Now is the Time to Act Swiftly, Enact Key Cybersecurity Objectives

SIIA offered its views on cybersecurity to the Senate on Tuesday, in a letter to Senate Majority Leader Harry Reid (D-NV) in advance of the Senate's imminent consideration of cybersecurity legislation.

Our members are dedicated to strengthening the nation’s IT infrastructure and protecting against growing cyber threats. These threats are more sophisticated and targeted than ever and are growing at an unprecedented rate. We know that as a nation, we can’t afford to delay advanced protection and instantaneous remediation.

That’s why SIIA believes that the most effective course of action is to focus in the short term on several critical priorities that enjoy broad bipartisan consensus. These key priorities are:

o Enhance information sharing between the public and private sectors,
o Reform the Federal Information Security Management Act of 2002 (FISMA),
o Enhance and improve law enforcement tools and criminal penalties for cybercrimes, and
o Encourage increased cybersecurity research.

At the same time, SIIA believes that some complex issues of cybersecurity are not nearly as close to broad consensus. Including them in a comprehensive bill would give them short shrift and potentially slow down the bill’s adoption; most importantly and worryingly, the proposals advanced to date on some of these issues would seriously hinder the very innovation that is our best tool against cyber threats. Securing the Nation’s public and private IT networks will require the attention of Congress, the Administration and industry for the weeks, months and years ahead. It’s not something that can or should be achieved with one piece of legislation. Some of these complex issues include:

o Provide a national framework for data security and data breach notification,
o Designate and protect “covered critical infrastructure” (CCI),
o Clarify the role and authorities of the Department of Homeland Security (DHS),
o Ensure the security of the U.S. IT supply chain, and
o Create incentives for individuals and businesses to enhance their cybersecurity preparedness.

In particular, SIIA would welcome forward movement on good data security and breach notification legislation. However, House and Senate consideration of such legislation in 2011 revealed many significant differences that still need to be resolved.

While SIIA does not support a heavy regulatory approach to cybersecurity, we do believe that positive incentives have a higher probability of success in two ways: a higher chance of better actual cybersecurity outcomes, and a higher probability of actually becoming law. The private sector responds to incentives, and aligning the interests of the private sector with the outcomes that are in the national interest makes sense. Furthermore, positive incentives (rather than negative ones) are clearly the most effective way to drive higher levels of trust and actual cooperation between the private sector and government – vital things needed to produce real success. SIIA strongly supports exploring positive incentives for individuals and businesses of all sizes as a long-term ongoing approach to securing the Nation’s IT infrastructure.

We are hopeful that the Senate can pass cybersecurity legislation that will quickly address some of the most critical threats to our nation’s IT infrastructure. SIIA members – whose companies work tirelessly to develop and deploy cutting edge cybersecurity solutions – will continue to actively engage policymakers to rapidly enact legislation that promotes technological innovation as the key to better cybersecurity.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

Congress: Let’s Battle Cyber Crime Together

Cyber threats are more sophisticated and targeted than ever and are growing at an unprecedented rate–and it makes sense that Congress is paying more attention to such a significant issue.

Today, the House Small Business Committee held a cyber hearing on protecting small businesses, where Phyllis Schneck, Vice President for McAfee, Inc., testified on behalf of SIIA. And yesterday, Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) unveiled new bipartisan cyber security legislation to provide the government “the authority to share classified cyber threat information on potential attacks with approved American companies.”

There’s no doubt that American companies need help dealing with cyber crime. McAfee Labs finds, for example, that both malicious URLs and malware have grown almost six-fold in the last two years, and that 2010 saw more new malware than all previous years combined. Likewise, cyber crime perpetrators have evolved from simple, low-budget hackers into well-financed criminal operations that contribute to a multi-million dollar cyber crime industry.

But Congress must be careful to allow companies to attack cyber crime head-on, without limiting their ability to innovate and grow.

There are two schools of thought on government’s role in achieving a desired outcome: one that posits that regulatory mandates are the best way to incent good behavior (in this case, strong cyber security measures); and, alternatively, one that asserts that positive outcomes are best achieved via positive incentives.

The heavily regulatory approach would not necessarily make organizations more secure – just more compliant. And it would dampen innovation too. On the other hand, positive incentives have a higher probability of success in two ways: a higher chance of better actual outcomes, and a higher probability of producing legislative success. The private sector responds to incentives, and aligning the interests of the private sector with the outcomes that are in the national interest makes sense. Doing so could also provide rare proof that the phrase “win-win” is not always a cliché.

Positive incentives are clearly the most effective way to drive higher levels of trust and actual cooperation between the private sector and government – vital things needed to produce real success.

Learn more about today’s testimony on McAfee’s blog.


Laura Greenback is Communications Director at SIIA.

Botnets are Best Addressed with Multi-stakeholder Approach

Today, SIIA filed comments in the Departments of Commerce and Homeland Security’s proceedings geared toward addressing the problems of botnets and other malware. The harm from malicious software is well known–it can turn computers into elements of a robot network (or botnet), and can be activated by outside entities to launch denial of service attacks, send spam, or harvest personal information. The extent of the problem is hard to quantify, but in the aggregate undoubtedly imposes substantial economic costs on individuals and enterprises.

SIIA’s comments are in response to a process set in motion in September, when the Departments of Commerce and Homeland Security set out to craft a framework to address botnets and malware. The proceeding got a boost in October, when Howard Schmidt, Cybersecurity Coordinator for the Obama Administration, and Cameron Kerry, General Counsel for the U.S. Department of Commerce appeared at an event held by the Center for Strategic and International Studies focused on the need for public/private collaboration in fighting malware.

We endorse the fundamental idea of a voluntary approach, in which the government brings together relevant parties to confer on best practices. Our comments support multi-stakeholder discussions on how the private sector can develop and maintain timely and voluntary programs to detect and notify end-users that their machines have been infected with botnets or other malware, and to provide mitigation support that will eliminate these infections. SIIA wants to be part of these ongoing discussions.

Collaboration and cooperation between the public and private sector are key to addressing the problem in a holistic way. Some suggest a government role in subsidizing the notification and mitigation efforts needed to clean up infected computers. In this model, researchers inform network companies (or the companies become aware through their own traffic monitoring) of the IP addresses of infected computers on their networks. The network companies contact the customer whose computer appears to be infected and offer a government-sponsored clean-up scheme, which the customer is entitled to use if they wish. Australia, Japan and Germany have collaborative frameworks that follow this rough model.
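The notification step in that model has one technical subtlety the paragraph glosses over: a reported IP address only identifies a customer together with the time of the observation, because consumer addresses are reassigned. The following is an added example, not code from SIIA or any of the national programs named above, showing how a network operator might turn a researcher feed of infected-host observations into one notification per subscriber. The feed format, the lease records and every address in it are constructed for the example; a real operator would read its own assignment logs and feed formats.

```python
"""Map researcher-reported infected hosts to subscribers and build notifications.

Added illustration of the ISP notification model discussed above. The feed
format (timestamp, source IP, malware family) and the lease records are
constructed/hypothetical, not a real feed or a real operator's data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed researcher/sinkhole feed. Each line: <UTC timestamp> <IP> <family>.
# The last line is deliberately malformed to show that one bad record must not
# abort the whole batch.
FEED = """\
2011-11-01T08:15:00Z 198.51.100.23 zeus
2011-11-01T08:17:30Z 198.51.100.23 zeus
2011-11-01T09:02:10Z 203.0.113.77 conficker
2011-11-01T09:05:00Z 192.0.2.200 zeus
2011-11-01T09:10:00Z not-an-ip zeus
"""


def _ts(s):
    """Parse the feed's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Lease:
    """Which subscriber held which prefix during which interval (constructed)."""
    subscriber: str
    network: ipaddress.IPv4Network
    start: datetime
    end: datetime


# Constructed assignment records. Note that 203.0.113.64/26 changes hands at
# 09:00, so the 09:02 observation must be attributed to sub-0003, not sub-0002.
LEASES = [
    Lease("sub-0001", ipaddress.ip_network("198.51.100.0/24"),
          _ts("2011-10-31T00:00:00Z"), _ts("2011-11-02T00:00:00Z")),
    Lease("sub-0002", ipaddress.ip_network("203.0.113.64/26"),
          _ts("2011-11-01T00:00:00Z"), _ts("2011-11-01T09:00:00Z")),
    Lease("sub-0003", ipaddress.ip_network("203.0.113.64/26"),
          _ts("2011-11-01T09:00:00Z"), _ts("2011-11-03T00:00:00Z")),
]


def parse_feed(text):
    """Return (timestamp, ip, family) tuples; silently drop malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts_s, ip_s, family = parts
        try:
            records.append((_ts(ts_s), ipaddress.ip_address(ip_s), family))
        except ValueError:
            continue  # bad timestamp or address: skip this observation only
    return records


def lookup_subscriber(ip, ts, leases):
    """Find the subscriber who held `ip` at time `ts` (start <= ts < end)."""
    for lease in leases:
        if ip in lease.network and lease.start <= ts < lease.end:
            return lease.subscriber
    return None


def build_notifications(feed_text, leases):
    """Aggregate observations into one notification record per subscriber.

    Returns (notifications, unmatched): notifications maps subscriber id to a
    summary (families seen, observation count, first/last seen); unmatched
    lists observations for addresses the operator does not serve at that time.
    """
    notifications = {}
    unmatched = []
    for ts, ip, family in parse_feed(feed_text):
        sub = lookup_subscriber(ip, ts, leases)
        if sub is None:
            unmatched.append((ts, ip))
            continue
        n = notifications.setdefault(
            sub, {"families": set(), "observations": 0,
                  "first_seen": ts, "last_seen": ts})
        n["families"].add(family)
        n["observations"] += 1
        n["first_seen"] = min(n["first_seen"], ts)
        n["last_seen"] = max(n["last_seen"], ts)
    return notifications, unmatched


if __name__ == "__main__":
    notes, unmatched = build_notifications(FEED, LEASES)
    for sub, n in sorted(notes.items()):
        print(f"{sub}: {n['observations']} observation(s) of "
              f"{', '.join(sorted(n['families']))} "
              f"between {n['first_seen']:%Y-%m-%d %H:%M} and {n['last_seen']:%H:%M} UTC")
    print(f"{len(unmatched)} observation(s) not attributable to a subscriber")
```

Two design points matter for any real deployment of this workflow. The lease lookup is time-bounded, so a notice goes to the customer who actually held the address when the infection traffic was seen rather than whoever holds it at report-processing time; and observations are aggregated per subscriber, so a repeatedly beaconing host produces one notice with a count rather than a flood of messages, which is what keeps such notices credible to end users.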

In the United States, search engines are already taking steps to warn users that their computers might be infected. In July 2011, Google discovered that some unusual traffic connecting to its search engine was caused by computers infected with a specific strain of malware.  Google responded by displaying a prominent warning at the top of its search results page when it appeared that a user’s computer was infected with this malware.

Despite these efforts, SIIA believes that there would be great benefit from further discussion of collaborative efforts to address this problem. We have several points to further the discussion:

*  A voluntary code of conduct approach is preferable to regulatory intervention.
*  ISPs need to be involved because they have a privileged role in the infrastructure.
*  Other participants should include security firms, search engines and computer services companies.

SIIA welcomes this facilitation role in the case of collaborative efforts to manage the botnet problem. We urge that the agencies act as the convener and facilitator, providing a platform for the airing and discussion of the views of industry, non-governmental organizations, technical experts and international participants. We also want to make sure that the codes that emerge from this process are voluntary self-regulatory standards, not de facto regulatory mandates.

For further discussion of the general problem of botnets, see Tyler Moore, Richard Clayton and Ross Anderson, “The Economics of Online Crime,” Journal of Economic Perspectives, Volume 23, Number 3, Summer 2009, Pages 3–20. See also Symantec and McAfee, Botnets Demystified and Simplified.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

SIIA Joins Call for U.S. Action to Promote Cross-Border Data Flows

Today, SIIA endorsed principles for promoting cross-border data flows. SIIA joined with the National Foreign Trade Council and other trade associations representing a broad range of U.S. companies in supporting this major business priority. The principles seek to bring to bear the resources of trade law to promote the global flow of data across national boundaries.

American businesses are being harmed by the many barriers inhibiting the flow of data across international borders. Many countries want to impose restrictions on the transfer of data, while others seek to inhibit access by companies or individuals to lawfully available information located outside their jurisdiction. Still others demand that companies provide computing or information services through domestic facilities, in effect requiring localization of plant and equipment.

These practices inhibit economic growth, trade in services, innovation and the free expression of ideas in the global economy. The principles endorsed by SIIA underscore the significance of the problem and encourage the U.S. government to seek remedies in a variety of international organizations. The forums where this problem can be addressed include the World Trade Organization (WTO), Asia Pacific Economic Cooperation (APEC) forum, OECD, and regional trade negotiations such as the Trans-Pacific Partnership.

SIIA’s goal is to have the U.S. government treat these practices as violations of current international rules concerning digital goods, services and information. By joining with the rest of the U.S. business community in endorsing these principles, SIIA is urging the U.S. government to identify these practices as violations of international rules and resolve them through WTO or bilateral consultations.

The principles also address the important issues of intellectual property protection and limitations on liability for internet intermediaries. But rather than reinventing the wheel, the principles reference the approach contained in the Communiqué on Principles for Internet Policymaking related to intellectual property protection and limiting intermediary liability developed by the Organization for Economic Cooperation and Development (OECD) in June 2011.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

Cybersecurity is a major national security issue

Yesterday, SIIA applauded the House Republican Cybersecurity Task Force’s conclusion that cybersecurity is a major national security issue and a critical component of economic growth. In particular, SIIA strongly supports the Task Force’s support for a global approach to cybersecurity that seeks international consensus to avoid fragmented, unpredictable national requirements.

The recommendations appropriately recognize the need to avoid hobbling U.S. industry with a set of U.S.-only standards. The Task Force instead calls for international collaboration and heavy engagement with the private sector on security standards that are not U.S.-centric.

Public-private cooperation is vital for the success of any security regime. SIIA appreciates that the Task Force has focused on enhancing incentives, not increasing regulations, to encourage private companies to step up cybersecurity. In the fast-changing world of cybersecurity, strict mandates could hinder businesses from adapting to the ever-changing technology landscape.

The fact is, strong cybersecurity initiatives already exist within the marketplace. When there is agreement that the needed level of security goes beyond that for which a business case can be made, the most effective role for government is to provide businesses with support and further incentives.

SIIA further concurs that improving information-sharing is a critical element of cybersecurity. SIIA members are industry leaders in providing a wide range of cybersecurity products and services to help users protect themselves. The government could play a very effective role in promoting public awareness of threats–and best practices to protect against those threats.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

SIIA submits comments on Cybersecurity, Innovation and the Internet Economy

In our continuing effort to maintain and expand the partnership between the private sector and the government to address our nation’s cybersecurity challenges, SIIA submitted comments to the Department of Commerce on Monday in response to their recent Green Paper on Cybersecurity, Innovation and the Internet Economy.

At the heart of the Green Paper is an effort to help define the roles of the Government and the private sector in combating cybersecurity threats and protecting the systems and networks that support the infrastructure that drives the nation’s economy. In our comments, SIIA offered strong support for the Department’s approach of looking toward voluntary codes of conduct for an innovative sector such as the Internet and Information Innovation Sector (I3S). We noted that the most critical element of achieving these goals is to resist an approach that is overly prescriptive, where mandates would have the adverse effect of slowing the development of standards in the private sector, or the unintended effect of putting U.S. companies at a disadvantage to their counterparts around the world. Given the broad, rapidly-evolving cross-section of industry that comprises the I3S, a flexible industry-led approach is the best path forward to achieve an ideal security framework, rather than a regulatory model.

SIIA also noted that while the primary purpose of the Green Paper is to bolster security in an area that lies outside the critical infrastructure segment, the exercise can also help to appropriately define what counts as “covered critical infrastructure,” avoiding confusion and allocating resources where they are most needed.

For SIIA policy updates including upcoming events, news and analysis, subscribe to SIIA’s weekly policy email newsletter, Digital Policy Roundup.

SIIA sends cybersecurity recommendations to Administration

As the Administration completes its review of the legislative proposals to improve the security of federal and critical information infrastructure, SIIA pushed for a robust partnership between the private sector and the government in a letter to officials today.

The Administration’s legislative recommendations on cybersecurity will be released shortly and are expected to provide impetus to the legislative process on the issue in Congress. Sens. Lieberman and Collins have reintroduced their cybersecurity bill, and it will likely be combined with a similar bill from Sens. Rockefeller and Snowe–with the possible outcome of a combined legislative vehicle on the part of Senate Majority Leader Reid.

SIIA’s letter features six recommendations that would help the government keep pace with the ever-evolving challenges of protecting the nation’s online systems, networks and data. Here are the recommendations:

Public Private Partnership

The private sector is on the frontlines of active security defense for our nation’s critical infrastructure since the majority is owned, operated, and maintained by industry. Therefore, a robust partnership between the public and private sectors is vital. Government should collaborate with industry to develop reasonable security practices and find technology solutions that ensure our nation’s security.

Risk-Based Security

No set of precautions can ensure absolute security. Reasonable cybersecurity measures must address threats based on the importance of the networks and systems involved and the nature of the threat they face. For this reason, government should address risks to systems and networks that are part of our nation’s critical infrastructure differently from its approach to risks to systems and networks that are not part of our critical infrastructure. To ensure predictability and transparency for the private-sector companies that manage these systems and networks, government should provide a clear, public and consistent boundary between critical and non-critical infrastructure. Further, critical infrastructure should be narrowly defined to include only the systems and networks of the utmost importance to national security.

Layered Security

Experts regard a layered approach to security as the best practice. Security in depth minimizes the chance that any single point of failure will result in the leak of information or the compromise of a system. Elements of a layered approach to security include protection at the data/document level, at the application and OS levels, and finally at the network/perimeter level. Government should adopt layered security for its own use, and encourage its adoption by the private sector through voluntary means.

International Coordination

Security threats are global. Adequate countermeasures can be developed only through global cooperation among governments and industry. For this reason, government and the private sector should cooperate to establish, maintain, and upgrade internationally accepted security standards. In particular, government should look to the Common Criteria as the basis for evaluating the security of technology products. For supply chain requirements, governments should adhere to public, internationally accepted standards which are audited pursuant to international standards.

Security Incentives

Strong market incentives already exist within the marketplace to promote increased innovation within the constantly evolving cybersecurity landscape. To the extent that government and the private sector agree that the needed level of security goes beyond that for which a business case can be made, government should provide incentives such as confidentiality, liability protection, and tax incentives that lead the private sector to implement desired security measures. The government should not mandate specific measures that need to be adopted by the private sector. Specific mandates generally do not adapt with the changing threat and technology landscape, potentially becoming a hindrance to security advancement later on.

Innovation

Cybersecurity is a dynamic and evolving field that must respond to the rapidly changing, innovative nature of the information technology sector itself. For that reason, government should provide resources, support, and guidance for research and development in this field and use its role as a convener to encourage multi-stakeholder cooperation and information sharing.