Jan 05 2016

White House Wants U.S. to Help Develop International Cybersecurity Standards

Obama administration aims for bottom-up approach to creating global standards.

The White House is urging federal agencies to work together as the U.S. government participates in the development of international cybersecurity standards for IT and industrial control systems. The Obama administration is advocating that nongovernmental organizations and private industry lead the creation of such standards, while acknowledging that the federal government has a role to play.

In a blog post late last month, Michael Daniel, the White House’s cybersecurity coordinator, laid out the administration’s position on the creation of the international standards. He also unveiled an interagency report that describes the federal government’s strategic objectives and outlines several recommendations for how the U.S. government can work with other groups to achieve them.

The report was co-authored by the National Security Council and the Information Technology Laboratory at the National Institute of Standards and Technology. Daniel said, “The U.S. approach to developing international standards relies on hundreds of mostly nongovernmental organizations to develop standards and specifications and to provide the infrastructure for the preparation of standards documents.”

According to Daniel, this approach lets all stakeholders — users of standards, private industry, academia and governments — take part in creating the standards.

“The U.S. government receives no preferential treatment in this process,” he said. “This nongovernmental approach yields standards of better technical rigor and industry uptake, helps support innovation, and enables the rapid adaptation and evolution of standards.”

Setting the Stage for International Standards

“U.S. companies are most effective when they can rely on the same cybersecurity standards overseas as they do in the United States,” Daniel said. “Not only do common standards make it easier for product development and sales, companies can more easily maintain and enhance network defense and resilience, which are vital in today’s world of diverse cyberthreats.”

The report spells out “four fundamental interrelated [U.S. government] strategic objectives in actively participating in the development and use of timely international standards for cybersecurity.” The four objectives are: enhancing national and economic security and public safety; ensuring standards and assessment tools for the federal government are technically sound; facilitating international trade; and promoting innovation and competitiveness.

As FedScoop reported, the report also calls for the creation of new cybersecurity standards in a number of relevant areas, including “security automation in industrial control, smart grid and voting systems.”

Report Makes Key Recommendations

The report makes eight critical recommendations “for achieving overall [U.S. government] strategic objectives in cybersecurity, which are derived from each agency’s mission and objectives.”

The recommendations are:

• Ensuring U.S. government coordination.
• Promoting U.S. government participation in cybersecurity standards development.
• Developing timely and technically sound standards and assessment schemes for cybersecurity.
• Leveraging U.S. public and private sector collaboration in standards development for cybersecurity.
• Enhancing international coordination and information sharing.
• Supporting and expanding standards training for federal agency staff.
• Developing technically sound international standards for cybersecurity that minimize privacy risk.
• Using relevant international standards for cybersecurity to promote global acceptance and achieve mission and policy objectives.

Daniel wrote that the nongovernmental approach to creating international standards “builds trust among those creating and those using the solutions throughout the world.” He said such standards are needed to “protect everyday applications such as online commerce, smart electricity meters, networked medical devices and online banking.”

“Simply put, we believe that a consensus-based, private sector-driven international standards development process, with input from all interested stakeholders, is superior to a top-down, national government-controlled approach to standards,” he said. “We are committed to advocating for the adoption of a global approach to standards development around the world.”

