Posts Tagged ‘intel corporation’
Brief session description:
Thursday, July 26, 2012 – The US House of Representatives has passed four cybersecurity bills, and the US Senate has indicated an intent to consider cybersecurity legislation in the current session. The US Department of State is working with its global partners to develope relationships, collaborative action and norms of behavior for cyberspace. The US Department of Commerce has spearheaded a government initiative on botnets and is working with industry on botnet mitigation measures. The Department of Homeland Security is increasing its cybersecurity staffing for strategic and operational concerns. And the White House is transitioning its team on cybersecurity policy with a second cybersecurity adviser to the president. Stuxnet and Flame attacks have captured international attention. Cybersecurity remains a key theme in discussions in the United Nations, the International Telecommunications Union, the Organization for Economic Cooperation and Development, the Asia-Pacific Economic Cooperation, ICANN and the annual Global Internet Governance Forum. This workshop addressed questions such as: What are businesses, countries, and the technical community doing in this heightened era of cyber security concern? What should they be doing? What are the considerations for individual users here in the U.S. and around the world? How can all these pockets of activity help protect – and not hamper the protection of – the very medium that provides for productivity, communications, efficiencies, innovation, and expression?
Details of the session:
The session was moderated by Audrey Plonk, global security and Internet policy specialist at Intel Corporation. Panelists were:
- Tom Dukes, senior advisor, Office of the Coordinator for Cyber Issues, US Department of State
- Jeff Greene, senior policy counsel, Cyber Security and Identity, Symantec
- Kendall Burman, senior national security fellow, Center for Democracy and Technology
- Patrick Jones, senior director of security, ICANN
Panelists from the government and private sectors gathered at IGF-USA’s cybersecurity workshop to discuss how these entities are collaborating to deal with domestic cybersecurity threats and international cybersecurity issues.
This issue is especially pertinent right now. There have been a number of high-level conferences and meetings in Washington and other locales over the summer of 2012 on this topic, and, as moderator Audrey Plonk, global security and Internet policy specialist for the Intel Corporation, puts it, “Cybersecurity is the new black.”
Jeff Greene, panelist and senior policy counsel of cybersecurity and identity at Symantec, agreed. “At this time three years ago, cybersecurity was something that was mentioned in passing,” he commented. “Now the interest is exponential.”
Symantec’s business is centered on protecting enterprises from cyberthreats. Greene, who until recently worked with the Department of Homeland Security, said that according to this year’s Symantec Internet Security Threat Report, 75 percent of the enterprises Symantec deals with were threatened with a cyber attack in 2011.
He added that while the incidence of spam decreased in 2011, there has been a shift to web-based attacks. Greene also said the government and private sector are working together to reduce such threats.
“It is remarkable how much of the threat dynamic in both sectors is the same,” Greene said. “We see criminal and other malicious activity largely the same as the government does, so this is all work through government, private and international cooperation.”
Panelist Kendall Burman had a different view on government access to private sector and citizen information in terms of cybersecurity. As a senior national security fellow for the Center for Democracy and Technology, she has spent time exploring security and surveillance from the perspective of a member of a group focused on consumer privacy.
“I think that the tricky area from a civil liberties perspective is when the government is in a position of receiving that information, making sure that that information is limited to cybersecurity threats, and what the government can then do then once it receives it,” Burman said.
Panelist Tom Dukes, senior adviser for the Office of the Coordinator for Cyber Issues at the US Department of State, weighed in from a government standpoint on cybersecurity issues, including the important role of the US government in pushing other countries to increase their outreach and share their perspectives on cybersecurity issues.
“Obviously what the US says, the positions we take, are highly influential and they are certainly looked at by a great many other countries,” Dukes said.
“One thing that the US has been trying to do for the last couple years in terms of addressing cyberpolicy issues in general, cybersecurity included, is to try to take sort of a leadership role in helping shape the world debate on how we think about these issues.”
Dukes said that the US has also made progress in terms of leading a global discussion on reaching a consensus about cyber security norms. Greene said that while the U.S. would like to set its own cybersecurity policies, this could cause global problems.
“If everyone has a different set of rules, (global policymaking)’s going to be pretty difficult,” Greene said.
Panelist Patrick Jones, senior director of security for ICANN, shared his view that while US policymaking is important in terms of cybersecurity, politicians should be aware of the effects that any laws they make may have globally.
“It’s helpful for policymakers, when they’re coming up with legislation, that they think of the Internet as global and consider that the decisions they make may have technical impacts that they’re not considering that impact the way people are using the Internet today – give those a thorough understanding before decisions are made about a particular legislation,” Jones said.
One of the final points of discussion during the workshop was the differences between cybersecurity and information security.
In the discussion it was noted that cybersecurity, in the US view on Internet governance, deals primarily with protection from Internet threats. Information security, in the Russian and Chinese view, also includes censoring the civic sector and content from many Western media and knowledge organizations.
Dukes said there are two considerations for openness and freedom of information that convince most leaders in the world to find common ground in the fairly liberal US position on cybersecurity issues.
First is the basic human rights aspect of the argument; many countries accept that people should, whenever possible within the bounds of public safety, have certain rights of free speech, communication and assembly. Most countries agree that this should apply online.
Dukes’ second point is the economic benefit of keeping the Internet as open and free-flowing as possible. “Many evolving world countries are really desperate to find ways that they can harness the power of the Internet to increase economic opportunity, to increase GDP, to increase development and growth,” he said. “Those arguments seem to be very pragmatic, but it’s hard for countries to disagree with that.”
