ISA Telecom Sector Specific Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Telecom Sector Recommendations

Source: Chapter 8 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity

Incident Reporting and Information Sharing

“Governments can do more to set the framework and do more to incentivize and reward good behavior. Following an incident, everyone needs to be clear and precise about what has happened, but government decisions about incident notification and public disclosure of major incidents (or audits) should not be allowed to disrupt or undermine industry attempts to mount an appropriate and proportionate response. Furthermore, incident notification should account for disruptive effects in adjacent sectors and obligations on other parties to share relevant information in a timely manner. Cooperation and information sharing should be voluntary and protected and the law should favor incentives above regulations.

For the industry to make meaningful headway on standards and standardization, we need to see more intergovernmental coordination on standards work to deliver globally accepted outcomes that strike at the heart of the issues. A consensus-based international standards development process needs clarity from governments about the role of organizations.

The telecommunications industry also requires a legal and regulatory framework to promote and uphold technology neutrality and provide a legal framework to encourage investment in future-capable networks that will carry exponentially growing data in virtualized cloud-based environments.”

Commission Recommendation 1.2: As our cyber and physical worlds increasingly converge, the federal government should work closely with the private sector to define and implement a new model for how to defend and secure this infrastructure.

Commission Action Item 1.2.4: Federal agencies should expand the current implementation of the information-sharing strategy to include exchange of information on organizational interdependencies within the cyber supply chain. (SHORT TERM)

Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

Commission Recommendation 6.1: The Administration should encourage and actively coordinate with the international community in creating and harmonizing cybersecurity policies and practices and common international agreements on cybersecurity law and global norms of behavior.

Commission Action Item 6.1.2: The federal government should increase its engagement in the international standards arena to garner consensus from other nations and promote the use of sound, harmonized cybersecurity standards. (MEDIUM TERM)

Commission Text: To prevent destruction and degradation of infrastructure, the private sector and government must jointly and continuously address cybersecurity risk. To date, much of this effort has been focused primarily on cybersecurity incident response. Moving forward, our collective effort must focus also on all stages of operations to protect and defend networks, as well as to ensure resilience and swift recovery through joint planning and training and coordinated responses. This collaboration must occur continuously as threats are discovered, and information must be exchanged throughout the prevention and detection of, and the response to, an incident.

Incentives must play a more substantial role in building a cyber-secure nation. To accomplish this goal, the next Administration and Congress should pass legislation that provides appropriate liability protections for businesses that engage in cyber risk mitigation practices that are consistent either with the Cybersecurity Framework or with common industry segment practices, and that engage in cyber collaboration with government and industry.

Issues that need to be addressed internationally include the development of cybersecurity and technical standards, international conformance requirements, and coordinated incident response; increased multilateral legal cooperation; continued progress toward international consensus on applying international law to cyberspace; and formalization of communications channels.

Take a Light Hand with Regulation

“Government, wherever possible, should avoid prescribing risk frameworks, risk tolerance, appropriate controls, and oversight mechanisms. Government needs to lead and support national and international conversations required to find the appropriate balance between the need to protect the privacy of the individual and the need to ensure the collective security of society.

Where there must be regulation, make it smart. Policy and regulation must be developed with the specific needs of the enterprise sector in mind. Regulations that unduly restrict the cross-border transfer of personal and machine-generated data are likely to increase the costs of providing global telecommunications solutions.”

Commission Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.

Commission Text: The right mix of incentives must be provided, with a heavy reliance on market forces and supportive government actions, to enhance cybersecurity. Incentives should always be preferred over regulation, which should be considered only when the risks to public safety and security are material and the market cannot adequately mitigate these risks.


Broaden the Vision of the Public-Private Partnership Between Telecommunications and Government

“Private companies are on the frontline of defense when it comes to cyber threats. Many attacks are not launched at telecommunications companies, but through them, in some cases against government or national-security targets. Third parties may struggle to manage the impact of high-level attacks if their prevailing business models don’t allow for further investment in cybersecurity. In these situations, it might be cost-effective for government to use telecommunications companies to provide enhanced security in situations where further investment is needed to reduce the impact of high-level threats and provide a broader common level of defense that is beyond the reach of some organizations but ultimately in the national interest.” Commission Action Item 1.2.2: The private sector and Administration should launch a joint cybersecurity operation program for the public and private sectors to collaborate on cybersecurity activities in order to identify, protect from, detect, respond to, and recover from cyber incidents affecting critical infrastructure (CI). (MEDIUM TERM)

Commission Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.

Commission Recommendation 2.1: The federal government and private-sector partners must join forces rapidly and purposefully to improve the security of the Internet of Things (IoT).

Commission Action Item 2.1.1: To facilitate the development of secure IoT devices and systems, within 60 days the President should issue an executive order directing NIST to work with industry and voluntary standards organizations to identify existing standards, best practices, and gaps for deployments ranging from critical systems to consumer/commercial uses—and to jointly and rapidly agree on a comprehensive set of risk-based security standards, developing new standards where necessary. (SHORT TERM)