PRINCIPLE 1: Efforts to improve cybersecurity must leverage public-private partnerships and build upon existing initiatives and resource commitments.


Why is this important?


It is well known that the private sector owns and operates 85% of critical infrastructure in the United States, and that the information technology (IT) industry creates nearly the entire cyberspace infrastructure. What is not known is the multitude of ways in which the IT industry works cooperatively with national, state, and local governments to improve cybersecurity and ensure that approaches to cybersecurity are adaptive and effective. For well over a decade, IT companies have provided leadership, subject-matter experts, technical and monetary resources, innovation, and stewardship to enable all stakeholders to better manage and mitigate cybersecurity risk. Cyberspace would be much less secure in the absence of these partnerships and initiatives.


What are we doing now?


The IT industry leads and contributes to a range of significant public-private partnerships, including information sharing, analysis, and emergency response with governments and industry peers. Some key examples follow.


• The U.S. IT industry formed and funds the IT Sector Coordinating Council (IT-SCC) to work closely with the Department of Homeland Security (DHS) to ensure better preparedness and coordination of critical infrastructure protection (CIP) initiatives.


• Major U.S. IT companies founded and operate the IT Information Sharing and Analysis Center (IT-ISAC), a non-profit operational center established to exchange information among companies and with DHS to identify, manage, and mitigate IT infrastructure risks.


• Major U.S. IT companies participate in the Industry Consortium for Advanced Security on the Internet (ICASI), an industry-driven global initiative to share information on product vulnerabilities.


• U.S. IT companies participate in national advisory committees such as the Federal Bureau of Investigation (FBI)’s National Cyber Forensics Training Alliance and the Forum of Incident Response and Security Teams (FIRST).


• U.S. IT companies work closely with the National Institute of Standards and Technology (NIST) to provide input into NIST’s security standards and guidelines for U.S. Federal non-classified computer systems.


• U.S. IT companies participate in DHS’s Software Assurance (SwA) Program, which spearheads the development of practical guidance and tools and promotes research and development (R&D) to reduce software vulnerabilities and improve the routine development and deployment of trustworthy software products.

