State Department’s Cybersecurity Policy Defined; Coordination Seen as Key

Different international forums have different expertise sets and they should focus on their strengths and avoid duplication of effort, Ennis said. The ITU’s strengths are development of technical solutions and capacity-building, but not national security or national defense, cybercrime or issues involving the content of transmissions, he said. The State Department’s International Communication and Information Policy group believes the commercial and economic aspects of cybersecurity are more than just a marketplace issue -- there are national interests like critical infrastructure protection, theft of information and intellectual property at stake, he said. In the economic and commercial sphere, while some form of global standards may be necessary, voluntary standards and best practices are preferred to treaties, he said.

Private sector participation in international economic and commercial cybersecurity issues are critical, Ennis said. The industry, which owns the infrastructure, is often the first to see an emerging threat, has the technical expertise to fix vulnerabilities and knows what solutions are achievable, he said. He urged the U.S. government and private sector to promote U.S. best practices internationally to ensure compatibility between U.S. domestic solutions and international standards, he said.

The State Department bureaus and offices involved in cybersecurity include EEB (Economics, Energy Business Affairs), INR (Intelligence & Research) and P/M (Political/Military), Ennis said. A newly created State Department Office of the Coordinator for Cyber Issues is charged with uniting different parts of the department working on cyber matters, he said. Additionally, the Office of Multilateral Affairs coordinates the U.S. government’s engagement at ITU, APEC (Asia-Pacific Economic Cooperation), OECD (The Organization for Economic Co-operation and Development) and CITEL (Inter-American Telecom Commission) on cybersecurity issues, he said.

The European Commission is leading an effort to rewrite, unify and strengthen the data protection and regulatory regimes governing commerce and law enforcement activities, said Lara Ballard, an attorney-adviser with the Department of State. The European Commission also seeks to strengthen individual rights, improve the Single Market, ensure high levels of protection for data sent outside Europe and ensure effective enforcement, she said. The U.S. is working on trans-border cooperation on enforcement of privacy laws through OECD and APEC, she said. Transborder cooperation is generally a welcome trend for the international groups because they want to see first-hand U.S. commercial privacy laws and enforcement guidelines, she said.

CEA President Gary Shapiro raised concern over privacy interfering with trade, at the meeting. That’s because of the different approaches on cybersecurity and privacy between the U.S. and Europe, said Ballard. The U.S. needs to respect and acknowledge that the differences will always be there, she said.

Meanwhile, the State Department’s Telecom Industry Roundtable on Haiti Relief & Reconstruction identified as opportunities for improvement identification of critical response needs, information sharing and collaboration, logistics and intergovernmental coordination and communication, said Paul Chiswell, a director with Cisco, also chair of the newly formed ACICIP Disaster Response Sub-committee. Improved coordination between the industry and the U.S. government would result in a more efficient and effective response, he said. The subcommittee seeks to create a playbook to improve disaster response coordination within the private sector and the U.S. government, he said. The playbook would include a resource guide, knowledge repository and phased response, he said. It would advise ACICIP, provide optional guidance and improved efficiency for private industry, he said. The subcommittee will present the playbook and progress to ACICIP on June 28, he said.