Cybersecurity, Foreign Policy, and Business

Similar documents
(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework

Confrontation or Collaboration?

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

Cyber Security Recommendations October 29, 2002

WRITTEN TESTIMONY OF

Trends Concerning Cyberspace

Dean C. Garfield President & CEO, Information Technology Industry Council (ITI) Committee on Energy and Commerce

THE WHITE HOUSE Office of the Press Secretary

Cyber Security Strategy

S. ll IN THE SENATE OF THE UNITED STATES

How To Write A National Cybersecurity Act

Cybersecurity: Mission integration to protect your assets

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

In an age where so many businesses and systems are reliant on computer systems,

GAO CRITICAL INFRASTRUCTURE PROTECTION. Significant Challenges in Developing Analysis, Warning, and Response Capabilities.

Before the DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Washington, DC ) ) ) ) )

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C ) ) ) PS Docket No COMMENTS OF CTIA THE WIRELESS ASSOCIATION

Testimony of. Before the United States House of Representatives Committee on Oversight and Government Reform And the Committee on Homeland Security

Future of the Internet Cyber Security

Homeland Open Security Technology HOST Program

RUSSIA CHINA NEXUS IN CYBER SPACE

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

James R. Clapper. Director of National Intelligence

FOREIGN AFFAIRS AND TRADE Australia - Cyber: Reports of Chinese cyber attacks

The Dow Chemical Company. statement for the record. David E. Kepler. before

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

Cyber Security: Exploring the Human Element

Analysis. Document. Abstract: Keywords: Receive our NEWSLETTER. Document Analysis 34/ /2013 3rd June 2013

working group on foreign policy and grand strategy

Actions and Recommendations (A/R) Summary

Cybercrime Bedrohung, Intervention, Abwehr. Cybersecurity strategic-political aspects of this global challenge

The Comprehensive National Cybersecurity Initiative

FINAL // FOR OFFICIAL USE ONLY. William Noonan

STATEMENT OF JOSEPH M. DEMAREST, JR. ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

Middle Class Economics: Cybersecurity Updated August 7, 2015

SEC update: Cybersecurity initiatives. SEC update: Cybersecurity initiatives. Intelligize // 02

Docket No. DHS , Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations

the Council of Councils initiative

2 Gabi Siboni, 1 Senior Research Fellow and Director,

STATEMENT BY DAVID DEVRIES PRINCIPAL DEPUTY DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER BEFORE THE

Corporate Spying An Overview

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J.

How To Protect Your Computer From Attack

The U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter

Viewpoint: Implementing Japan s New Cyber Security Strategy*

National Cyber Security Policy -2013

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Action Plan for Canada s Cyber Security Strategy

EU Cybersecurity: Ensuring Trust in the European Digital Economy

January 17, ITI Point of Contact:

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

Comments on CBRC Draft Regulations Affecting Technology Purchases. 14 September 2015

A conversation with Allan Friedman about cybersecurity issues

CYBER BRIEF Improving Supply-Chain Policy for U.S. Government Procurement of Technology

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

TESTIMONY OF ZOË BAIRD, PRESIDENT, MARKLE FOUNDATION CHAIRMAN, TASK FORCE ON NATIONAL SECURITY IN THE INFORMATION AGE

BSA GLOBAL CYBERSECURITY FRAMEWORK

Good morning. It s a pleasure to be here this morning, talking with the NZISF. Thank you for this opportunity.

Securing the Network: Cybersecurity Recommendations for Critical Infrastructure and the Global Supply Chain Telecommunications Industry Association

STATEMENT OF MR. THOMAS ATKIN ACTING ASSISTANT SECRETARY OF DEFENSE FOR HOMELAND DEFENSE AND GLOBAL SECURITY OFFICE OF THE SECRETARY OF DEFENSE;

Lessons from Defending Cyberspace

CYBER SECURITY INFORMATION SHARING & COLLABORATION

C DIG COMMITTED TO EXCELLENCE IN CYBER DEFENCE. ONE MISSION. ONE GROUP. CSCSS / DEFENCE INTELLIGENCE GROUP

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

Cyber-Security. FAS Annual Conference September 12, 2014

Secure Software Development Trends in the Oil & Gas Sectors. How the Microsoft Security Development Lifecycle helps protect critical industries

