Letter DHS on IoT Security Principles

Ms. Lisa Barr

Director of Cyber Policy and Planning

U.S. Department of Homeland Security Office of Policy

Washington, DC 20528

December 29, 2016

Re: Cyber Secure America Coalition Comments on Strategic Principles for Securing the Internet of Things (IoT)

Dear Ms. Barr:

On behalf of the Cyber Secure America Coalition (“CSAC”), I am pleased to provide our feedback on the Department of Homeland Security’s (“Department”) Strategic Principles for Securing the Internet of Things (“IoT”) (“Strategic Principles”). CSAC is an organization of leading companies focused on improving the state of cyber security in the United States, and we fully support the Department’s important role in working with industry and across government to encourage the adoption of security and privacy practices in the number of increasingly-connected devices and services.

The Strategic Principles offer a helpful way for various stakeholders, including developers, manufacturers, service providers, businesses, governments, and consumers, to coalesce around their shared interests and responsibilities in securing IoT. We all recognize the incredible potential in IoT, but as the Department rightly acknowledges, “[S]ecurity is not keeping up with the pace of innovation.” Connected devices and services can leave end-users susceptible to cyber-attacks, as evidenced by the recent Mirai botnet attacks. These risks impact not only consumer devices, but also back-end services like cloud servers and supporting applications, business products and services, and components of critical infrastructure. Therefore, it remains imperative that all stakeholders incorporate appropriate security and privacy practices to establish the trust necessary to promote IoT adoption and to realize its benefits. In addition, enhanced transparency throughout a product’s or service’s supply chain and lifecycle can help developers and manufacturers better identify and mitigate potential security vulnerabilities. This information, in turn, can support consumer education and awareness efforts regarding steps that individuals, businesses, and governments can take to protect themselves and their devices. We are pleased that the Strategic Principles document addresses these complex and important issues, and overall, it constitutes a useful framework going forward.

There are some specific additional suggested practices that CSAC would like to offer that can help facilitate increasing the security of any IoT solution. Organized in accordance with each of the Strategic Principles, they include:

(1) Incorporate Security at the Design Phase

a. Explicitly define components and separate their functions. Consider the isolation of components and implementation of the whole system as a system of loosely-coupled components with well-defined interfaces. This approach allows earlier identification of security issues and may provide possible solutions.

b. Do not assume reasonable behavior by end-users. When security mechanisms rely on assertions about system use that are not enforced by the system’s implementation, a malicious actor may cause a security violation. Always assume that the system interfaces will be misused.

(2) Promote Security Updates and Vulnerability Management

a. Test third-party security patches. In addition to coordinating software updates with third parties and conducting vulnerability assessments that account for third-party vendor risks, it is imperative to test patches provided by software vendors under conditions simulating actual operation to the maximum extent before pushing patches through to end-users.

(3) Build on Recognized Security Practices

a. Use end-to-end threat modeling. Practice threat modeling at every phase of the lifecycle of product development and maintenance to address all security needs. Use sector-specific or technology-specific threat models where possible. In other cases, consider threats for system-specific security objectives.

b. Use proven security mechanisms. While the Strategic Principles does direct IoT ecosystem stakeholders to “start with basic software security and cybersecurity practices,” we believe it is important to highlight specifically the use of reliable and tested security mechanisms, such as public-key infrastructure, cryptographic key management, and anti-malware software development kits.

c. Implement secure software development lifecycle best practices. Use recognized security practices, such as code review and checking with static analyzers, security testing, penetration testing, vulnerability management, etc. at every phase of product/service development. NIST Special Publication 800-64 Revision 2, “Security Considerations in the System Development Life Cycle,” and the OWASP Software Assurance Maturity Model are additional resources that the Appendix can reference on this suggested practice.