— Mary Kate Brogan
Cybersecurity is a multifaceted issue that requires attention to various strategic and operational efforts to make progress. Five overarching areas for focus are 1) development of a national strategy; 2) collaboration between government and industry; 3) cybercrime; 4) incident response; and 5) building a culture of cybersecurity/awareness. This session was scheduled to explore how the U.S. is addressing each of these, where there are opportunities for improvement and obstacles to progress, where the U.S. needs to work with international partners, and how cybersecurity contributes to Internet governance globally. Session moderators were Liesyl Franz, vice president for information security and global public policy at TechAmerica, and Audrey Plonk, global security and Internet policy specialist at Intel Corporation.
Details of the session:
Panelists and moderators discussed cybersecurity at one of the first morning workshops at the 2010 Internet Governance Forum-USA at Georgetown University Law Center. Co-moderator Liesyl Franz introduced the workshop and set the scene by presenting the session’s five overarching areas of focus, including national strategy, collaboration between government and industry to foster cybersecurity, combating cybercrime, incident response and building a culture of cybersecurity and awareness.
Developing a national strategy
The United States’ national strategy for cybersecurity has constantly evolved over the past 15 years. In the 1990s, the Critical Infrastructure Protection Board was created to address issues tied to cybersecurity. A few years later the United States created the Department of Homeland Security. These organizations worked to create the National Strategy to Secure Cyberspace, which was put into place in 2003.
“We’ve moved even beyond the 2003 strategy towards a more comprehensive strategy that is really trying to encompass all the departments and agencies in the United States federal government and deal with the international aspects,” said co-moderator Audrey Plonk, global security and Internet policy specialist at Intel Corporation. “Having a high level of strategy is very important.”
The Obama administration conducted a “clean-slate” review to assess U.S. policy, strategy and standards regarding security and operations in cyberspace in the summer of 2009. That report, aimed at addressing economic, national security, public safety and privacy interests can be found here: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Collaboration between government and industry
The panelists noted that a national strategy is dependent on the collaboration of many people, including industry bodies and government agencies.
Cheri McGuire, director for critical infrastructure and cybersecurity at Microsoft and chair of the Information Technology Sector Coordinating Council, said that the public/private partnership relies on several key principles.
“One principle is trust,” McGuire said. “There is a long history of lack of trust between industry and government. This adds a unique factor to when government invited industry to the table to work collaboratively on cybersecurity issues.”
She noted that many public and private partnerships from the past can be used as a lesson on how to conduct successful partnerships today. “There is no one right model, there is no one right way to do this,” McGuire said. “There are a lot of lessons learned – that the many of us who are involved in the public and private debate have learned – that can be used to create the framework for these partnerships.”
The IT-SCC was established in 2006 to encourage cooperation between tech industry entities in addressing infrastructure protection, response and recovery. To read more, see http://www.it-scc.org/.
“Cybercrime runs the gamut of most of the bad things that humans do to each other,” said Don Codling, unit chief at the Federal Bureau of Investigation. “Think of everything from slavery, to human trafficking, to embezzlement, to fraud. You can even hire a hit man online.”
Codling said the domestic approach of the FBI regarding cybercrime almost instantly turns into a global effort. Due to the nature of the Internet, how records are stored and how financial transactions are performed, almost all major crimes become global instantly.
“We are members of the global community,” Codling said. “The global law enforcement community has coalesced rapidly and said we have similar problems. We need to work together.”
To read more about the FBI’s cyber mission, see: http://www.fbi.gov/cyberinvest/cyberhome.htm. For background from the U.S. Justice Department on international aspects of computer crime, see this page: http://www.justice.gov/criminal/cybercrime/intl.html
Incident response seen as vital
Scott Algeier, executive director of the IT Information Sharing and Analysis Center, said it is important for there to be open communication in order for people to share their expertise. He noted that when industry partners share information people are able to analyze the different trends that many different companies are experiencing.
“By sharing information, we give each other a larger capability,” Algeier said. “We are able to say ‘this is a neat trend we are seeing,’ and analyze all of the information that we are receiving.”
Computer emergency readiness teams work to assess attacks and vulnerabilities. The US-CERT site is http://www.justice.gov/criminal/cybercrime/intl.html.
Building a culture of cybersecurity and awareness
Franz said the five overarching elements covered in the session are all dependent on each other.
“I don’t want to focus on five elements and that they each do their own thing,” Franz said. “But instead emphasize that it is important to collaborate between these elements.”
“Cybersecurity means preserving this open, free Internet that we have learned to value so much,” said Greg Nojeim, senior counsel and director at the Project on Freedom, Security and Technology of the Center for Democracy and Technology (http://www.cdt.org/about). “We are only just beginning to realize what it would be like if it was all taken away. Security allows you to use the Internet freely.”
Nojeim said correctly balancing the needs for security and privacy online is important. He added that an increase in transparency could make people really understand the need for security.
“A lot of the cybersecurity efforts necessarily have to take place behind the scenes, but I think that openness is one key to a successful program,” Nojeim said. “It builds trust, it helps companies know what happens to the information that they share.”
All panelists agreed that there will never be a time where there is no cybercrime.
“I don’t think there is a perfect system – what we have to find is what is reasonable security and the proper balance between privacy and freedom of speech and safety and cybersecurity,” said Adam Palmer, Norton lead cybersecurity advisor for Symantec Corporation, a security systems company.
-Rebecca Smith, http://www.imaginingtheinternet.org