Risk and responsibility in a hyperconnected world: Implications for enterprises

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

The Landscape of Cyber, critical infrastructure and how Regulation fits in

Cyber Security Strategy

INTELLECTUAL PROPERTY. Insights Gained from Efforts to Quantify the Effects of Counterfeit and Pirated Goods in the U.S. Economy

Presidential Summit Reveals Cybersecurity Concerns, Trends

Why Join BSA? A Vital Resource for Software Companies. The many reasons why software companies join BSA OUR VALUE PROPOSITION

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Accountability: Data Governance for the Evolving Digital Marketplace 1

Secure Data Centers For America A SOLUTION TO

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

cyber Threat Intelligence - A Model for the 21st Century

Specific comments on Communication

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Cybersecurity-related international institutions: An assessment and a framework for nations strategic policy choices

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

Memorandum by the Association of Investment Companies (AIC)

POLICIES TO MITIGATE CYBER RISK

engagement will not only ensure the best possible law, but will also promote the law s successful implementation.

RE: Comments on Vietnam s Draft Law on Information Security, version 2.22

OBAMA S NEW CYBERSPACE POLICY

Public Private Partnerships and National Input to International Cyber Security

Remarks by. Thomas J. Curry Comptroller of the Currency. Before a Meeting of CES Government. Washington, DC April 16, 2014

Transcription:

Summary Report Cybersecurity, Foreign Policy, and Business Washington, DC Workshop January 11, 2011 8:00 a.m. 3:00 p.m. In early 2011, the Council on Foreign Relations held a workshop focused on the intersection of cybersecurity, foreign policy, and global business. The program, which included a keynote address by Philip Reitinger, Deputy Undersecretary of the National Protection and Programs Directorate at the U.S. Department of Homeland Security, consisted of three panels: supply chain security; balkanization of digital markets; and cyber exploits, private business, and national security. Participants included officials from the Departments of Commerce and Homeland Security as well as Senate and House staffers, industry representatives, and academic and policy analysts. The central focus of the workshop was the potential for certain cybersecurity measures to balkanize the Internet and the overall global technology ecosystem. Today s relatively global, open, and interoperable digital infrastructure is being challenged by national spaces implementing competing technology standards and security processes. As more nation-states become concerned about cyber risk and seek to apply their own solutions, there has been a proliferation of constraints placed upon commercial technology companies such as requests to examine proprietary source code compliance with which would make it more difficult for them to operate globally. Some states seem to be working to undermine the current system of global technology security governance, which is currently marked by the participation of state actors, technology companies, and independent technical groups in relatively open, multi-actor fora, and replace it with a more closed, state-centric, sovereignty-oriented model. The United States has a national interest in a global and open digital infrastructure. There are clear economic reasons for this. American technology firms have benefited from economies of scale and new models of global innovation. There are also strong national security arguments to be made: an open, transparent, and flexible system is likely to be more secure than one where national governments try to enforce multiple competing security standards. While the United States government is well positioned to push a vision of a global digital infrastructure forward, it is not doing so as effectively as it could. If Washington does not lead on these issues, the impetus and energy for change may come from revisionist actors whose interest and values are not congruent with those of the United States.