(4) Prioritize Security Measures According to Potential Impact

a. Consider and clearly articulate the particular objectives for any security measures. Identification of the security objectives, which are very high-level security requirements, is crucial to describing potential threats for particular systems or solutions. Security objectives specify what security means for a particular device, component, etc.

b. Explicitly define all assumptions about trust. Security assumptions provide the basis for the security of the system. While it is not possible to protect against all potential threats, the clear definition of security assumptions contributes to determining the level of confidence in the system’s security and helps to identify trusted, albeit not necessarily trustworthy, objects and processes.

(5) Promote transparency across IoT

a. Consider and explicitly describe all potential risks to end-user privacy. Privacy may be unintentionally violated, even in cases where the product or service does not handle personally-identifiable information (PII). It is important to recognize that increased connectivity can shift the definition of what constitutes PII. Therefore, developers and manufacturers should consider privacy risks in addition to security concerns during the development of any IoT solution.

(6) Connect Carefully and Deliberately

a. Evaluate distinct characteristics of different communication protocols in connectivity technologies as part of security considerations. Communication protocols and connectivity technologies have distinct characteristics that can affect the suitability and security of an IoT application. In addition to making intentional connections and enabling selective connectivity, developers and manufacturers should consider how the connectivity technologies they employ can introduce security risks and plan accordingly.

Given the evolving challenges that securing IoT presents, it will be helpful for the Department to prioritize particular efforts that align with its public safety and cybersecurity missions and further our shared objective. The four lines of effort discussed in the Strategic Principles outline how the Department intends to pursue its role in this important space. Within that context, CSAC offers the following additional suggestions for areas of prioritization:

(1) Clearly articulate how the Department intends to coordinate with other government actors (including the Federal Trade Commission (FTC), the National Telecommunications and Information Administration (NTIA), and the National Institute of Standards and Technology (NIST)) and industry in this space. The various government activities related to IoT security, while helpful in highlighting the importance of the issue, have yet to explain to stakeholders how they plan to intersect to ensure that consumers and industry can engage effectively to achieve our common goal;

(2) Tailor public education and awareness campaigns not only to particular sectors and individual consumers, but also by recognizing the various layers of the IoT ecosystem – device/product, back-end services like cloud infrastructure and networks, and supporting applications. There may be consensus approaches that can address these layers as a whole, but we must be cognizant that there may be differences that require more specific strategies;

(3) Closely coordinate efforts to incentivize adoption of security and privacy practices in IoT with industry, NTIA, and NIST, given their collective expertise on potential market barriers. The multi-stakeholder processes utilized by NTIA and NIST could provide a helpful template for any Department-led convening on these issues; and

(4) Consider the economic impact of “inconsistent sets of standards or rules” related to IoT security on the U.S. when engaging internationally on these issues. Given the significance of IoT development, manufacturing, and consumption to the U.S. economy, it is imperative that the Department, in coordination with other federal agencies, industry, and consumers, ensure that any international outcomes in this space do not result in bifurcated norms, rules, or standards that negatively impact the ability of U.S.-based IoT vendors to access global markets and customers.

We appreciate the leadership of the Department in putting forth the Strategic Principles for Securing the Internet of Things. This document presents a thoughtful framework for IoT security. CSAC stands ready to participate in and support additional activities that the Department undertakes with regards to these Strategic Principles. It is important that industry maintain a leading role in securing connected devices and services. We look forward to working with you on this and other cyber security issues important to the protection of our country.

Sincerely,


Phil Bond

Executive Director

Submission to Department of Homeland Security on the National Cyber Incident Response Plan

The Department of Homeland Security

Washington, DC 20528

October 31, 2016

RE: Comments on National Cyber Incident Response Plan

Dear Sir or Madam:

On behalf of the Cyber Secure America Coalition, thank you for the opportunity to provide our comments on the working draft of the National Cyber Incident Response Plan (NCIRP). The Plan makes significant strides to reflect the need for a whole community approach that enables both the public and private sectors to share responsibility and coordinate incident response efforts to cyber threats that can impact the national security and economy of the United States. By incorporating guiding principles outlined in Presidential Policy Directive (PPD)-41, U.S. Cyber Incident Coordination, the NCIRP appropriately emphasizes the need for a risk-based response to cyber incidents, the importance of respecting affected entities to safeguard privacy and sensitive information, and the value of facilitating the restoration and recovery of an affected entity’s operations.

