Over the past decade, there has been exponential growth in the Internet and in adoption of information technology worldwide. New ideas for software, hardware and ways of interconnecting networks have led to dramatic increases in productivity, spurred globalization, and literally changed the world. But this burst of activity has also brought some challenges. One of them is security.
We are now all familiar with the appearance of worms and viruses which circulate on the Internet. This malware is generally illegal and can cause varying degrees of harm - from the manageable to the serious. It can also be costly to respond to and to repair.
Globally, everyone is focused on information security. Customers demand it and vendors are supplying it. The security area of information technology is characterized by innovation, activity and adoption. Security technology is moving from passive to active and from isolated products to intelligent networks. Everyone -- customers, consumers and vendors -- has the incentive to get secure.
There is also the realization that security is not just technology, but must include processes and people as well. One size does not fit all, and all three have to be applied holistically to achieve security in all environments.
Since 9/11, policy makers in the US and around the world have become focused on the state of the information infrastructure. Policy makers want to ensure that users of networks employ technology, process and people best practices to make networks as secure as possible. Public-private partnerships have been formed to work through voluntary, market-based approaches to security.
In the US, President George W. Bush created the President's Critical Infrastructure Board in response to September 11th. Since its inception, the Board has examined issues related to cybersecurity. On February 17, 2003, the White House released its Cybersecurity Plan, and the Department of Homeland Security has been working to implement the recommendations.
Among other issues, the Plan urges computer users to create holistic approaches to security, and properly deploy technology, processes and people. It also suggests public-private dialogue to share information, best practices and keep current on new security approaches and challenges. The plan also encourages users to plan for and practice security response and recovery.
Public-private partnerships have increased their work on best practices and information sharing. For example, the National Cybersecurity Partnership (NCSP) created five cross-sector working groups. It also issued reports on awareness for home and small business users, early warning systems, technical standards and common criteria, software development and corporate governance.
During 2004, the National Infrastructure Advisory Council (NIAC) to the President issued four substantive reports containing recommendations for improving security. The reports cover the role of government, cross-sector interdependencies, information sharing and analysis, and a vulnerability disclosure framework.
The National Cyber Security Alliance (NCSA) published its Top 10 tips for home, small business and education users and during 2004 launched a nationwide awareness campaign to Stay Safe online.
The National Institute of Standards and Technology (NIST) continues its work on voluntary best practices and guidelines, including its guide to a holistic approach to security: the NIST Guide for the Security Certification and Accreditation of Federal Information Systems, NIST 800-37.
The OECD published its Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security in 2002. The Guidelines constitute a foundation for working towards a culture of security throughout societies.
In 2004, the European Commission (EC) created the European Information and Network Security Agency (ENISA). ENISA is a pan-European "center of excellence" for security. It serves as the lead organization for public-private partnerships and information sharing throughout the EU on security best practices and voluntary guidelines.
In Asia, the Asia-Pacific Economic Cooperation (APEC)'s E-Security Task Force created a Cybersecurity Strategy to help deploy best practices in the APEC economies.
It is now recognized that most cyber incidents are crimes. Law enforcement agencies have stepped up the prosecution of these crimes at home and, in cooperation with others, abroad. As criminals attempt to use the network for theft, fraud, misrepresentation, extortion, vandalism and other crimes, more and more countries are ensuring that their laws make this activity illegal in the on-line world, just as they do in the off-line world. These laws must be enforced.
Significantly, security technology continues to innovate: networks are moving from passive to active and from point-products to system-wide, end-to-end approaches to security recognition, containment and quarantine. Further, Internet Service Providers (ISPs) are competing on security and consumer ISPs have begun to offer security as part of their service.
From a public policy perspective, there are things that governments can do in partnership with industry. Governments can:
Raise awareness of the importance of getting secure
Educate users about best practices
Employ best practices to secure their own systems
Fund long-term research and development; and
Enforce aggressively the laws against cyber crime
Government should not regulate security.
Regulation will stifle innovation, will always be several steps behind, and may make us less secure.
Competition is driving innovation in security, and it is this innovation that will ultimately ensure the most effective security.
Looking forward, the next area of progress can include international cooperation on the socialization of best practices and a focus on the international prosecution of cybercrime.
It is critical to recognize that the threat has begun to change, from ad hoc malware to criminals, organized crime and the monetization of cyber incidents.
Many public-private partnerships, from the National Cybersecurity Partnership to the National Infrastructure Advisory Council to the Partnership for Critical Infrastructure Security, have brought hundreds of people together to create sound best practices and are making progress in achieving even more secure networks.
Cisco President and CEO John Chambers, in his personal capacity, is Vice Chairman of the U.S. National Infrastructure Advisory Council (NIAC), which advises the President on security issues.
Cisco will continue to create innovative security products and services.
Together, we can continue to work with partners and governments around the world to help ensure our information infrastructure is safe, secure and robust.
Security has been and continues to be a core issue for Cisco -- we continue to build security into our own networks, help our customers protect theirs, and support efforts to strengthen critical public infrastructure.
The market is the most powerful driver of innovation. We are focused on meeting the security demands of our customers, and market-based solutions will provide the best results for them.
Facts are important in this discussion, and Cisco has reached out to policy makers to share its factual expertise as a "trusted advisor," and will continue to do so.
U.S. Strategy to Secure Cyberspace
National Infrastructure Advisory Council (NIAC)
The Business Software Alliance Cybersecurity website
The Institute for Information Infrastructure Protection (I3P)
TechNet CEO Cybersecurity Resource Center
Stay Safe Online
OECD Guidelines: Towards a Culture of Security
APEC eSecurity Task Group
As of January 2005