Digital Infrastructure: Context Almost every technology company relies on and must manage a global supply chain. This is true for the biggest companies with manufacturing and R&D locations around the world as well as smaller firms that source or deliver products through a supply chain that can span several countries and continents. While these networks bring real economic gains, they also bring the risks of greater interdependence. Software and hardware can be compromised at multiple points by numerous actors. Managing supply chains has become even more complex for suppliers, vendors, and customers, in part because these networks have become significantly more software- and services-based. This is a good thing for American companies as they move up the stack away from products that are rapidly becoming commodities, but also places greater demands on users as the rate of change is rapid. In effect, the risk is getting worse and there is unlikely to be a single set of engineering or technological solutions. Policymakers must try to envision the entire ecosystem in which suppliers, vendors, and customers cooperate and compete, realizing that any set of proscriptive solutions may create unexpected and unwanted outcomes. Confronted with a similar set of security challenges, policymakers in Russia, China, India, the United States, Brazil, and elsewhere are responding with national laws or regulations that make multiple demands on technology firms dependent on location. The motivation for these demands is often opaque; policies can be driven by real security concerns, the desire to promote competing technology standards and strengthen domestic firms, or some combination of the two. In the case of China, the objectives appear clearer. Policymakers in Beijing advocate a sovereigntybased model of the Internet that is tied to economic competiveness and national security. They are trying to shift discussions about the Internet s future out of multi-actor fora such as ICANN to the ITU and other international organizations where states wield greater power. In addition, China is using market access, procurement strategies, and other policies designed to encourage indigenous innovation to create new technology and security standards. On a positive note, as some Chinese firms are going global, they are beginning to look to the Common Criteria an international security standard that is assured by national testing laboratories as a way to enter markets and eventually these firms may be able to shape domestic cybersecurity policies. It should be also noted that there is skepticism in the rest of the world about U.S. intentions. Some foreign governments see themselves and their networks as overly dependent on U.S. suppliers and fear that U.S. intelligence agencies have access to their networks. In many ministries and regulatory agencies around the world, it is widely assumed that there is a close relationship between U.S. firms and the National Security Agency. Policy Process In addressing this balkanization, there is some good news. Participants of the workshop pointed to a greater recognition of the issue and their common interests in industry and government. There was also a sense that industry and government largely shared a similar policy approach, one grounded, in the words of one of the participants, in the creation of the Internet itself. That is, the process should be open and developed in a global context by nongovernmental organizations. Public-private partnerships would figure prominently in U.S. strategy, with the private sector taking the lead supported by government policy. Or as one participant put it, the power and authority of the U.S. 2

government combined with the much more knowledgeable technological expertise of the private sector. While few questioned the strengths of this model, there was a sense that it needed to be energized and extended, especially as others pursued competing visions in more state-centric venues such as the ITU. Some of the apparent weaknesses of the open and decentralized model included the speed of decisionmaking within the government and the inability of traditional rule making processes to keep pace with technological and market change. As a reference, one participant noted that FCC Chairman Julius Genachowski recently reported that the average rule-making cycle is 6 years. In addition, there was the larger issue of how to move from process to strategy. This was often referred to as a problem of coordination. Several public-private consultations may be going on at the same time; sometimes these processes may come together better than others. Since cybersecurity encompasses economic and national security issues, responsibilities are spread across numerous agencies or departments. The State Department, for example, has one bureau that deals with the ITU, APEC, and the OECD on economic and trade issues and another that addresses hacking and cyber intelligence issues through NATO and other organizations. The appointment of Coordinator of Cyber Issues, announced in the 2010 Quadrennial Diplomacy and Development Review, should resolve some of the inevitable coordination problems that have emerged from such a decentralized approach. Indeed, the participants were clear: they were not looking for a single plug-in for all cyber issues. Still, there were concerns about what some saw as a lack of a comprehensive Internet foreign policy strategy, one that would empower policymakers to make decisions about tradeoffs and signal numerous agencies and departments about priorities and resource use. Without a comprehensive strategy, departments have different interpretations of their own and others priorities and strategies. Moreover, a single vision makes it easier to engage both the private sector and U.S. allies and other potential international partners. As it stands now, these partners have to understand and interpret priorities and intentions on their own, drawing from multiple documents and voices. Policy principles Workshop participants identified several principles for moving forward on technology security: 1) A Global Approach. At the center of any policy response should be support for internationally recognized standards that enable consistent approaches to addressing technology security. This would be similar to the existing Common Criteria regime and a related broader effort, the Open Group Trusted Technology Forum that from the beginning is positioned to be an international partnership involving business and government. 2) Global standards should underlie national approaches. The standards do not stand alone, but are part of a flexible regulatory model that encompasses multiple actors across various ecosystems. One participant suggested the food safety system as a possible analogy, highlighting the importance of independent oversight primarily maintained by industry participants but also with government intervention as well. 3