The clear articulation of the four concurrent lines of effort in the NCIRP (threat response, asset response, intelligence support and related activities, and an affected entity’s response), together with the identification of the roles and responsibilities of the public and private sectors within those lines of effort, is critical to a whole community response to cyber incidents. Specifying which federal agency is the lead with respect to threat response, asset response, and intelligence support bolsters the private sector’s ability to actively participate in responding to cyber incidents and coordinating appropriately. International coordination plays a key role throughout the four lines of effort, and it is good that this notion is included in the NCIRP.

With regards to asset response, we appreciate that the Department of Homeland Security (DHS) is the designated lead because such designation leverages the Department’s resources and expertise with regards to information sharing, vulnerability assessment and mitigation, critical infrastructure protection, and technical assistance. By highlighting the importance of coordinating with other lead agencies (Department of Justice through the Federal Bureau of Investigation (threat response) and the Office of the Director of National Intelligence (intelligence support and related activities)), working with sector-specific and other agencies, and linking with the Cyber Incident Severity Schema, the NCIRP can provide reasonable guidance to the private sector regarding the extent of the federal government’s engagement, if any, in case of a cyber incident.

Despite these positive aspects of the NCIRP, we believe that the private sector generally and the cyber security industry specifically can and should play a larger role, particularly as it relates to threat intelligence and threat response. We believe the Plan does not accurately reflect the role that the cyber security industry can play in helping to respond to and mitigate a threat. Cyber companies, whether they provide endpoint security, vulnerability management, or other managed security services, have unique visibility into the threat landscape and can play a significant role in supporting both public and private sector efforts in developing a coordinated response, including enabling restoration and recovery.

A critical component of the NCIRP is the bidirectional sharing of cyber threat information. It is incumbent on DHS to ensure that a smooth process to facilitate such sharing is in place. We recognize the importance of protecting privacy and civil liberties, and therefore, we would encourage the use of tools and technologies that remove personally-identifiable information (PII) and provide threat data in an anonymous form. Furthermore, the NCIRP should recognize the value of promoting private-to-private information sharing and the creation of information sharing and analysis organizations (ISAOs). Combined with the sector-specific information sharing and analysis centers (ISACs), these ISAOs can serve as both early warning systems and a vehicle to rapidly disseminate threat data to mitigate cascading effects from a cyber incident. The NCIRP should not negatively impact the creation and growth of ISAOs, or their supporting technology platforms, and should instead focus on leveraging the potential of these organizations to harness private sector engagement in a whole community response.

In addition, DHS should continue to refine its information sharing practices to ensure the sharing of timely, actionable public sector data, in addition to acting as a clearinghouse for private sector data. To address data classification concerns, we would encourage the exploration of using anonymizing and redaction technologies to remove attributable information. Furthermore, we would encourage DHS to develop mechanisms that ensure secure communications between federal agencies and the private sector with regards to incident response. Components of such mechanisms should look at appropriate access controls and multi-factor authentication regimes. We strongly assert that such programs should be in place at the earliest opportunity.

Overall, we feel the NCIRP succeeds in achieving its objective to establish a “strategic framework and doctrine for a whole community approach to mitigating, responding to, and recovering from a cyber incident.” Properly rolled out, it can be an effective tool to better coordinate public and private sector efforts when an incident does occur, promote a more comprehensive response, and also provide for quicker recovery. We look forward to continuing to work with you on this important issue, and again, we appreciate the opportunity to provide comments on the working draft.

