Senior Director, Trustworthy Computing, Microsoft
Last week, Scott Charney testified at a hearing of the Senate Committee on Homeland Security and Government Affairs. The hearing was about the Cybersecurity Act of 2012, which is Congress’s first comprehensive legislation aimed at improving cybersecurity across the United States. His full testimony is available here.
This legislation is an important milestone in the U.S. Congress’s sustained engagement on the topic of cybersecurity and an advance in the national discussion of how to better secure the information infrastructure of the United States. The legislative proposals provide a risk-based framework intended to improve the security of government and certain critical infrastructure systems, and they establish an appropriate baseline for addressing current threats.
Scott’s testimony began with a brief discussion of the transformative effect of the Internet, as well as the challenges facing policymakers. He discussed the three key outcomes that U.S. national policy and legislation should promote to improve resiliency in the near-term, and ensure continued innovation and leadership in the long-term.
These three outcomes are: (1) flexible and agile risk management, narrowly focused on risks of greatest concern and optimized to adapt to rapidly changing threats; (2) innovative information sharing, targeted to address specific challenges and enable advanced risk management, response and recovery capabilities; and (3) meaningful and attainable international norms for the security of cyberspace.
Through successive Administrations, the Executive Branch has made considerable progress towards developing a policy framework to advance cybersecurity. The Comprehensive National Cybersecurity Initiative set the baseline for American operational and strategic readiness, and we’ve since seen an array of policy documents from the Obama Administration, including the International Strategy for Cyberspace and the National Strategy for Trusted Identities in Cyberspace. These initiatives demonstrate commitment to driving cybersecurity policy forward and in the right direction.
Collectively, policymakers in the Executive Branch and Congress must focus on three goals to ensure that the three outcomes noted above are achieved. First, policymakers must aim for greater integration and harmonization of U.S. policy efforts so that the full range of national energies is brought to bear on cybersecurity. Second, policymakers must ensure that their approaches are technology-neutral and do not stifle innovation. Third, policymakers must catalyze the growth of leaders who can drive excellence in cybersecurity across the public and private sectors. Scott’s written testimony provides more detail about each of these goals.