Cybersecurity strategy needs a global approach
Federal efforts to create cybersecurity frameworks for government and for critical private infrastructures have had an impact on international views about cybersecurity, says J. Paul Nicholas, Microsoft’s senior director of global security and diplomacy.
“When I meet with customers in other parts of the world, it always surprises me how much they know about FISMA and FedRAMP,” Nicholas said, referring to the Federal Information Security Management Act and the Federal Risk and Authorization Management Program.
But there still is no common template for cyber policies, and various international development efforts are progressing separately. In the United States, the National Institute of Standards and Technology is creating the Cybersecurity Framework, a set of voluntary security recommendations for critical infrastructure. Across the ocean, the European Commission is creating the Network and Information Security Platform. And as nations develop strategies for securing their cyber environments, there is a risk that unaligned policies could create a fragmented or poorly secured global infrastructure.
Some differences among national policies are inevitable, Nicholas said. “Cybersecurity is going to vary country by country,” because each nation faces a unique set of risks and has its own needs. To help create a common foundation on which policies can work together, Microsoft has produced a whitepaper, “Developing a National Strategy for Cybersecurity.” The paper advises focusing on the basics and building on established best security practices. It advises that any strategy be:
- Outcome focused
- Respectful of privacy and civil liberties
- Globally relevant.
Although the Government Accountability Office has rated federal IT security as a high-risk area since 1999, Nicholas, co-author of the Microsoft paper, praised the progress being made in this country to establish a regulatory regime for cybersecurity, including FISMA.
“FISMA has really been a journey,” and important work is being done under it, he said. “Could it be better? Yes. But it is being fine-tuned to improve risk management.”
NIST has come through in providing guidance in its 800-series of reports on IT security, Nicholas said. Although FISMA and the NIST guidance are aimed at the U.S. government, their influence extends well beyond. “There is a framework and mentality that did not exist 10 years ago. FISMA better enables the U.S. government to have a risk dialog with the private sector. They are able to discuss things with a similar set of experiences.”
This is not to say that FISMA, which is far from perfect, is or should be the model for national strategies. The challenge to come up with some kind of functioning global system for securing cyberspace involves as much diplomacy as technology. “It’s about deciding what needs to be done and how to move forward,” Nicholas said.
Posted by William Jackson on Oct 09, 2013 at 11:39 AM