Balancing Cybersecurity and Trade Danielle Kriz Director, Global Cybersecurity Policy Information Technology Industry Council Digital Agenda Assembly Brussels – June 21, 2012


Balancing Cybersecurity and Trade

Danielle Kriz
Director, Global Cybersecurity Policy
Information Technology Industry Council

Digital Agenda Assembly
Brussels – June 21, 2012


About ITI

• One of the main high-tech trade associations in Washington
• 50 of the largest companies in the world
  – Hardware, software, and services
  – Mostly U.S., 4 European, 5 Japanese members
  – Companies have facilities all over the world
• Expertise in cyber: Cybersecurity Committee
• Expertise in standards: Standards Policy Committee
• Expertise in trade: Trade Policy Committee


ITI Member Companies

Apple, Inc.


ITI Cybersecurity Principles

• Inform the public cybersecurity discussion
  – Cybersecurity is rightly a priority for governments
  – Interests of industry and governments are fundamentally aligned
• Principles provide an important lens for viewing any efforts to improve cybersecurity


Six Principles

To be effective, any efforts to improve cybersecurity must:
• Leverage public-private partnerships and build upon existing initiatives and resource commitments;
• Reflect the borderless, interconnected, and global nature of today’s cyber environment;
• Be able to adapt rapidly to emerging threats, technologies, and business models;
• Be based on effective risk management;
• Focus on raising public awareness; and
• More directly focus on bad actors and their threats.


Global Trends in Cybersecurity & Commerce

• Governments often react to cybersecurity concerns without fully considering the global context or consequences of policy proposals
  – Cybersecurity: Catch-all term for cybersecurity, network security, information security, encryption, security standards, etc.
• Government actions on cybersecurity may create commercial barriers – intentionally or unintentionally
  – Mandating domestic standards or prescriptive technologies, requiring use of domestic intellectual property (IP), forcing technology transfer, source code review


Global Trends in Cybersecurity & Commerce

• We recognize the need for cyber / national security
  – These concerns must be balanced with commercial interests
  – But many times proposed policies decrease security
• Unique security standards and other requirements
  – Undermine security and resiliency
  – Raise costs & slow industry’s ability to innovate and meet current and future security challenges
  – Impede global interoperability, fragment the Internet
• Governments may overlook the tremendous market incentive that the private sector has to secure networks and systems
• Large concern to ITI member companies and others


U.S. Cybersecurity Policies - Congress

• Variety of legislative proposals in the Senate and House of Representatives in last 12 months; none have passed
• We support proposals that would improve cybersecurity while preserving industry’s ability to innovate
  – Cyber threat information sharing, Federal Information Security Management Act (FISMA) reform, cybersecurity R&D, cybercrime, national data breach standard
• Some proposals are overly regulatory and would decrease security - and also send the wrong message globally
  – Giving Department of Homeland Security additional power (including to write standards), government regulation of ICT supply chains
• We regularly urge the U.S. Congress to consider the global implications of their proposals and to lead by example


U.S. Cybersecurity Policies - Administration

• Variety of U.S. Government Departments and Agencies have some responsibility related to cybersecurity
  – White House, Department of Homeland Security, Department of Defense, Department of Commerce, Department of State, National Institute of Standards and Technology (NIST), etc.
• These Departments/Agencies have various roles now
• They also are considering new cyber policies
• ITI supports some policy ideas, not others
  – We support the Commerce Department helping to promote voluntary cybersecurity efforts in industry
  – We support greater USG cybersecurity R&D
  – We oppose DOD regulating the ICT supply chain
• Overall, we oppose a regulatory approach because it will decrease security


China

• Encryption regulations (1999)
  – Rules restrict or ban outright the use of foreign encryption technology
• ZUC algorithm for 4G LTE telecom networks
  – Although a globally accepted standard (3GPP), ZUC will be mandatory for the China market, along with invasive testing requirements (source code review)
• Multi-Level Protection Scheme (MLPS)
  – For information security in China’s “critical infrastructure”
  – Many requirements (e.g. domestic IP, testing) would keep out foreign ICT products


India

• New Preferential Market Access (PMA) rules
  – Procurement preference to domestically manufactured electronic goods “due to security considerations and in Government procurement”
  – Assumption that “made in India” is more secure
• Telecom network security certification
  – Overreach - required source code/technology transfer, in-country testing (partially resolved in 2011)
• Telecom Security Policy (draft) - 2012
  – Includes important principles to effectively address India’s telecommunications security concerns
  – Simultaneously, a push toward Indian-specific security standards and testing or linking security to domestic products/local manufacturing…


EU – Working on New Policies

• Forthcoming European Strategy for Internet Security
• Revision of Data Protection Directive and inclusion of “security by design”
• Industry urges the EU to balance security and commercial/trade interests


Recommendations for the EU, US

• Pursue policies that recognize the global dimension of Internet security
  – Aim to meet domestic security needs while recognizing the global cyber marketplace
• The U.S., EU, and other governments should cooperate to promote policies that are a model for rest of the world
  – We don’t want to set bad examples (or decrease security)
• Pursue global standards and best practices, balance security and economics
• The best path is via public-private partnerships
  – The ICT industry seeks security – it is our bottom line
  – Sharing of knowledge and experience and promoting cooperation to enhance cybersecurity


Thank you

Danielle Kriz
Director, Global Cybersecurity Policy
Information Technology Industry Council (ITI)
[email protected], +1-202-626-5731
www.itic.org