Regards,

Phil Bond

Executive Director


Letter in Support of PPD-41 Cyber Incident Coordination 

Michael Daniel

Special Assistant to the President and Cyber Coordinator

The White House

1600 Pennsylvania Avenue

Washington, DC 20500

August 8, 2016

Dear Mr. Daniel:

On behalf of the Cyber Secure America Coalition I am writing to express our support for Presidential Policy Directive 41 (PPD-41) on US Cyber Incident Coordination. We appreciate the strong leadership the Obama Administration has taken in the area of cyber security. As cyber threats become more sophisticated and serious, a coordinated effort within government and between the government and private sector is critical.

PPD-41 is a natural next step in the cycle of cyber defense, following the recent enactment of information sharing legislation intended to strengthen the flow of threat information in the public and private sectors. We believe this directive is thoughtful and lays out a solid framework for responses to cyber incidents.

A vast majority of the critical infrastructure is owned and operated by the private sector and it is our shared responsibility to work together to share information and coordinate responses to major cyber incidents to minimize impact and ensure a fast recovery. As you develop specific policies for this directive, we urge you to work with private sector experts to ensure that strong channels of communication exist between the public and private sector. It is important that procedures are in place to ensure that when a significant incident occurs not just those entities directly affected are participating, but the broader sector is also informed and engaged in a timely manner.

Thank you again for your leadership on this crucial issue. We look forward to working with your office and the Administration as you develop specifics to PPD-41.

Sincerely,

Phil Bond

Executive Director


cc: Hon. Andy Ozment, Asst. Secretary for Cyber Security and Communications, DHS

Letter in Support of Warner-McCaul Encryption Commission Bill 

The Honorable Ron Johnson

Chair, Senate Homeland Security & Governmental Affairs Committee

340 Dirksen Senate Office Building

Washington, DC 20510


The Honorable Tom Carper

Ranking Member, Senate Homeland Security & Governmental Affairs Committee

340 Dirksen Senate Office Building

Washington, DC 20510

June 3, 2016

Dear Chairman Johnson and Ranking Member Carper:

On behalf of the members of the Cyber Secure America Coalition, I am writing to express our support for legislation to establish a legislative Commission on Digital Security and Technology Challenges. We appreciate your leadership in promoting a thoughtful approach to addressing the serious and complicated issue of digital security, particularly as it relates to encryption. We have a shared desire to support law enforcement, but also understand the value of strong encryption to both privacy and security.

The digital revolution of the last few decades has changed many things, including the challenges facing law enforcement. That’s especially true when positive technologies are used by criminal and terrorist elements. We believe that private sector experts have a vital role to play in assisting law enforcement in dealing with these new challenges in reasonable ways, and are ready and willing to offer suggestions and expertise toward that end.

We believe that mandating the breaking of encryption technologies will negatively impact the American people, the national economy, U.S. law enforcement and American national security. We believe that due to a number of unintended consequences that arise from any mandates that would undermine encryption, the costs most likely outweigh the benefits of requiring decryption.

In our view, it is false to presume that requiring U.S. technology companies to comply with law enforcement by modifying their technologies would have no negative consequences. Placing U.S. companies under such a requirement would massively undermine these companies in the global marketplace. Such actions would signal to the world that US technology products are neither secure nor private, and instead remain open to review by the government in this country.

Further, in most cases, such forced compliance would not provide the envisioned benefits to law enforcement since terrorists would simply accelerate their move away from the use of U.S. technology products -- something we are already seeing today. Experts in the field are abundantly aware that there are literally hundreds of encryption software offerings in the global market. Similarly, there are many alternatives to the U.S.-based platform technologies and devices that are accessible to terrorists and criminals. Therefore, efforts to thwart criminals and terrorists will be little impacted by applying new requirements on U.S.-based technology companies. Instead, the ultimate and unintended consequence would be to reduce the reach of U.S. law enforcement and to weaken American national security as U.S. companies would see less and less of the malicious actors’ traffic on their devices or networks and therefore have a diminished ability to provide appropriate assistance to law enforcement.

We believe these views are consistent with what an array of experts would find upon serious examination. But we also believe that the range of experts required by your legislation would find many other useful ways in which law enforcement could better use metadata and other digital tools in the pursuit of criminals and terrorists. We therefore see great value in the proposed commission as a credible vehicle to help law enforcement to engage the digital world without undermining security or endangering cherished privacy rights.

