Improving our Nation’s Cybersecurity through
the Public‐Private Partnership
A White Paper
Presented by
March 8, 2011
EXECUTIVE SUMMARY
We live and work in, and are dependent on, a networked world. That is why the
Business Software Alliance, the Center for Democracy and Technology, the Internet Security
Alliance, TechAmerica, and the U.S. Chamber of Commerce believe that the cybersecurity of
our critical infrastructure must be a national priority. However, the complexity and
interconnected nature of the Internet, and the ever‐evolving and sophisticated threat
environment, put cybersecurity beyond the reach of any single entity: to secure our critical
infrastructure, companies must work together, government must coordinate its efforts, and
industry and government must collaborate.
To that end, many government and industry organizations have made considerable
investments over the years to develop a strong public‐private partnership. Those investments
are paying off: this paper details many of the important cybersecurity achievements that the
partnership has delivered.
We think, however, that more can be done. This is why this paper proposes building on
this strong track record, by expanding the existing partnership within the framework of the
National Infrastructure Protection Plan. Specifically, we make a series of recommendations that
build upon the conclusions of President Obama’s Cyberspace Policy Review in seven important
areas of cybersecurity:
Risk Management:
  o Standards: Government and industry should utilize existing international standards and work through consensus bodies to develop and strengthen international standards for cybersecurity.
  o Assessing Risk: Government and industry need to recognize that their risk-management perspectives stem from different roles and responsibilities. Where government demands a higher standard of care, market incentives need to be available to accommodate non-commercial needs for security.
  o Incentives: Government and industry must develop a menu of market incentives to motivate companies to voluntarily upgrade their cybersecurity. The incentives must be powerful enough to affect behavior without being so burdensome as to curtail U.S. investment, innovation, and job creation.
Incident Management: Government should fully establish industry’s seat in the integrated watch center and begin evaluation and process for growing industry’s presence. Industry should ensure a long-term plan for filling the watch center seats; and participants should report lessons learned from collaborative exercises as soon as possible and undertake improvement measures on a timely basis.
Information Sharing and Privacy: Government and industry should clearly articulate information needs and how to promote more effective information-sharing to address those needs; information-sharing for cybersecurity purposes should be transparent and should comply with fair information practice principles; government should consider how it can share more classified and sensitive information, particularly the parts of that information that can help the private sector defend its systems; and in consultation with interested parties, including industry and civil liberties organizations, Congress should consider whether narrow adjustments to surveillance laws are needed for cybersecurity purposes.
International Engagement: Industry and government need to engage international organizations and standards-making processes and work together to develop a strategy for engagement, capacity building, and collaboration on issues of global concern.
Supply Chain Security: Government should expand its participation in the international system that develops supply chain security standards and work with industry to identify and disseminate them. Government should then leverage these standards when it acquires technology and take steps to ensure it does not acquire counterfeit technology products.
Innovation and Research and Development: The public-private partnership should be used to create a genuine National Cybersecurity Research and Development Plan with prioritized, national-level objectives and a detailed road map that specifies the respective roles of each partner. The plan and its implementation road map should be regularly reviewed by the partners and adjusted as necessary.
Education and Awareness: The public-private partnership should enhance cybersecurity public awareness and education, and increase the number of cyber-professionals available to both government and business, including through policies that boost the number of science, technology, engineering, and mathematics (STEM) college students graduating each year.
~~~~~~~~~~~~~
INTRODUCTION: THE PUBLIC‐PRIVATE PARTNERSHIP NEEDS TO BE FULLY REALIZED
THROUGH MEANINGFUL AND REGULAR COLLABORATION
The security of private‐sector and government network infrastructure is a national
priority. U.S.‐based information networks and critical infrastructures are complex and diverse,
and most of them are owned and operated by the private sector. Industry has been working
continually to enhance the security and resiliency of these systems and is committed to
continuing these efforts through a voluntary partnership with government. Industry players
have created and developed new products and services that make up information systems and
networks, and they continue to innovate to enhance those products and services for
operability, productivity, stability and security.
