Consistent Global IT Industry Security Policies Necessary?
Rich
These 12 recommendations outline a cooperative approach between government and industry, with an eye toward leaving industry free to innovate and compete without being burdened by overly specific government regulation.
Government has a critical role to play in cybersecurity, and a partnership with industry is necessary. Although the private sector produces the hardware and software and operates the systems that make up the global cyber infrastructure, many elements of cyber risk are out of industry's hands.
Although it generally is agreed that a public-private partnership is needed to adequately secure cyberspace, debate and disagreement over the exact nature of the partnership have stymied a number of cybersecurity bills now pending in the U.S. Congress.
Many Republicans favor a more hands-off approach focusing on voluntary cooperation and information sharing, while bipartisan legislation that has the support of many Democrats calls for establishing mandatory standards of security for privately owned critical infrastructure.
The principles offered by the industry groups are:
- Develop cybersecurity policies in a transparent manner and with relevant stakeholder input.
- Enable risk management and innovation, recognizing that the private sector can best manage and protect its networks and services through market forces, corporate responsibility, and ethical standards.
- Encourage the development and use of globally recognized, industry-led, voluntary consensus security standards, best practices, assurance programs and conformity assessment rules.
- Ensure the use of global standard tests and certifications.
- Ensure that cybersecurity requirements are technology-neutral.
- Ensure that cybersecurity requirements allow procurement regardless of the country of origin or the nationality of the vendor.
- Ensure that cybersecurity requirements do not require transfer or review of intellectual property such as source code.
- Limit prescriptive requirements to specific sensitive areas such as government intelligence and military networks.
- Strengthen institutions and develop contingency plans and cybersecurity strategies. Governments should have their own strong, stand-alone institutions, such as Computer Emergency Readiness Teams, to ensure effective cybersecurity.
- Focus on criminals and their threats, responding domestically and internationally, working in cross-border partnerships when possible and appropriate.
- Focus on education and awareness.