Today, the Department of Commerce released the green paper Cybersecurity, Innovation and the Internet Economy. This follows the release of both a Cybersecurity Legislative Proposal and an International Strategy for Cyberspacefrom the White House last month. Intel commends the Department of Commerce’s efforts to address some of the most challenging cybersecurity policy topics while focusing on two fundamental principles: 1. Improving “Trust” through increased privacy and security; and 2. Relying on a multi-stakeholder policymaking process.
In recent years there has been significant public debate about the role of government and the private sector in protecting systems and networks that support infrastructure upon which national and economic security depend. Some proposals suggest a regulatory model covering a broad cross-section of industry, including the IT sector, while other proposals support a more voluntary, standards-based approach tailored to finding the right level of protections for each sector and sub-sector. We are pleased that the green paper advances the concept of voluntary partnership through the identification of the “Internet and Information Innovation Sector” (I3S), which would explicitly be differentiated from any definition of covered Critical Infrastructure. The Department of Commerce’s approach of looking towards voluntary codes of conduct for a dynamic sector like I3S is an innovative approach to addressing cybersecurity challenges across this varied sector. We advocate continued discussion about the definition of I3S and whether it includes of the right mix of information and communications technology industry companies necessary to meet the Department’s stated goal of “enhancing our national cybersecurity posture.”
Intel would also like to offer support for the following concepts reflected in the green paper:
• The importance of innovation and the need for technology sector to play a vital role in bringing to market new and improved security products and solutions to address the evolving cyber landscape.
• The importance of international collaboration and cooperation activities to promote cybersecurity policies, standards, and research, and the need for any national efforts to acknowledge the necessity of working with other governments to create a global approach to cybersecurity.
• The need to further enable the Common Criteria to serve a primary role in demonstrating trust and confidence in information technology products and services. Common Criteria (CC) is currently the only internationally recognized product assurance evaluation and certification scheme for hardware, firmware, and software. Common Criteria allows for mutual recognition by twenty six countries of the certifications provided by authorized independent laboratories through the Common Criteria Recognition Arrangement (CCRA). Please see my accompanying blog post that describes the CC reform efforts we have been working on with members of industry and governments around the world.
• The importance of a genuine public/private partnership as reflected in the notion that any disclosure of cybersecurity plans and evaluations within I3S would need to be voluntary, and would need to address important issues of cost, protection of intellectual property, and whether such disclosure might increase cybersecurity threats.
• A desire to focus on improved structures for threat and vulnerability information sharing.
• Analysis for how to provide government incentives to increase investment in cybersecurity.
• A goal to improve cybersecurity education, with a priority on K-12 education, and the creation of formal cybersecurity oriented curricula.
Intel commends the efforts of the Department of Commerce to address some of the most complex and challenging cybersecurity policy issues. The Department’s approach of asking difficult questions and inviting multi-stakeholder dialogue is both helpful and necessary, and the Department can play an important role as an impatient convener in these discussions. Intel looks forward to responding to the green paper and working with the Department of Commerce and other government departments and agencies to further the concepts of voluntary partnerships for cybersecurity and product assurance.