The Obama administration wants to leverage U.S. participation in international standards-making to improve the nation’s cybersecurity.
The Obama administration wants to improve coordination between federal agencies and with other nations in developing technical standards to help improve U.S. cybersecurity.
The nation’s economy and security increasingly depend on the use of commercial IT products and international infrastructures that cannot be secured on a piecemeal basis. Internationally accepted cybersecurity standards are necessary, and the U.S. must leverage its participation in the standards-making process to ensure the technical requirements meet its cybersecurity objectives.
“Given the increasingly global, complex, and interconnected nature of the world economy, the use of international cybersecurity standards for information technologies and industrial control systems are necessary for the cybersecurity and resiliency of all U.S. information and communications systems and supporting infrastructures,” declares a draft report released by the National Institute of Standards and Technology.
The report makes recommendations for achieving the government’s strategic objectives for the development of international cybersecurity standards. It calls for improved interagency collaboration within the U.S. government as well as for cooperation in the international process.
Technical standards do not by themselves ensure cybersecurity. But interoperability across products, systems and networks is needed so that state-of-the-art products can be effectively implemented and security policies and programs based on best practices can be carried out. Technical standards generally are voluntary and are adopted by vendors because interoperability and security are good business. Additionally, the U.S. government can make conformance with standards a requirement for agency acquisitions.
Standards-making in the U.S. private and public sectors is driven by different but mutually beneficial motives. Non-governmental organizations are influenced primarily by industry participation and motivated by market forces. Government participation is motivated by the need for cost-efficient, timely and effective solutions for achieving mission and policy objectives. Testing for conformance with standards, as well as for interoperability and performance, is an important aspect of agency procurement.
“Testing and attestation of products, processes, and services against established cybersecurity standards help provide a level of assurance that a product, process, or service’s stated security claim is valid,” the new report says.
But international standards for core areas of cybersecurity are generally lacking now. Standards for core areas identified by the report in most applications still are under development. In only a handful of areas are they mostly available. As standards are developed, the U.S. wants to make sure that it has a say in the process.
But there are significant differences between the United States and many other countries, where the development process is centrally coordinated and government driven. The U.S. standards system is generally an open, collaborative process between public and private sector organizations, with the outcome based on voluntary consensus. To ensure that standards meet U.S. cybersecurity needs, “the [U.S. government] should ensure dialogue and information exchange takes place between senior Federal cybersecurity officials and their counterparts in key partner countries on cybersecurity standards development activities.”
Given the critical importance of cybersecurity standardization, the administration also wants to see more coordination within government on standards development. “Coordination by senior Federal cybersecurity officials under the auspices of the Executive Office of the President would provide the necessary focus and resources to develop and implement a comprehensive strategy . . . ,” the report says.
If you would like to comment on the report and its recommendations, a template for responses to both volumes is posted online. Comments are due by Sept. 24.