By Jackie Medecki and Riccardo Masucci
The inaugural “CyberNextDC Privacy. Partnership. Protection.” conference took place in Washington DC on Oct 25 and was sponsored by the Coalition for Cybersecurity Policy and Law led by Ari Schwartz, the Cyber Threat Alliance led by Michael Daniel, and the National Security Institute at George Mason University. The event gathered cybersecurity experts, government officials, and industry and academia representatives to discuss cyber threats and solutions on topics such as the Internet of Things, information sharing, and vulnerability disclosure policies. David Hoffman, Intel’s Associate General Counsel and Global Privacy Officer, moderated a panel titled “Aligning the World around Risk Management”. The panel comprised Adam Sedgewick from the U.S. Department of Commerce, Amanda Craig from Microsoft, Avi Rembaum from CheckPoint Technologies, and Belisario Contreras from the Organization of American States.
The need for a globally harmonized approach to cybersecurity emerged clearly during the panel discussion. Panelists made clear that fragmented strategies across different regions of the world cannot address growing and ever-changing security threats, and would hinder innovation as global entities struggle to comply with an expanding field of regulations and requirements. Panelists agreed on leveraging the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity as a model for a public-private partnership to develop flexible and scalable tools and solutions. Created in February of 2014 as a follow-up to Executive Order 13636, this Framework is a voluntary, risk-based set of industry standards and best practices, referencing globally recognized cybersecurity standards that enable organizations to manage cybersecurity risk. The Coalition for Cybersecurity Policy and Law’s recently published whitepaper, titled “Building a National Cybersecurity Strategy: Voluntary, Flexible Framework”, likewise calls for cybersecurity risk management frameworks that are flexible, repeatable, performance-based, and cost-effective, and cites examples of successful voluntary frameworks in the U.K., Italy and Australia, and the NIST Framework in the U.S.
The panel emphasized standardization and the role that standards bodies can play in shaping cybersecurity practices. The ISO/IEC 27001 family of standards was mentioned as an effective tool for helping organizations keep information assets secure. The panel agreed that these and other ongoing efforts in developing international standards should be supported by governments and industry as the foundation for further harmonization in cybersecurity. Flexible, industry-driven approaches combined with international standards are two key ingredients for aligning the world around cyber risk management.
While ongoing efforts exist to develop public policy approaches to cybersecurity, continued collaboration between the private and public sectors and across jurisdictions in this field is needed. The European Union is increasing its efforts to enhance its cybersecurity strategy, and Member States will transpose the Network and Information Security Directive into law by May 2018. The European Commission also recently published a new cybersecurity legislative package, including a European cyber certification process. The Cybersecurity Law in China laid out several requirements on critical infrastructure and data flows which risk creating a local regulatory structure disconnected from the rest of the world. Effective and efficient cyber risk management requires a globally consistent approach, and this is why Intel and the panel members support an international dialogue with policymakers, regulators, and industry to foster harmonization in the cybersecurity field.