Editor’s Note: The following post is from J. Paul Nicholas, Senior Director, Global Security Strategy and Diplomacy at Microsoft and Cristin Goodwin, Senior Attorney, Regulatory Affairs at Microsoft.
The 2013 Executive Order on Improving Critical Infrastructure Cybersecurity (EO) set forth the U.S. Government’s two-phase approach to strengthening critical infrastructure cybersecurity. In the first phase, the National Institute of Standards and Technology (NIST) led collaborative development of a Cybersecurity Framework; in the second phase, the Department of Homeland Security (DHS) established a voluntary program and continues work towards incentives for organizations to utilize the Framework, while government agencies examined their cybersecurity authorities and regulations relative to the Framework.
Nearly 16 months after the EO’s release, we can begin to observe the impact of this two-phase approach. In the first phase, the development of the Cybersecurity Framework demonstrated a commitment to collaboration within government, between government and industry, and across industries. The point of view from our colleagues Scott Charney, corporate vice president for Trustworthy Computing, and Matt Thomlinson, vice president for Microsoft Security, is that NIST’s process and the resulting risk management guidance in the Cybersecurity Framework provide a template for leveraging public-private partnerships to advance cybersecurity in the United States and around the world.
The second phase of EO implementation is now coming into focus, particularly with regard to cybersecurity regulatory efforts. The White House recently published a blog post regarding several cabinet agencies’ assessments of their cybersecurity authorities and existing regulations relative to the Framework. The White House determined that three agencies – the Department of Homeland Security, the Environmental Protection Agency, and Health and Human Services – were required to perform those assessments. The agencies determined that existing regulations, when coupled with strong voluntary partnerships, are capable of mitigating cyber risks to critical infrastructures.
Additionally, the White House provided the public with the three cabinet agencies’ analyses of their current cybersecurity authorities and regulations. This is a helpful demonstration of how certain U.S. federal agencies interpret their regulatory authorities. We encourage other agencies with regulatory authority, such as the Departments of Energy, Transportation, and the Treasury, to conduct reviews and share their respective analyses publicly.
While governments sometimes engage in public dialogue with industry and other stakeholders about how to shape standards and policy initiatives, it is uncommon for governments to share their internal analyses about regulatory efforts, particularly in cybersecurity. The White House has taken a leadership approach in driving forward both the Framework and related voluntary efforts, which sets a standard that we encourage other governments to consider as they work to develop cybersecurity policies and regulations. Governments, industry and civil society groups around the world are having very important discussions on critical infrastructure cybersecurity, and the resulting policies will be more effective if the discussion is open and various groups can work together to improve cybersecurity-related risk management globally.
It is our opinion that governments must strive to harmonize approaches to cybersecurity to enable economic advancement nationally, and the U.S. government’s publication of more agencies’ perspectives can help further this goal. Microsoft looks forward to continuing our participation in implementation of the Executive Order, as well as other cybersecurity risk management initiatives around the world. To learn more about our work in this area, please visit www.microsoft.com/cybersecurity.