Balancing Cybersecurity and Trade
Danielle Kriz
Director, Global Cybersecurity Policy
Information Technology Industry Council
Digital Agenda Assembly
Brussels – June 21, 2012
About ITI
• One of the main high-tech trade associations in Washington
• 50 of the largest companies in the world
  – Hardware, software, and services
  – Mostly U.S., 4 European, 5 Japanese members
  – Companies have facilities all over the world
• Expertise in cyber: Cybersecurity Committee
• Expertise in standards: Standards Policy Committee
• Expertise in trade: Trade Policy Committee
ITI Member Companies
Apple, Inc.
ITI Cybersecurity Principles
• Inform the public cybersecurity discussion
  – Cybersecurity is rightly a priority for governments
  – Interests of industry and governments are fundamentally aligned
• Principles provide an important lens for viewing any efforts to improve cybersecurity
Six Principles
To be effective, any efforts to improve cybersecurity must:
• Leverage public-private partnerships and build upon existing initiatives and resource commitments;
• Reflect the borderless, interconnected, and global nature of today’s cyber environment;
• Be able to adapt rapidly to emerging threats, technologies, and business models;
• Be based on effective risk management;
• Focus on raising public awareness; and
• More directly focus on bad actors and their threats.
Global Trends in Cybersecurity & Commerce
• Governments often react to cybersecurity concerns without fully considering the global context or consequences of policy proposals
  – Cybersecurity: Catch-all term for cybersecurity, network security, information security, encryption, security standards, etc.
• Government actions on cybersecurity may create commercial barriers – intentionally or unintentionally
  – Mandating domestic standards or prescriptive technologies, requiring use of domestic intellectual property (IP), forcing technology transfer, source code review
Global Trends in Cybersecurity & Commerce
• We recognize the need for cyber / national security
  – These concerns must be balanced with commercial interests
  – But many times proposed policies decrease security
• Unique security standards and other requirements
  – Undermine security and resiliency
  – Raise costs & slow industry’s ability to innovate and meet current and future security challenges
  – Impede global interoperability, fragment the Internet
• Governments may overlook the tremendous market incentive that the private sector has to secure networks and systems
• Large concern to ITI member companies and others
U.S. Cybersecurity Policies - Congress
• Variety of legislative proposals in the Senate and House of Representatives in last 12 months; none have passed
• We support proposals that would improve cybersecurity while preserving industry’s ability to innovate
  – Cyber threat information sharing, Federal Information Security Management Act (FISMA) reform, cybersecurity R&D, cybercrime, national data breach standard
• Some proposals are overly regulatory and would decrease security, and also send the wrong message globally
  – Giving Department of Homeland Security additional power (including to write standards), government regulation of ICT supply chains
• We regularly urge the U.S. Congress to consider the global implications of their proposals and to lead by example
U.S. Cybersecurity Policies - Administration
• Variety of U.S. Government Departments and Agencies have some responsibility related to cybersecurity
  – White House, Department of Homeland Security, Department of Defense, Department of Commerce, Department of State, National Institute of Standards and Technology (NIST), etc.
• These Departments/Agencies have various roles now
• They also are considering new cyber policies
• ITI supports some policy ideas, not others
  – We support the Commerce Department helping to promote voluntary cybersecurity efforts in industry
  – We support greater USG cybersecurity R&D
  – We oppose DOD regulating the ICT supply chain
• Overall, we oppose a regulatory approach because it will decrease security
China
• Encryption regulations (1999)
  – Rules restrict or ban outright the use of foreign encryption technology
• ZUC algorithm for 4G LTE telecom networks
  – Although a globally accepted standard (3GPP), ZUC will be mandatory for the China market, along with invasive testing requirements (source code review)
• Multi-Level Protection Scheme (MLPS)
  – For information security in China’s “critical infrastructure”
  – Many requirements (e.g. domestic IP, testing) would keep out foreign ICT products
India
• New Preferential Market Access (PMA) rules
  – Procurement preference to domestically manufactured electronic goods “due to security considerations and in Government procurement”
  – Assumption that “made in India” is more secure
• Telecom network security certification
  – Overreach – required source code/technology transfer, in-country testing (partially resolved in 2011)
• Telecom Security Policy (draft) – 2012
  – Includes important principles to effectively address India’s telecommunications security concerns
  – Simultaneously, a push toward Indian-specific security standards and testing or linking security to domestic products/local manufacturing…
EU – Working on New Policies
• Forthcoming European Strategy for Internet Security
• Revision of Data Protection Directive and inclusion of “security by design”
• Industry urges the EU to balance security and commercial/trade interests
Recommendations for the EU, US
• Pursue policies that recognize the global dimension of Internet security
  – Aim to meet domestic security needs while recognizing the global cyber marketplace
• The U.S., EU, and other governments should cooperate to promote policies that are a model for the rest of the world
  – We don’t want to set bad examples (or decrease security)
• Pursue global standards and best practices, balance security and economics
• The best path is via public-private partnerships
  – The ICT industry seeks security – it is our bottom line
  – Sharing of knowledge and experience and promoting cooperation to enhance cybersecurity
Thank you
Danielle Kriz
Director, Global Cybersecurity Policy
Information Technology Industry Council (ITI)
[email protected], +1-202-626-5731
www.itic.org