Sub-Committee on Emerging Threats, Cybersecurity, and Science and Technology
Testimony of Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft
“Securing America’s Cyber Future: Simplify, Organize and Act”
Before the U.S. House Committee on Homeland Security
Sub-Committee on Emerging Threats, Cybersecurity, and Science and Technology
Hearing on “Reviewing the Federal Cybersecurity Mission”
March 10, 2009
Chairwoman Clarke, Ranking Member Lungren, and Members of the Subcommittee, thank you for the opportunity to appear today to provide a perspective on “Reviewing the Federal Cybersecurity Mission.” My name is Scott Charney, and I am the Corporate Vice President for Trustworthy Computing at Microsoft. I served as one of four Co-Chairs of the CSIS Commission on Cybersecurity for the 44th Presidency with Representatives Jim Langevin of Rhode Island and Michael McCaul of Texas, and General Harry Raduege.
I will address four themes that cross many of the recommendations made in the Commission’s report. First, we have an immediate need for a comprehensive White House-coordinated national strategy for cyberspace security. Second, we need to evolve and focus the public-private partnership model. Third, we should consider a new regulatory model designed to ensure that greater regulation, if enacted, protects innovation while providing appropriate government oversight of cyber security issues. Fourth, the Internet needs an appropriately deployed identity metasystem if we are to make the Internet dramatically more secure but protect important social values, such as privacy and free speech. I will address each of these in turn.
First, the need for a comprehensive and coordinated national strategy could not be more clear. In the information age, a country’s success is dependent upon information, knowledge, and communications. While the growth of the Internet in the early 90s created new beneficial opportunities for all, including individuals, businesses, and governments, it also created unprecedented opportunities for those who would misuse technology. It permits individual criminals, organized crime groups and nation-states to target all types of sensitive information, from personal information to business information to military information. It is therefore clear that our country’s future success requires a comprehensive cyber security strategy that engages the relevant agencies of the government and brings to bear all elements of national power, including economic, diplomatic, law enforcement, military and intelligence authorities. When one recognizes the breadth of the challenge and the need for a massively decentralized but coordinated response among the federal agencies, it becomes clear that our national cyber security strategy and its implementation should be led by the White House.
Of course, any successful strategy must include protecting one’s own networks from attack. Here, it is critical that the government and private sector work together to improve the state of computer security. Why is partnership required? It is because the private sector drives the design, development and implementation of the products and services that power cyberspace. And we must also have the right objectives. For years the goal of the partnership has been “information sharing” which will not, without more, secure America’s infrastructures. We must establish a more meaningful public-private partnership, where the partners work in complementary fashion towards the clearly identified objective of securing America’s networks. Consistent with this philosophy, the partnership should focus on sharing information that is actionable and building mechanisms that enable meaningful action to be taken.
With regard to regulation, the government and private sector should jointly determine the level of security provided by markets, the level of security needed to protect national security, and how the gap between what the market will provide and what national security demands can be filled most effectively. While this is not a call for broad regulation, it is a recognition that appropriately tailored legislation – legislation that is technology neutral and recognizes the best practices created by the innovative private sector – may be an important component of any national cyber security effort. The fact is, markets respond to customer demand and most customers, though more aware of security issues today than in the past, will not pay for the level of security necessary to protect national security. In short, establishing a cohesive national strategy, a robust public-private partnership, and a security model that takes advantage of industry best practices, government influence and tailored regulations, can dramatically advance security.
Finally, creating the ability to identify what person and which device is sending a particular data stream in cyberspace must be part of an effective cyber security strategy. Even sophisticated attackers face difficult challenges – and find their access restricted – because of better authentication. Stronger authentication can also help us create safe places for our children to learn online, for businesses to interact with customers, and for government to serve its citizens. In addition, because the use of digital IDs also reduces the need to authenticate people by having them provide private details about themselves, stronger authentication can enhance both security and privacy. Thus, as part of an overall cybersecurity strategy, the government should accelerate the adoption of authentication technologies by actions such as issuing and accepting digital credentials in appropriate circumstances, and working to integrate privacy issues into the design, development and operation of the resulting identity metasystem.
In conclusion, let me say that these are complex challenges that obviously will not be solved overnight. Securing America’s future in the information age depends upon creating a comprehensive national strategy for cyberspace security, one that simplifies, organizes and enables effective operational partnerships among the government, the private sector, and Internet citizens. There is both an opportunity and a need for leadership as we focus the nation’s attention on the importance of cybersecurity. I thank this Committee for raising this important issue, for considering my written testimony as a part of the record, and I look forward to your questions.