We see the proposed commission as a thoughtful and balanced approach to this issue, and one that directs the conversation into appropriate policy guidance from the legislative branch. For these reasons we believe the Warner-McCaul Commission approach is the right vehicle to accomplish our shared goals of effective law enforcement coupled with national and economic security. It can be a means to bring a much-needed consensus between the public and private sectors on the critical national issues mentioned above.

We look forward to working with you and others in Congress to perhaps refine and improve this bill as it moves through the legislative process in the Senate. We hope that ultimately this bill can be combined with a legislative product from the House as that chamber moves through its own process of consideration on this vital topic.

Sincerely,

Phil Bond

Executive Director


cc: The Honorable Mark Warner, The Honorable Michael McCaul

Encryption Views 2016

The Cyber Secure America Coalition is comprised of companies and venture capital firms dedicated to securing cyber space. Our industry-leading efforts bring key innovative technologies to the market to help government, enterprises and individuals better secure their data and systems. Encryption is one of the critical cyber security solutions that protects our customers and their data from bad actors. Compromising current encryption technologies will inevitably make them less secure.

Backdoors

Security is about risk management and compromising a secure environment through the allowance of back doors increases risk to networks. Vulnerabilities in software will be found sooner or later, and make it easier for bad actors to infiltrate systems and access sensitive data or attack the critical infrastructure. Government should not mandate the creation of backdoors and thus vulnerabilities in software.

Encryption Use

Encryption is widely used in both the public and private sector. Requiring backdoors will make software used by good actors less secure and put them at risk to attacks from bad actors, including cyber criminals, nation-states and terrorist organizations.

Encryption by Bad Actors

Mandating weaknesses in software will not help intelligence and law enforcement to catch bad actors. Cyber criminals, terrorists and nation-states already have the capability to use their own encryption and are doing so, and would be unaffected by backdoors.

Backdoors will negatively impact US companies

By requiring backdoors, we weaken our position in the global economy. Enterprises and individuals will be less likely to purchase American software as it will be seen as inherently more vulnerable. This will impact our ability to compete overseas, will impact our dominant position in the IT space and will serve to further balkanize the Internet.

Letter in Support of the National Cybersecurity Protection Advancement Act of 2015

The Honorable Michael McCaul

Chairman, Committee on Homeland Security

H2-176 Ford HOB

Washington, DC 20515

April 13, 2015

Dear Chairman McCaul:

On behalf of the Cyber Secure America Coalition*, I am pleased to offer our support for the National Cybersecurity Protection Advancement Act of 2015 intended to promote multi-directional information sharing.

Now more than ever, the public and private sectors must work together to protect our cyber networks and digital assets. Better collaboration between government and enterprises through real-time, robust information sharing is critical to combating the cyber threat. Sharing what we know about threats and how to combat them will go a long way towards raising the overall level of cybersecurity in our nation. We are pleased with the provisions in the bill to promote private-to-private information sharing and to provide liability protections for those companies that share in good faith. We appreciate the focus on ensuring that private and sensitive data be stripped out prior to sharing threat indicators. Trust is critical to a successful information sharing program, and ensuring privacy protections as part of that regime is necessary to ensuring that trust.

Thank you again for your leadership on this important issue. We look forward to working with you to make this legislation even better and to help move it through the legislative process.

Regards,


Phil Bond

Executive Director


* CyberSecure America Members include CyberPoint International, ISC(2), Kaspersky Lab, Nok Nok Labs, Qualys, and Techguard Security

Letter in Support of S. 2717, the Cyber Information Sharing Tax Credit Act


The Honorable Kirsten Gillibrand

United States Senate

478 Russell Senate Building

Washington, DC 20510

September 10, 2014

Dear Senator Gillibrand:

On behalf of the Cyber Secure America Coalition (CSAC)*, I am writing to express our support for S. 2717, the Cyber Information Sharing Tax Credit Act. As leaders in the cyber security industry, we understand how important it is to stay one step ahead of malicious actors.

