KEY ICT POLICY PRINCIPLES: Digital Europe/ITI/JEITA Global ICT Industry Statement
Digital Europe/ITI/JEITA Global Information and Communications Technology (ICT) Industry Statement: Recommended Government Approaches to Cybersecurity[1]
Cyber security is a high priority for governments, society, and industry globally. Policy approaches to advance cyber security must meet security needs while preserving interoperability, openness, and a global market. Such approaches will result in enhanced security. In the right policy environment, we can increase security while maintaining the societal benefits derived from the growth and development of cyberspace.
As governments pursue cyber security-related laws, regulations, and other policies, we urge them to adhere to the following principles:
- Develop cyber security policies in a transparent manner and with relevant stakeholder input. Governments should ensure that the development of all laws, regulations, and other policies related to cyber security are undertaken in an open and transparent policymaking process. This can include, but is not limited to, publishing draft texts and allowing for public notice and comment procedures.
- Enable risk management and innovation. Governments should adopt policy approaches that can adapt to market changes and allow enterprises and consumers to properly understand, assess, and take steps to manage risks. A risk management approach recognizes that private-sector actors are best placed to manage and protect their networks, services, and assets and are incentivized to do so by market forces, corporate responsibility, and ethical standards.
- Develop and implement cyber security policies in partnership with the private sector. The ICT industry has extensive experience in providing leadership and resources in every aspect of cyber security. Cyber security policies will be most effective when building upon these initiatives and investments. This can help to ensure that policies are adaptive and effective.
- Encourage the development and use of globally recognized, industry-led, voluntary consensus security standards, best practices, assurance programs, and conformity assessment schemes. These approaches will improve security, because 1) nationally focused efforts may not have the benefit of the best peer review processes traditionally found in global standards bodies, 2) proven and effective security measures must be deployed across the entire global digital infrastructure, and 3) the need to meet multiple, conflicting security and conformity assessment requirements in multiple jurisdictions raises enterprises’ costs, demanding valuable security resources.
- Ensure the use of globally standardized tests and certification. Governments should allow for compliance requirements based on risk assessments, and be supportive of the international transportability of test results and certificates.
- Ensure that cyber security requirements are technology-neutral. Mandates requiring certain technologies, including a preference for domestically made technologies, decrease security because the country can no longer access leading-edge security solutions that could be developed anywhere in the world.
- Ensure that cyber security requirements allow for procurement of technologies regardless of the country of origin or the nationality of the technology vendor. Product security is a function of how a product is made, used, and maintained, not by whom or where it is made. Governments should re-examine their understanding of cyber supply chain risk, acknowledge that ICT vendors are best placed to manage and protect their ICT supply chains, and partner with industry on solutions that build bridges rather than exclusionary trade walls.
- Ensure that any cyber security requirements avoid forced transfer or review of intellectual property (IP), such as source code. Such IP is business proprietary information that is essential to companies’ ability to innovate and remain economically competitive.
- Limit any prescriptive requirements to areas of the economy that are highly sensitive, such as government intelligence and military networks. Many governments may justifiably have very stringent requirements for security technologies sold into intelligence and military networks. Government procurement requirements for such systems should not extend to other government networks, government-licensed networks or to privately run infrastructure or commercial companies.
- Strengthen institutions, and develop contingency plans and cyber security strategies. Governments should have their own strong, standalone institutions, such as Computer Emergency Readiness Teams (CERTs), to ensure effective cyber security. Governments have an important role to play—working in partnership with the private sector whenever possible—in reflecting overarching national, regional and international security objectives; sharing in preparedness and prevention preparations; diagnosing and responding to incidents; and addressing education and research gaps.
- Focus on criminals and their threats. Governments should endeavor to respond to cyber actors, threats, and incidents domestically and internationally, working in cross-border partnerships to the extent possible, when appropriate.
- Focus on education and awareness. Governments should make all stakeholders aware of their important roles in helping to address cyber risks. Government efforts should include raising awareness, via education systems, to citizens of all ages about cyber security.
This statement has the full endorsement of DIGITALEUROPE (DE), the Information Technology Industry Council (ITI), and Japan Electronics and Information Technology Industries Association (JEITA).
