ITI Cybersecurity Principles for Industry and Government

Size: px

Start display at page:

Download "ITI Cybersecurity Principles for Industry and Government"

Silvia Cook
8 years ago
Views:

1 ITI Cybersecurity Principles for Industry and Government Danielle Kriz Director, Global Cybersecurity Policy Information Technology Industry Council IEEE CQR Meeting, Naples, FL May 12, 2011

2 About ITI One of the main high-tech trade associations in Washington 50 of the largest companies in the world Hardware, software, and services Mostly U.S., 3 European and 5 Japanese members Companies have facilities all over the world Active Cybersecurity Committee Goal: Promote cybersecurity policies that balance national security and commercial needs

, 3 European and 5 Japanese members Companies have facilities all over the world Active

3 ITI Member Companies Apple, Inc.

4 ITI Principles Released January 2011 Six months of work among ITI members Inform the public cybersecurity discussion Cybersecurity is rightly a priority for governments Interests of industry and governments are fundamentally aligned Principles provide an important lens for viewing any efforts to improve cybersecurity

for governments Interests of industry and governments are fundamentally aligned

5 Six Principles To be effective, any efforts to improve cybersecurity must: Leverage public-private partnerships and build upon existing initiatives and resource commitments; Reflect the borderless, interconnected, and global nature of today s cyber environment; Be able to adapt rapidly to emerging threats, technologies, and business models; Be based on effective risk management; Focus on raising public awareness; and More directly focus on bad actors and their threats.

today s cyber environment; Be able to adapt rapidly to emerging threats, technologies, and business models; Be based

6 ITI Principles Document Contains Summary of each principle Information on each principle Its importance What industry and governments are already doing in each area Specific proposals for what more policymakers can do Last two items are U.S.-specific But the principles are globally applicable

doing in each area Specific proposals for what more policymakers can do

7 Principle 1 Efforts to improve cybersecurity must leverage public-private partnerships and build upon existing initiatives and resource commitments.

8 Principle 1: Examples What are we doing now? Information sharing, analysis, and emergency response with governments and industry peers IT Sector Coordinating Council (IT-SCC), IT Information Sharing and Analysis Center (IT- ISAC), national advisory committees Input into National Institute of Standards and Technology (NIST) security stds/ guidelines What more can policymakers do? Leverage and build upon partnerships Eliminate barriers to information sharing

Council (IT-SCC), IT Information Sharing and Analysis Center (IT- ISAC), national advisory committees Input into

9 Principle 2 Efforts to improve cybersecurity must reflect the borderless, interconnected, and global nature of today s cyber environment. Borderless approach based on globally accepted standards, best practices, and international assurance programs.

10 Principle 2: Benefits Improved security Global peer review process, security deployment across entire global digital infrastructure Meeting conflicting requirements raises costs, demanding valuable security resources More private sector resources for investment to address future security challenges Improved interoperability of digital infrastructure Increased international trade Countries can comply with their international trade commitments (WTO TBT)

private sector resources for investment to address future security challenges Improved interoperability of

11 Principle 2: Examples What are we doing now? Companies contribute to global standards development via ISO, IEC, IETF Participate in Common Criteria and CCRA Governments conduct bilateral/multilateral efforts, including U.S.-EU CIP forum What more can policymakers do? Support efforts to reform CC Preserve global market Promote global industry-led voluntary standards

Common Criteria and CCRA Governments conduct bilateral/multilateral efforts, including U.S.

12 Principle 3 Efforts to improve cybersecurity must be able to adapt rapidly to emerging threats, technologies, and business models.

13 Principle 3: Examples What are we doing now? Industry-led standardization efforts addressing emerging cybersecurity risk concerns (e.g. Kantara Initiative => identity management) Company programs and voluntary consortia such as the Open Group, SAFECode Industry R&D on security What more can policymakers do? Technology-neutral proposals Promote greater R&D in cybersecurity. Convene stakeholder discussion on whether and how to update the definition of CI

14 Principle 4 Efforts to improve cybersecurity must be based on risk management.

15 Principle 4: Examples What are we doing now? ISO/IEC and 27002, NIST risk management standards & special pubs, others to manage cybersecurity risks U.S. IT industry contributes to the National Infrastructure Protection Plan (NIPP) Companies undertake their own risk management What more can policymakers do? Ensure that cybersecurity measures allow organizations to properly assess & mitigate risk Develop and implement policies based upon thoughtful, ongoing risk management assessments

industry contributes to the National Infrastructure Protection Plan (NIPP) Companies undertake their own risk management

16 Principle 5 Efforts to improve cybersecurity must focus on raising public awareness.

17 Principle 5: Examples What are we doing now? U.S. IT companies founded the National Cyber Security Alliance (NCSA), a non-profit organization focused on conducting cybersecurity education and awareness programs StopThinkConnect National Cyber Security Awareness Month Oct. U.S. Federal Trade Commission (FTC) OnGuard Online program tips for citizens What more can policymakers do? Continue to support awareness activities Promote practical, entry-level security skills in post-secondary education

cybersecurity education and awareness programs St

18 Principle 6 Efforts to improve cybersecurity must more directly focus on bad actors and their threats. Threats include crime, commercial espionage, nation-state espionage, war.

19 Principle 6: Examples What are we doing now? In the U.S.: FBI Cyber Division; Secret Service Electronic Crimes Task Forces; Economic Espionage Act of 1996; FTC action on identify theft; others Council of Europe Convention on Cybercrime Companies take actions to deter cyber threats and minimize being subject to espionage What more can policymakers do? More resources for law enforcement Leverage existing agreements on cross-border prosecutions of crime and espionage Help developing countries to improve their own enforcement efforts

others Council of Europe Convention on Cybercrime Companies take actions to deter cyber threats and minimize being subject to

20 Current Status of ITI Principles Provided to U.S. policymakers Congress, Administration Briefings for U.S. Administration Shared with other associations Have shared with Europe, Japan, China Translated into Chinese Hope to translate into Japanese Hope to build global agreement on approach enshrined in six principles

Japan, China Translated into Chinese Hope to translate into Japanese Hope to

21 Thank you Danielle Kriz Director, Global Cybersecurity Policy Information Technology Industry Council (ITI) Washington, DC, USA Principles available at:

The IT Industry s Cybersecurity Principles for Industry and Government

The IT Industry s Cybersecurity Principles for Industry and Government 2011 ITI MEMBER COMPANIES Apple Inc. TABLE OF CONTENTS Executive Summary 5 Setting the Stage 7 Six Cybersecurity Principles 9 Principle