Encouraging robust sharing of threat information is a critical step in that fight. While we also need to break down legal barriers to information sharing, encouraging more companies through tax incentives to join information sharing organizations and to be active participants in the fight against cyber threats is a complementary effort and one that we endorse.

As you work through the legislative process, we would encourage you to look at expanding the definition of qualified information sharing and analysis organization. As organizations and technology evolve over time, flexibility should be in place to determine what qualifies as an information sharing and analysis organization.

We look forward to working with you to move this important legislation forward.

Regards,

Phil Bond

Executive Director


Letter in Support of S. 1638 the Cyber Security Public Awareness Act of 2013 


The Honorable Sheldon Whitehouse

U.S. Senate

530 Hart Senate Office Building

Washington, DC 20515

June 6, 2014

Dear Senator Whitehouse:

On behalf of the Cyber Secure America Coalition*, I am pleased to offer our support for S. 1638, the Cyber Security Public Awareness Act of 2013. The cyber threat is real and we must all work together to make our online experiences safer. The public must be better informed on the importance of the cyber risk we face, and should be better equipped with solutions to enable greater security. Thank you for your continued leadership on this critical issue.

The public and private sectors must work together to protect our cyber networks and digital assets. Better collaboration between government, enterprises and consumers is critical. Understanding the threat and where it is coming from is an important tool to finding solutions to combat and mitigate it. We believe your bill brings much needed focus to this subject and regard your proposal as a positive step towards improving collaboration between the public and private sector. In terms of reporting around private sector requests for government assistance in defending networks, we believe the language can be strengthened to ensure that no sensitive or identifiable private sector information is revealed in these reports. It is important that cyber threat information flow unimpeded between the public and private sectors, and we believe that will be encouraged by removing the risk of the public release of sensitive information.

Encouraging reporting by public companies around cyber threats is also important. In fact, we have sent a letter to the SEC encouraging such action. Encouraging reporting is an important policy step, but we also urge that this step be taken in combination with promoting better cyber security practices. We believe that a safe harbor from reporting should be developed to encourage greater deployment of cyber security technology. This safe harbor framework should include the following principles.

- Demonstration of continuous monitoring of enterprise security architecture through the Twenty Critical Controls or an equivalent regime.

- Designation of an officer of the company with responsibility for information security.

- Demonstration of active membership in an information-sharing program designed to allow members to share attack-related information in an anonymized fashion.

- Demonstration of compliance with all relevant federal and state information security laws such as data breach notification and HIPAA.

Additionally, we support S. 1638’s encouragement of best practices to improve cyber security.

Finally, we agree with your bill’s proposal to look at legal and other impediments to public awareness around common cyber security threats, and to make recommendations to reduce them. Raising the overall level of cyber security in the United States is essential. Thank you again for your leadership on this important issue. We look forward to working with you to make this legislation even better and to help move it through the legislative process.

Regards,

Phil Bond

Executive Director


* CyberSecure America Members include CyberPoint International, Kaspersky Lab, Nok Nok Labs, Qualys, Techguard Security and Trend Micro.
Data Security Principles - February, 2014

The Cyber Secure America Coalition supports improving the security of government, business and consumer data. It is critical that we work to inform consumers appropriately, while ensuring that data holders are taking the steps to protect sensitive information. It is clear that the online world has become a target of criminals and those that seek information for political or personal gain. We believe that legislation to improve data security and inform consumers when their data is compromised is needed. According to the Privacy Rights Clearing House over 660 million records from over 4000 breaches have been compromised since 2005, yet we have no federal law governing the reporting of breached data or around the protection of consumer data. Instead we are governed by a patchwork of state laws. We support the inclusion of the following principles in any federal data breach law.

