Balancing Cybersecurity and Trade Danielle Kriz Director, Global Cybersecurity Policy Information Technology Industry Council Digital Agenda Assembly Brussels – June 21, 2012
About ITI
• One of the main high-tech trade associations in Washington
• 50 of the largest companies in the world
  – Hardware, software, and services
  – Mostly U.S., 4 European, 5 Japanese members
  – Companies have facilities all over the world
• Expertise in cyber: Cybersecurity Committee
• Expertise in standards: Standards Policy Committee
• Expertise in trade: Trade Policy Committee

ITI Member Companies
Apple, Inc.

ITI Cybersecurity Principles
• Inform the public cybersecurity discussion
  – Cybersecurity is rightly a priority for governments
  – Interests of industry and governments are fundamentally aligned
• Principles provide an important lens for viewing any efforts to improve cybersecurity

Six Principles
To be effective, any efforts to improve cybersecurity must:
• Leverage public-private partnerships and build upon existing initiatives and resource commitments;
• Reflect the borderless, interconnected, and global nature of today’s cyber environment;
• Be able to adapt rapidly to emerging threats, technologies, and business models;
• Be based on effective risk management;
• Focus on raising public awareness; and
• More directly focus on bad actors and their threats.

Global Trends in Cybersecurity & Commerce
• Governments often react to cybersecurity concerns without fully considering the global context or consequences of policy proposals
  – Cybersecurity: Catch-all term for cybersecurity, network security, information security, encryption, security standards, etc.
• Government actions on cybersecurity may create commercial barriers, intentionally or unintentionally
  – Mandating domestic standards or prescriptive technologies, requiring use of domestic intellectual property (IP), forcing technology transfer, source code review

Global Trends in Cybersecurity & Commerce
• We recognize the need for cyber / national security
  – These concerns must be balanced with commercial interests
  – But many times proposed policies decrease security
• Unique security standards and other requirements
  – Undermine security and resiliency
  – Raise costs & slow industry’s ability to innovate and meet current and future security challenges
  – Impede global interoperability, fragment the Internet
• Governments may overlook the tremendous market incentive that the private sector has to secure networks and systems
• Large concern to ITI member companies and others

U.S. Cybersecurity Policies - Congress
• Variety of legislative proposals in the Senate and House of Representatives in last 12 months; none have passed
• We support proposals that would improve cybersecurity while preserving industry’s ability to innovate
  – Cyber threat information sharing, Federal Information Security Management Act (FISMA) reform, cybersecurity R&D, cybercrime, national data breach standard
• Some proposals are overly regulatory and would decrease security, and also send the wrong message globally
  – Giving Department of Homeland Security additional power (including to write standards), government regulation of ICT supply chains
• We regularly urge the U.S. Congress to consider the global implications of their proposals and to lead by example

U.S. Cybersecurity Policies - Administration
• Variety of U.S. Government Departments and Agencies have some responsibility related to cybersecurity
  – White House, Department of Homeland Security, Department of Defense, Department of Commerce, Department of State, National Institute of Standards and Technology (NIST), etc.
• These Departments/Agencies have various roles now
• They also are considering new cyber policies
• ITI supports some policy ideas, not others
  – We support the Commerce Department helping to promote voluntary cybersecurity efforts in industry
  – We support greater USG cybersecurity R&D
  – We oppose DOD regulating the ICT supply chain
• Overall, we oppose a regulatory approach because it will decrease security

China
• Encryption regulations (1999)
  – Rules restrict or ban outright the use of foreign encryption technology
• ZUC algorithm for 4G LTE telecom networks
  – Although a globally accepted standard (3GPP), ZUC will be mandatory for the China market, along with invasive testing requirements (source code review)
• Multi-Level Protection Scheme (MLPS)
  – For information security in China’s “critical infrastructure”
  – Many requirements (e.g. domestic IP, testing) would keep out foreign ICT products

India
• New Preferential Market Access (PMA) rules
  – Procurement preference to domestically manufactured electronic goods “due to security considerations and in Government procurement”
  – Assumption that “made in India” is more secure
• Telecom network security certification
  – Overreach: required source code/technology transfer, in-country testing (partially resolved in 2011)
• Telecom Security Policy (draft), 2012
  – Includes important principles to effectively address India’s telecommunications security concerns
  – Simultaneously, a push toward Indian-specific security standards and testing or linking security to domestic products/local manufacturing…

EU – Working on New Policies
• Forthcoming European Strategy for Internet Security
• Revision of Data Protection Directive and inclusion of “security by design”
• Industry urges the EU to balance security and commercial/trade interests

Recommendations for the EU, US
• Pursue policies that recognize the global dimension of Internet security
  – Aim to meet domestic security needs while recognizing the global cyber marketplace
• The U.S., EU, and other governments should cooperate to promote policies that are a model for rest of the world
  – We don’t want to set bad examples (or decrease security)
• Pursue global standards and best practices, balance security and economics
• The best path is via public-private partnerships
  – The ICT industry seeks security – it is our bottom line
  – Sharing of knowledge and experience and promoting cooperation to enhance cybersecurity

Thank you
Danielle Kriz
Director, Global Cybersecurity Policy
Information Technology Industry Council (ITI)
[email protected], +1-202-626-5731
www.itic.org