3) Government policy should be technology-neutral and outcome-oriented. The right mix of market-based incentives and government regulations needed to raise the floor on security is, of course, crucial. The majority of workshop participants supported a private-sector led solution, where the government provides encouragement, support, and in some instances creates incentives for private action. In these instances, the government s focus should be on outcomes, not specific technological means. 4) Beware the consequences of unilateral action. Moving forward, policymakers must keep in mind the impact that U.S. government actions have on other actors. If the U.S. insists on developing its own domestic standards, then it cannot expect Russia, Brazil, China, or others not to pursue the same remedy. 5) Pursue strategic alliances. Given international skepticism about U.S. intentions in cyberspace, policymakers need to find the right partners with which to pursue these policies and, in some instances, encourage them to take the lead. Examples might include Australia in Asia-Pacific Economic Cooperation (APEC), Brazil in the Organization of American States (OAS), and India given its increasing global influence. Cyber espionage, national security, and economic security During the afternoon, workshop participants turned their attention to the issue of attacks on U.S. corporations. In the September 2010 issue of Foreign Affairs, Deputy Secretary of Defense William Lynn III argued that though the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyber threat that the United States will face over the long term. Since Lynn s article appeared, public reports have indicated that DuPont, Johnson & Johnson, General Electric, RSA, and at least a dozen others have had proprietary information stolen by hackers. Given the scope of the threat, should the United States government have a greater role in combating corporate espionage and intellectual property theft? If so, should one agency take the lead? How should the government sector and private industry work collaboratively to defend against attacks? In contrast to the morning session, there were some sharper differences in defining the problem. While the attacks on the intellectual property of companies could traditionally be conceived of as a law enforcement problem, the fact that many of the attacks are launched from other countries means that they also become foreign policy and national security challenges. Moreover, as one participant argued, criminal prosecutions do not serve as an effective deterrent. Countries such as Russia rarely cooperate with U.S. requests to prosecute hackers. Most notable, some participants, especially in contrast to the discussion on supply chain security, made a more forceful argument for greater government regulation in the face of a market failure. In this instance, the Internet s culture of decentralization and deregulation, while critical to continued innovation, is failing to address a serious security threat that is only worsening. The obvious challenge, if greater regulation is indeed the answer, is how to set guidelines without losing the good side of deregulation. Can the government move the market enough through incentives, procurement policy, and support of R&D or is more direct intervention required? 4

Given the attacks on Google and others, there was skepticism that even the biggest companies would be very successful on their own against state or state-backed hackers. Or as one participant put it, the private sector has the expertise to deal with geek versus geek attacks but not spy versus spy. Those skills were to be found in the National Security Agency. In this environment, the objective for the private sector is risk management, with the government and U.S. Cyber Command playing defensive and deterrent roles, respectively. Despite the centrality of information sharing to public-private partnerships, participants noted the failure to develop a mechanism to ensure that the government shares information in a timely and relevant manner. While the finance and communication sectors in particular are thought to allow for relatively effective sharing through the Information Sharing and Analysis Centers, one participant referred to a case where the government knew of an attack on a telecommunications company four months before the company knew. From the other side, government representatives spoke of the private sectors unwillingness to disclose information about security breaches out of fear that the admissions would spark questions from investors and regulators. Through the Defense Industrial Base Information Sharing Environment, forty defense contractors share information on attacks in return for Department of Defense assistance with network defense. Recent reports suggest that the Pentagon will offer to develop a similar program for Internet service providers. In addition, the newly opened National Cybersecurity and Communications Integration Center (NCCIC) is expected to collocate government and industry representatives to allow for coordinated planning and response. Yet, it is clear that without common knowledge and shared understandings it will be impossible to create the consensus needed for clear policy. As with the discussion on supply chain security, there was a widely shared sense that greater policy clarity was needed. There were questions of whether repeating the need for public-private cooperation and information sharing was enough; these date back to at least 1995 or 1996 and no one doubts that the United States is still not moving fast enough. Rather than simply repeat these mantras, the restated policy would more clearly define roles and responsibilities, both within the government and between the government and private sector. Moving forward The workshop s discussions point to the need for a coherent Internet foreign policy. While the United States economic and soft powers are important strengths, a more proactive strategy is necessary in the pursuit of national interests. This strategy would not only make it more likely that separate agencies work together but would also provide a policy framework for balancing the tradeoff among the economic, security, and governance issues that are part and parcel of the United States presence in cyberspace. The emergence of such a unified policy was seen to be the likely outcome of two possible events: a catastrophic attack, or the exercise of high level leadership. Since all want to avoid the first catalyst, and suspect that decisions made soon after a crisis are likely to get the balance among security, economic, and privacy issues wrong, we hope that over the next year or two, leaders in the public and 5

private sector will begin to craft a coherent picture of where the United States needs to go and how it will get there. The Council on Foreign Relations gratefully acknowledges IBM and Thomson Reuters for their support of this workshop. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information