Given the complexity and interconnected nature of information systems and networks,
as well as an ever‐evolving and sophisticated threat environment, no one organization or entity
can address U.S. national cybersecurity alone. Industry players must work together,
government entities must harmonize their approaches to protecting critical infrastructure, and
government and industry must work together to address common concerns and build
collaborative solutions. The public‐private partnership on critical infrastructure protection and
cybersecurity has an evolutionary history that has culminated in the partnership structure that
government and industry collectively created and utilize today under the National
Infrastructure Protection Plan (NIPP).[1]
The current critical infrastructure protection partnership is sound, the framework is
widely accepted, and the construct is one in which both government and industry are heavily
invested. The current partnership model has accomplished a great deal. However, an effective
and sustainable system of cybersecurity requires a fuller implementation of the voluntary
industry‐government partnership originally described in the NIPP. Abandoning the core tenets
of the model in favor of a more government‐centric set of mandates would be
counterproductive to both our economic and national security. Rather than creating a new
mechanism to accommodate the public‐private partnership, government and industry need to
continue to develop and enhance the existing one. In order to more fully articulate the benefits
and continuing needs of the partnership, this report outlines key components of the
government‐industry interaction in cybersecurity. The key components of the outline derive
heavily from the Cyberspace Policy Review (CSPR) and industry priorities, and we examine each
for the benefits, successes, and outstanding objectives.
[1] The National Infrastructure Protection Plan (NIPP) is available at http://www.dhs.gov/files/programs/editorial_0827.shtm#0
Government and industry sources have documented the substantial progress the
current market‐oriented process has made. In 2009 President Obama commissioned staff from
the National Security Council to conduct an intensive review of our nation’s cybersecurity which
found that “many technical and network management solutions that would greatly enhance
security already exist in the marketplace but are not always used because of cost and
complexity.”[2]
The marketplace has seen the development of many products and services that provide
for greater cybersecurity. Their effectiveness has been affirmed by both government and
industry studies that note that a significant number of cyber events could have been prevented
or had their effects mitigated by using the standards, practices, and technologies the
marketplace has already created.[3]
The CSPR’s finding that cost and complexity, not lack of ability or commitment, are the
largest problems in implementing effective cyber solutions has also been confirmed by multiple
independent studies. This research shows that although many enterprises are investing heavily
in cybersecurity, many others, largely due to the economic downturn, are reducing their
cybersecurity investments.[4] As President Obama has noted, “Due to the interconnected nature
of the system this lack of uniform implementation of sound security practices both undermines
critical infrastructure and makes using traditional regulatory mechanisms difficult to achieve
security.”[5]
A number of policy and operational accomplishments have already been achieved
through the current industry‐government partnership. These accomplishments include the
development of cybersecurity standards and best practices through the global, multi‐
stakeholder ecosystem of standard‐setting organizations, creation of the Sector Coordinating
Councils, Critical Infrastructure Partnership Advisory Council (CIPAC) legal structure, the
completion of a National Cyber Incident Response Plan (NCIRP), the successful execution of the
Cyber Storm exercises, and several sector risk assessments. There have also been
[2] Obama Administration, Cyberspace Policy Review – Assuring a Trusted and Resilient Information and Communications Infrastructure, at 31.
[3] Aerospace Industries Association Annual Conference, Robert Bigman comments on Cyber Security, Washington, DC, October 2008; U.S. Senate, hearing before the Committee on the Judiciary, Subcommittee on Terrorism and Homeland Security, Testimony of Richard C. Schaeffer, Jr., Information Assurance Director of the National Security Agency, November 17, 2009, http://judiciary.senate.gov/pdf/11-17-09%20Schaeffer%20Testimony.pdf; Verizon, 2010 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf; PricewaterhouseCoopers, The Global State of Information Security, 2005; Verizon, 2008 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/security/databreachreport.pdf.
[4] PricewaterhouseCoopers, The Global State of Information Security, 2008; Center for Strategic & International Studies, In the Crossfire: Critical Infrastructure in the Age of Cyber War, 2010.
[5] White House, Remarks by President Obama at White House Meeting on Cyber Security, July 2010.