PRINCIPLE 2: Efforts to improve cybersecurity must properly reflect the borderless, interconnected, and global nature of today’s cyber environment.
Why is this important?
Cyberspace is a global and interconnected domain that spans geographic borders and national jurisdictions. To support the growth, operation, maintenance, and security of this domain, information technology (IT) companies continually innovate and invest in the development of globally deployable products and services. Cyberspace’s stakeholders - consumers, businesses, governments, and infrastructure owners and operators - seek a consistent, secure experience in cyberspace.
Efforts to improve cybersecurity should reflect cyberspace’s borderless nature and be based on globally accepted standards, best practices, and international assurance programs. This approach will improve security, because nationally focused efforts may not have the benefit of the best peer-review processes traditionally found in global standards bodies, because proven and effective security measures must be deployed across the entire global digital infrastructure, and because the need to meet multiple, conflicting security requirements in multiple jurisdictions raises enterprises’ costs, demanding valuable security resources. This approach will also: 1) improve interoperability of the digital infrastructure, because security practices and technologies can be better aligned across borders; 2) permit more private-sector resources to be used for investment and innovation to address future security challenges; 3) increase international trade in cybersecurity products and services that can be sold in multiple markets; and 4) allow countries to comply with their international commitments, such as the World Trade Organization (WTO)’s Technical Barriers to Trade Agreement (TBT), which calls for non-discrimination in the preparation, adoption, and application of technical regulations, standards, and conformity assessment procedures; avoiding unnecessary obstacles to trade; harmonizing specifications and procedures with international standards as far as possible; and the transparency of these measures.
What are we doing now?
The IT industry is actively involved in developing globally accepted cybersecurity standards, best practices, and international assurance programs. Some key examples follow.
• U.S. IT companies contribute to global cybersecurity standards development through the International Organization for Standardization (ISO), Organization for the Advancement of Structured Information Standards (OASIS), Institute of Electrical and Electronics Engineers (IEEE), the Internet Engineering Task Force (IETF), and numerous other organizations.
• U.S. IT companies, the U.S. Government, and foreign governments work to implement, improve, and expand the Common Criteria for Information Technology Security Evaluation (CC), the international standard (ISO 15408) for security assurance certification of computer products. The CC is both the ISO standard and a multilateral agreement, the Common Criteria Recognition Arrangement (CCRA), among 26 countries including the U.S., Japan, the UK, Australia, Germany, Korea, and India.