul Nicholas, Microsoft’s senior director of global security and diplomacy.

“When I meet with customers in other parts of the world, it always surprises me how much they know about FISMA and FedRAMP,” Nicholas said, referring to the Federal Information Security Management Act and the Federal Risk and Authorization Management Program.

But there still is no common template for cyber policies, and various international development efforts are progressing separately. In the United States, the National Institute of Standards and Technology is creating the Cybersecurity Framework, a set of voluntary security recommendations for critical infrastructure. Across the ocean, the European Commission is creating the Network and Information Security Platform. And as nations develop strategies for securing their cyber environments, there is a risk that unaligned policies could create a fragmented or poorly secured global infrastructure.

Some differences among national policies are inevitable, Nicholas said. “Cybersecurity is going to vary country by country,” because each nation faces a unique set of risks and has its own needs. To help create a common foundation on which policies can work together, Microsoft has produced a whitepaper, “Developing a National Strategy for Cybersecurity.” The paper advises focusing on the basics and building on established security best practices, and it recommends that any strategy be:

  • Risk-based
  • Outcome-focused
  • Prioritized
  • Practicable
  • Respectful of privacy and civil liberties
  • Globally relevant

Although the Government Accountability Office has designated federal information security as a government-wide high-risk area since 1997, Nicholas, co-author of the Microsoft paper, praised the progress being made in this country to establish a regulatory regime for cybersecurity, including FISMA.

“FISMA has really been a journey,” and important work is being done under it, he said. “Could it be better? Yes. But it is being fine-tuned to improve risk management.”

NIST has come through in providing guidance in its 800-series of reports on IT security, Nicholas said. Although FISMA and the NIST guidance are aimed at the U.S. government, their influence extends well beyond. “There is a framework and mentality that did not exist 10 years ago. FISMA better enables the U.S. government to have a risk dialog with the private sector. They are able to discuss things with a similar set of experiences.”

This is not to say that FISMA, which is far from perfect, is or should be the model for national strategies. The challenge to come up with some kind of functioning global system for securing cyberspace involves as much diplomacy as technology. “It’s about deciding what needs to be done and how to move forward,” Nicholas said.

Posted by William Jackson on Oct 09, 2013 at 11:39 AM


Reader Comments

Fri, Nov 22, 2013 Don O'Neill

Cyber Security measures are not fully effective, nor are security standards, whether government or industry. The problem is that security experts don't know enough to offer full protection, dampening the incentive for senior executives to pony up the resources to even try. At least Cloud Computing vendors are honest when they refuse to offer Service Level Agreements guaranteeing the protection and safeguarding of proprietary data and information an organization cannot afford to lose. Then there is the role of NIST. Security is all about trust. NIST has been the keeper of trust artifacts. And so it is necessary that NIST be trusted in both word and deed. But is it?
 1. Deed: The NIST encryption incident. 
 2. Deed: The Internet Governance community no longer listens to NIST. 
 3. Word: Will the U.S. domestic Cyber-based industry trust a NIST Cyber Framework advertised as voluntary compliance now that the specter of regulation has been raised?

Thu, Oct 17, 2013 pdarose The Netherlands

@Pierre Quesnel: Well said! All concerned desperately need to take this to the next level and beyond!

Mon, Oct 14, 2013 Pierre Quesnel Ottawa, Canada

It is somewhat concerning that Microsoft, which has never truly shown concern for cybersecurity, as attested by the continued forced openness and vulnerability of its offerings, has deemed it necessary to combine the position of director of global cybersecurity, which of itself warrants a much higher level of attention than simply a director, with that of diplomacy. The combination can only be perceived, rightly or wrongly, as lip service and public relations damage control to what is arguably the single most prevalent and dangerous threat by far to industry and government today. Notwithstanding this, Mr. Nicholas is quite correct in stating that while there is a lot of information available, there is still no real consensus nor even uniformity of approach in dealing with the subject, and he is also quite correct in his advice that not only should any approach begin with the basics but that the ultimate solution must be global in nature. In the current borderless world of international commerce, of telecommunications and of informatics and knowledge-based technologies, it is perhaps naïve to expect governments, who ultimately will always have differing agendas, to take the lead in establishing such a global standard, whereas a corporate-based solution, especially one that would originate from companies that occupy a significant, universal presence in virtually all governments and corporations. That Microsoft at least has a director of cybersecurity is encouraging, but I would submit for consideration that they and Mr. Nicholas, with their unique market presence, now have a responsibility to take the issue to the next level and investigate how to initiate and coordinate the effective development of a global cybersecurity strategy.

Thu, Oct 10, 2013

Putting the fox in charge of the henhouse (original German: "Den Bock zum Gärtner machen") - good joke!!