  • The pre-emption of state laws to ensure consistency in reporting.
  • A safe harbor from reporting for companies that encrypt or otherwise render the data useless or unreadable using widely accepted industry practices.
  • The safe harbor incentive should require regular vulnerability assessments, and encourage the use of existing industry standards, such as the SANS 20 Critical Controls, as a benchmark for attaining safe harbor status. This should not, however, include any specific technology or product mandates.
  • Legislation should also set a consistent threshold of significant risk to ensure that over-notification does not occur and thus desensitize consumers to the threat of their data being compromised.
  • Legislation should provide effective enforcement measures without a private right of action.

No security regime can be 100% effective. Robust security comes from a smart balancing of risk and cost. We believe it is important to encourage companies to put in place a strong security framework to protect their customers' data, while also ensuring that when a breach does occur, those customers are notified and assisted in protecting their sensitive personal information.

Letter to the SEC Chairman White on creating a safe harbor from disclosure of cyber attacks

The Honorable Mary Jo White

Chairman  

Securities and Exchange Commission

100 F Street, NE

Washington, DC 20549


June 4, 2013 

Dear Chairman White: 

We are writing to commend you for exploring potential roles the Securities and Exchange Commission can play to improve cyber security by publicly traded corporations in the United States. As companies working daily to prevent and defend against malicious cyber attacks, the Cyber Secure America Coalition* is well aware of the changing nature and sophistication of the cyber threats faced by government and industry alike.

Encouraging greater disclosure of damaging incursions, managing cyber risk, and promoting more information exchange between the public and private sectors are critical to combatting today's cyber threat. We appreciate your efforts to make this a priority.

As you consider potential changes to encourage greater disclosure of significant cyber attacks by public companies, we urge you to consider the following points. Major companies face multiple cyber threats on a regular basis. In fact, we know that in today's digital world, attempted and/or inconsequential minor incursions against any one company can easily number in the thousands. No security regime can be 100% effective. Robust security comes from a smart balancing of risk and cost. We believe it is important to encourage companies to put in place a strong security framework. Adoption of such a framework should be used to develop a safe harbor framework exempting companies from disclosure and/or entitling them to a presumption that an "industry standard" defense was employed. Key principles for such a framework could include:

- Demonstrate continuous monitoring of enterprise security architecture through the "20 Critical Controls*" or an equivalent cyber security "industry standard" regime.

- Designate an officer of the company with responsibility and accountability for cyber security.

- Demonstrate active membership in an information sharing program designed to allow members to share attack related information in an anonymized fashion.

- Demonstrate compliance with all relevant federal and state cyber security laws, such as data breach notification laws and HIPAA.

We believe that most public companies are making a good faith effort to protect their systems and data. By demonstrating the adoption of this security framework prior to an incident, companies should be eligible for relief from public disclosure.

Promoting greater sharing of cyber threat information is a key tenet of our organization and is critical to improving cyber security for our nation. It is essential that companies feel comfortable sharing appropriate information without fear of any proprietary information or trade secrets being released. As much as possible, information that is shared should be anonymized. Further, when the government has threat or attack data, it is important that key sectors such as critical infrastructure companies be provided that information in a timely manner to prevent incidents. We believe that it would be unfair to require public disclosure when the Federal government may have had information that would have enabled a company to better defend itself. Today, when government shares information, it is often very general and not actionable.

We are ready to work together with you to help establish the most effective policies to reduce cyber incidents and improve corporate cyber security. Thank you again for your leadership on this important issue. We hope you will see the CSAC as a partner in this effort. Please feel free to contact me at pbond@cybersecureamerica.com / 202-347-8787 or Adam Rak at arak@cybersecureamerica.com / 650-766-1833.

Sincerely, 

Phil Bond 

Executive Director 


cc: Honorable Elisse Walter

Honorable Luis Aguilar

Honorable Troy Paredes

Honorable Daniel Gallagher

* Cyber Secure America Coalition members include: Kaspersky Lab, Trend Micro, Qualys, Nok Nok Labs, CyberPoint LLC, TechGuard Security

* http://www.sans.org/critical-security-controls/guidelines.php