Balancing Cybersecurity and Trade Danielle Kriz Director, Global Cybersecurity Policy Information Technology Industry Council Digital Agenda Assembly Brussels – June 21, 2012
About ITI One of the main high-tech trade associations in Washington 50 of the largest companies in the world Hardware, software, and services Mostly U.S., 4 European, 5 Japanese members Companies have facilities all over the world Expertise in cyber: Cybersecurity Committee Expertise in standards: Standards Policy Committee Expertise in trade: Trade Policy Committee
ITI Member Companies Apple, Inc.
ITI Cybersecurity Principles Inform the public cybersecurity discussion Cybersecurity is rightly a priority for governments Interests of industry and governments are fundamentally aligned Principles provide an important lens for viewing any efforts to improve cybersecurity
Six Principles To be effective, any efforts to improve cybersecurity must: Leverage public-private partnerships and build upon existing initiatives and resource commitments; Reflect the borderless, interconnected, and global nature of today’s cyber environment; Be able to adapt rapidly to emerging threats, technologies, and business models; Be based on effective risk management; Focus on raising public awareness; and More directly focus on bad actors and their threats.
Global Trends in Cybersecurity & Commerce Governments often react to cybersecurity concerns without fully considering the global context or consequences of policy proposals Cybersecurity: Catch-all term for cybersecurity, network security, information security, encryption, security standards, etc Government actions on cybersecurity may create commercial barriers – intentionally or unintentionally Mandating domestic standards or prescriptive technologies, requiring use of domestic intellectual property (IP), forcing technology transfer, source code review
Global Trends in Cybersecurity & Commerce We recognize the need for cyber / national security These concerns must be balanced with commercial interests But many times proposed policies decrease security Unique security standards and other requirements Undermine security and resiliency Raise costs & slow industry’s ability to innovate and meet current and future security challenges Impede global interoperability, fragment the Internet Governments may overlook the tremendous market incentive that the private sector has to secure networks and systems Large concern to ITI member companies and others
U.S. Cybersecurity Policies - Congress Variety of legislative proposals in the Senate and House of Representatives in last 12 months; none have passed We support proposals that would improve cybersecurity while preserving industry’s ability to innovate Cyber threat information sharing, Federal Information Security Management Act (FISMA) reform, cybersecurity R&D, cybercrime, national data breach standard Some proposals are overly regulatory and would decrease security- and also send the wrong message globally Giving Department of Homeland Security additional power (including to write standards), government regulation of ICT supply chains We regularly urge the U.S. Congress to consider the global implications of their proposals and to lead by example
U.S. Cybersecurity Policies - Administration Variety of U.S. Government Departments and Agencies have some responsibility related to cybersecurity White House, Department of Homeland Security, Department of Defense, Department of Commerce, Department of State, National Institute of Standards and Technology (NIST), etc. These Departments/ Agencies have various roles now They also are considering new cyber policies ITI supports some policy ideas, not others We support the Commerce Department helping to promote voluntary cybersecurity efforts in industry We support greater USG cybersecurity R&D We oppose DOD regulating the ICT supply chain Overall, we oppose a regulatory approach because it will decrease security
China Encryption regulations (1999) Rules restrict or ban outright the use of foreign encryption technology ZUC algorithm for 4G LTE telecom networks Although a globally accepted standard (3GPP), ZUC will be mandatory for the China market, along with invasive testing requirements (source code review) Multi-Level Protection Scheme (MLPS) For information security in China’s “critical infrastructure” Many requirements (e.g. domestic IP, testing) would keep out foreign ICT products
India New Preferential Market Access (PMA) rules Procurement preference to domestically manufactured electronic goods “due to security considerations and in Government procurement” Assumption that “made in India” is more secure Telecom network security certification Overreach- required source code/ technology transfer, in-country testing (partially resolved in 2011) Telecom Security Policy (draft)- 2012 Includes important principles to effectively address India’s telecommunications security concerns Simultaneously, a push toward Indian-specific security standards and testing or linking security to domestic products/local manufacturing…
EU – Working on New Policies Forthcoming European Strategy for Internet Security Revision of Data Protection Directive and inclusion of “security by design” Industry urges the EU to balance security and commercial/trade interests
Recommendations for the EU, US Pursue policies that recognize the global dimension of Internet security Aim to meet domestic security needs while recognizing the global cyber marketplace The U.S., EU, and other governments should cooperate to promote policies that are a model for rest of the world We don’t want to set bad examples (or decrease security) Pursue global standards and best practices, balance security and economics The best path is via public-private partnerships The ICT industry seeks security – it is our bottom line Sharing of knowledge and experience and promoting cooperation to enhance cybersecurity
Thank you Danielle Kriz Director, Global Cybersecurity Policy Information Technology Industry Council (ITI) dkriz@itic.org, +1-202-626-5731 www.itic.org