DIGITALEUROPE (DE), the Information Technology Industry Council (ITI) and the Japan Electronics and Information Technology Industries Association (JEITA) Global Information and Communications Technology Industry Statement: "Recommended Implementation Principles for Government Cybersecurity"
Cybersecurity is an issue that governments, societies and industry around the world should treat as a priority. Policy measures aimed at strengthening cybersecurity must meet security needs while ensuring network interoperability and openness and a unified global market; such policies help achieve a high level of network security. In the right policy environment, we can increase cybersecurity while preserving the societal benefits that the expansion of cyberspace brings.
We urge governments to adhere to the following principles when implementing cybersecurity-related laws, regulations and other policies:
- Adopt a transparent cybersecurity policymaking process and fully listen to the views and suggestions of stakeholders. Governments should ensure that the development of all cybersecurity-related laws, regulations and other policies is open and transparent, including but not limited to publishing draft texts for notice and seeking public comment.
- Implement risk management and promote innovation in security measures. Governments should adopt policy measures that adapt to market changes and enable enterprises and consumers to correctly understand, assess and take action to manage risks. In a risk-management framework, private-sector enterprises are best able to manage and protect their networks, services and assets, and from the perspective of market forces, corporate responsibility and ethical standards alike, private enterprises have the incentive to do so.
- Develop and implement cybersecurity policy in cooperation with the private sector. The ICT industry has long played a leading role and provided resources in every aspect of cybersecurity, and has accumulated extensive experience. Cybersecurity policy is most effective only when built on these initiatives and investments. This helps ensure that policy is adaptive and effective.
- Encourage the development and adoption of globally recognized, industry-led, voluntary consensus security standards, best practices, security assurance programs and conformity assessment systems. Doing so will improve cybersecurity for the following reasons: first, the best peer-review procedures typically used by global standards bodies are more effective than security efforts concentrated in a single country; second, all digital infrastructure worldwide should adopt proven, effective security measures; third, meeting conflicting security and conformity assessment requirements set by different countries increases enterprise costs and consumes valuable security resources.
- Ensure the use of globally standardized testing and certification procedures. Governments should allow compliance requirements to be based on the results of risk assessments, and support global acceptance of test results and certificates.
- Ensure the technology neutrality of cybersecurity requirements. If a country mandates the use of specific security technologies, for example by giving priority to domestically produced technology, security will decrease, because that country will no longer adopt the advanced security solutions developed elsewhere in the world.
- Ensure that cybersecurity requirements do not restrict the country of origin of procured technology or the nationality of the technology vendor. The security of a product depends on how it is made, used and maintained, not on who makes it or where. Governments should re-examine their understanding of cyber supply chain risk, acknowledge that ICT vendors are best able to manage and protect their ICT supply chains, and work with industry to develop solutions that build bridges of communication rather than exclusionary trade barriers.
- Ensure that cybersecurity requirements do not force the transfer or review of intellectual property (IP), such as source code. Such IP is proprietary enterprise information that is essential to maintaining enterprises' ability to innovate and compete economically.
- Limit the scope of prescriptive requirements to highly sensitive areas, such as government intelligence and military networks. Many countries impose very strict requirements on security technology purchased for intelligence and military networks, and such strictness is reasonable. Government procurement requirements for such systems should not extend to other government networks, government-licensed networks, or privately operated infrastructure or commercial companies.
- Strengthen institutions and develop contingency plans and cybersecurity strategies. Governments should establish strong, independent institutions, such as Computer Emergency Response Teams (CERTs), to effectively ensure cybersecurity. Governments should play an important role in upholding overall national, regional and international security objectives, sharing information on preparedness and prevention, analyzing and responding to security incidents, and closing gaps in education and research, cooperating with the private sector whenever possible.
- Pay close attention to cyber criminals and their threats. Governments should strive to respond to domestic and international cyber criminals, the threats they pose and related incidents, and where necessary carry out cross-border cooperation to pursue cyber criminals.
- Emphasize security education and raise security awareness. Governments should make all stakeholders aware of their important role in helping to address cyber risks. Government security efforts should include using the education system to raise cybersecurity awareness among citizens of all ages.
This statement has the full support of DIGITALEUROPE (DE), the Information Technology Industry Council (ITI) and the Japan Electronics and Information Technology Industries Association (JEITA).
[1] As jointly released by Digital Europe, ITI and JEITA June 2012. Please see http://www.itic.org/media/news-releases/global-technology-industry-align....