Sound cybersecurity policy in the United States drifted off course late last month with passage and approval of the Consolidated and Further Continuing Appropriations Act for Fiscal Year 2013 (Continuing Resolution). While we all, of course, support continued funding for our government, the tech industry was none too thrilled with a provision tucked in the resolution that bars several U.S. government agencies from procuring information technology (IT) systems made in China pending a security review by the Federal Bureau of Investigation (FBI).
In response, the Information Technology Industry Council (ITI) and 10 other leading trade associations sent a letter to congressional leadership today that outlined concerns with the provision and called for a truly effective approach for improving cybersecurity risk management. The associations wrote:
Given the expedited manner in which this provision was enacted, we ask the Congress to review the security implications and competitive impact of this requirement, and consider a more constructive approach to this issue. We also seek your support to ensure similar language is not included in other legislative vehicles.
In the age of a globally interconnected economy and Internet, it is important for all of our governments to stay focused and clear-headed on cybersecurity, and not let rhetoric carry the day. There is an on-going, and often colorful, debate in capitals around the world from DC to Beijing on cybersecurity and cyber trust. But when the dust settles, we must ensure the policies put in place to improve cybersecurity embrace the reality that product security is a function of how a product is made, used, and maintained, not by whom or where it is made.
Good security, like good ideas, knows no national boundaries. We do not believe that discriminating based on national origin is an effective means of achieving security assurance. We advocate this same position with all governments – including in China and in the United States.
Specifically, Section 516 of the Continuing Resolution bars the Departments of Commerce and Justice, the National Aeronautics and Space Administration, and the National Science Foundation from acquiring information technology (IT) systems unless “the head of the entity, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity” has made a risk assessment of potential “cyber-espionage or sabotage...associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China.”
The IT security review requirements in Section 516 set a bad precedent that could prompt other governments to implement similar requirements. In addition, they may slow the federal procurement process, impeding the U.S. government’s ability to protect itself through the use of the latest cutting-edge IT products.
The global ICT industry is committed to enhancing cybersecurity by investing heavily in R&D to ensure innovative technology drives new security solutions to keep up with bad actors and threats. We also seek the promotion of effective government cybersecurity policies that advance this goal.
Last summer, ITI, along with our counterparts in Japan (JEITA) and Europe (DIGITALEUROPE), came together to formulate a joint ICT industry statement on how to best get there. This global statement advocates that: "approaches to advance cyber security must meet security needs while preserving interoperability, openness, and a global market.” The entire ITI-JEITA-DIGITALEUROPE joint statement, including its 12 recommendations for governments, can be found here.
Bottom line, Section 516 does not take us closer to a place where we can have sensible and sober dialogue on some very complex and challenging issues related to cybersecurity. We plan to work with the U.S. Government to pursue policies that will truly advance the goal of improved cybersecurity – the kinds of policies that other governments will emulate around the world.
This blog was contributed to by Jimmy Goodrich, Director, Global Policy, ITI.