FPF’s Chris Wolf is currently participating in the International Telecommunications Union’s Telecom World in Geneva. The International Telecommunications Union (ITU) is part of the United Nations and handles issues in information and communications technology. Chris is on a panel discussing cybersecurity challenges and was also invited to submit his paper The Role of Government in Commercial Cybersecurity: Public-Private Partnerships and Improvements in Government Data Security Rather Than Government Control as the Optimal Model. Please enjoy Chris’ remarks that he will give today at the conference:
“Thank you for inviting me to speak with you today.
ITU Telecom World 2011 here in Geneva has brought together heads of state, leaders of government and international organizations together with corporate CEOs, mayors of top cities, thought leaders, innovators and researchers. I am honored and humbled to be included among such an elite group.
And among the topics being explored here at the ITU gathering, perhaps none is as pressing as the issue of cybersecurity. So I am especially pleased to be on this panel exploring that issue.
My part of this program, in contrast with the other presentations, has a truly “macro” focus: the role of government in achieving cybersecurity.
In the paper I prepared for this session, I observe that given the dramatic increase in cybersecurity incidents, some look to government to take control of the cybersecurity problem. And in my paper, I have concluded that not only is government control not possible in most modern democracies, but it is not the best approach at all.
In my own country, the United States, there are restrictions on the government “taking charge” of the flow of information through network access, monitoring, and/or control, as well as the limitations of government technical capabilities. As a result, US cybersecurity policy is collaborative, with the government working with industry to develop flexible standards rather than prescribing complex regulations. The result is a process-oriented, thematic approach to commercial cybersecurity that is more likely to produce optimal business practices.
Indeed, government control of cybersecurity is ill-advised even in non-democratic countries, such as China. I currently am examining the so-called MLPS proposals in China, which would require indigenous Chinese technology for cybersecurity, and am concluding that a restrictive and prescriptive approach to information security blocks the adoption of best available technology and practices.
After reviewing frameworks in the US, the EU and Asia, I have concluded that government’s principal role in protecting cyberspace is and should be through (1) law enforcement, (2) improvements to its own cybersecurity and sharing its research and experience with industry and the public, and (3) engaging in a public-private dialogue about cybersecurity through which it incorporates suggestions from industry into cybersecurity policy.
I would like to talk about the approach in the US, before some observations about the situation in the EU and Asia:
First, the United States’ approach to the security of its own internal government networks is relevant to the extent that the US government shares with industry some of its security standards. This, in turn, encourages commercial entities to follow the government’s own rigorous standards. Indeed, in some circumstances, commercial government contractors are required to follow those standards. As a result, the government leads in establishing some security standards.
A key component of the US government’s approach to commercial cybersecurity policy has been to facilitate a public-private dialogue that has enabled both government and industry to learn from each other’s experiences. For example, the US Computer Emergency Readiness Team (“US-CERT”), the operational arm of the National Cyber Security Division at the Department of Homeland Security, is a public-private partnership that interacts with federal agencies, industry, the research community, state and local governments, and others to publish cybersecurity information. US-CERT also provides interested parties with the ability to communicate and coordinate directly with the United States government on cybersecurity. From personal experience in assisting law firm clients in dealing with cybersecurity incidents, I can tell you that US-CERT plays an extremely useful role.
Perhaps the best example of the constructive role private entities can play in the public-private dialogue is the defenses mounted by private company security experts against the Conficker worm.
The Conficker worm, as you undoubtedly know, is one of the world’s most devastating pieces of malware that continues to baffle experts and has infected more than twelve million computers around the world, including those of the British Parliament and the French and German military. In November of 2008, a group of cyber warriors, who called themselves the “Conficker Cabal,” volunteered their time, and in some cases their own money, to identify, dissect, track, monitor and defend the Internet against this massive exploit. This episode is described in a new book by author Mark Bowden entitled “Worm: The First Digital World War” and illustrates the role private parties can play in the private-public partnership.
Two other US developments to note before I move on to other parts of the world:
In March 2011, a broad coalition of business, civil liberties, and Internet security groups released a white paper that supports the continued use of public-private partnerships to address cybersecurity rather than have the government play a more prescriptive and intrusive role. The paper, entitled “Improving Our Nation’s Cybersecurity through the Public-Private Partnership,” emphasized the importance of collaboration between the private and public sectors but concluded that the complexities of the Internet and the sophistication of cyber-criminals made centralized control of the problem ill-advised.
