06/03/2013 11:49 am ET Updated Aug 03, 2013

Translating Good Intentions Into Effective Cybersecurity Policy

Governments around the world are considering regulatory changes in an effort to reduce cybersecurity risk; in fact, more than 40 governments are working on cybersecurity plans, policies, and/or regulations. Why this increased focus on cybersecurity? There are two primary drivers: (1) societal dependence on the Internet has grown dramatically, as virtually every aspect of daily life -- whether social, economic or political -- has a cyber component; and (2) there has been a rise in sophisticated Internet attacks, including some of which suggest nation-state involvement.

Albert Camus once said, "[G]ood intentions may do as much harm as malevolence if they lack understanding." Having a common understanding of cybersecurity challenges is key to developing effective cybersecurity policy. There is no single set of actions or controls that will enable a government, a critical infrastructure owner/operator, or an enterprise to adequately reduce its exposure to cybersecurity risk. Improving cybersecurity risk management and increasing resiliency in the face of complex and persistent attacks requires government and industry to build a better and more comprehensive model for security policy. Although this may include some form of regulation, it is crucial that any new model preserve the private sector's ability to innovate its technology and response processes to address changing threats. Equally important, ICT vendors and operators should not be forced to waste precious and limited resources addressing burdensome compliance requirements that do not meaningfully reduce risks posed by existing and emerging threats.

In my last post I described a framework for an effective global approach to cybersecurity and called on governments to:
  • Integrate the private sector into national and international efforts to enhance cybersecurity
  • Promote cybersecurity policies that are technology-neutral and innovation friendly
  • Anchor their approach to securing IT systems in risk management
  • Encourage dynamic information sharing, focused on addressing specific challenges
  • Continually keep in mind the global and international ramifications of their actions

I believe that these principles provide the flexibility needed to address the dynamic cybersecurity threat environment. These principles, if used by policymakers, can guide the development of government policies that are responsive to current challenges. The resulting policies and public-private partnerships can in turn inform the decisions of critical infrastructure owners and operators, as well as the efforts of information and communications technology vendors.

There are vital cybersecurity efforts happening today on both sides of the Atlantic Ocean. In the U.S., the administration is working hard to implement an Executive Order on Cybersecurity; in the EU, policymakers are engaging on the proposed Network and Information Security (NIS) Directive. These two efforts are seminal developments in cybersecurity policymaking and will have significant implications for the security of the economies responsible for half of the world's economic output and a third of all trade.

I urge European and U.S. policymakers to work together to develop global, harmonized approaches to cybersecurity risk management. This week, I'll participate in a Microsoft event in Brussels involving European policymakers, U.S. officials, key European countries, and private-sector practitioners, all of whom are thinking about the various ways we can improve the state of cybersecurity. This is an important opportunity to exchange views and share experiences about how to better:
  • Understand the current cybersecurity threat environment to better inform risk assessment and risk management efforts;
  • Establish key priorities for reducing cybersecurity risk in critical infrastructure and encourage broad adoption of good practices;
  • Leverage international standards in the development of the appropriate security measures; and
  • Address the challenges related to exchanging cybersecurity incident data to achieve a positive outcome.

The discussion clearly has global ramifications. Harmonizing cybersecurity requirements and risk management approaches -- as well as considering each region's sometimes common and sometimes unique imperatives -- will be critically important if we want a global Internet to continue to thrive. In a future post, I will present some further ideas for advancing the dialogue around establishing cybersecurity norms.