And in June of this year, the US Department of Commerce issued a “Green Paper” preliminarily recommending a new framework for commercial cybersecurity entitled “Cybersecurity, Innovation and the Internet Economy.” The report discusses how to improve the cybersecurity practices of companies that operate online in the so-called “Internet and Information Innovation Sector,” not including companies in “critical infrastructure” sectors that implicate national security interests.
The Department of Commerce Green Paper recommended (1) work with multi-stakeholder groups to develop, when necessary, nationally recognized and consensus-based cybersecurity standards and practices specific to the covered businesses; (2) work with industry to create, through public policy, public-private partnerships and other means, new incentives for firms to follow nationally recognized cybersecurity standards and practices as consensus around them emerges; (3) work with industry and other federal agencies to deepen private-sector and public understanding of cybersecurity vulnerabilities, threats, and responses in order to improve incentives, research and development, and education; and (4) continue to enhance the Department of Commerce’s international collaboration and cooperation activities regarding cybersecurity.
Specifically, the Green Paper called for improved commercial cybersecurity through the use of voluntary self-regulatory industry standards. It also contemplated the development of external incentives for businesses that institute strong cybersecurity practices, such as liability protection, improving the availability of cybersecurity insurance, and tax breaks. Notably, none of these methods would impose prescriptive regulations on businesses.
On the US approach to cybersecurity, let me conclude by saying that it is a work in process, as evidenced by the keen interest demonstrated by lawmakers on Capitol Hill this year. But the general framework, a not overly-prescriptive and collaborative framework, is likely to remain the norm.
In the EU, member states have implemented privacy and data security laws pursuant to several directives of the European Parliament and Council, including the 1995 Data Protection Directive and the 2002 E-Privacy Directive. These contain requirements pertaining to the processing and safeguarding of personal data and the confidentiality of electronic communications, which the member states have transposed into national law, and while the directives contain detailed and extensive privacy and confidentiality requirements, their treatment of data security is less comprehensive.
Apart from these general principles, the directives say little with respect to data security. Given the generality of these requirements, the EU member states have had considerable flexibility in implementing the directives’ security mandates. As noted in recent reports by the European Network and Information Security Agency (ENISA)—an EU agency established in 2004 to enhance the capability of the member states and their business sectors to prevent, address, and respond to network and information security threats—this variance is not without costs in terms of addressing transnational issues such as cybersecurity.
In a March 2011 report on the threat posed by “botnets,” ENISA found that the diversity of the member states’ legal frameworks in the context of cybercrime was a “key factor” affecting the fight against botnets. The report also noted that the detection and mitigation of cybercrime was limited by conflicts between the member states’ data protection and IT security laws. Among other recommendations, the report called upon regulators to harmonize European laws in order to facilitate mitigation processes and cooperation at an international level.
Just in time for my presentation today, ENISA recently issued a new guide with thirty-six recommendations on building effective Public and Private Partnerships for data security, called “Cooperative Models for Effective Public Private Partnerships – Good Practice Guide.” ENISA recognized that across the EU, the critical infrastructure of most member states is in the hands of the private sector and, therefore, to provide secure and reliable system access for citizens and businesses, industry and governments must work together. The ENISA Guide underlines the need for a common understanding across Europe of the importance of a public-private partnership.
Finally, turning to non-European countries, APEC, the group of nations addressing Asia-Pacific Economic Cooperation, has made cybersecurity a priority. In the APEC TEL Strategic Plan for 2010 to 2015, there is a commitment to promote the development of effective cyber security initiatives, in accordance with the APEC Cybersecurity Strategy and the APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environment, including through distribution of best practice approaches, information sharing, technical cooperation, training and education.
Governments and businesses of the world, from the US, to the EU to Asia, recognize the urgency of cybersecurity for national and international health, welfare and economic growth.
There is a convergence in approach internationally, one that recognizes that governments do not have all of the answers – that they cannot and should not prescribe the technologies to defend computer networks. There is a role for government, to be sure – in law enforcement, in leading by example, and in facilitating research and incentives for information security development. There is a growing recognition that governments working together with industry, through public-private partnerships can help advance cybersecurity significantly.
Thank you very much.”