Cybersecurity Investments for the Information Age

Last summer, I testified before the House Science and Technology Committee’s Subcommittee on Technology and Innovation about the need for government to develop security strategies to address the full spectrum of risks in the Information Age.  Last week, the House passed The Cybersecurity Enhancement Act, H.R. 4061, which represents an important step to better address those risks.  In recognition of the long-term nature of this challenge, the bill appropriately aims to drive strategic investments toward the development of the skilled workers and advanced technologies we will need to improve our nation’s cybersecurity.  Promoting and resourcing innovative approaches will help government and industry to have the necessary skills, capabilities, techniques, and tools to counter evolving cyber threats and continue to grow and lead in the connected world. 

The provisions regarding identity management are particularly noteworthy because creating the ability to know reliably the person and/or device that is sending a particular data stream in cyberspace is essential for attribution.  Strong identity management and attribution capabilities help deter cyber attacks, so driving toward a coordinated, interoperable, and scalable security- and privacy-sensitive system for managing identities will benefit all Internet users.

Passage of this legislation in the House represents an initial step to address the broader challenge the United States is facing in cyberspace.  The Information Age has arrived, yet much work still needs to be done to prepare for the realities of today and of tomorrow.  Long-term investments must be complemented by near-term planning and action to better secure the nation’s critical infrastructure and sensitive networks and data.  Government and private industry must collaborate more effectively to drive strategic planning and enhance operational capabilities in several key areas, including:

• Updating existing strategies to recognize the ever-mounting importance of economic security, more comprehensively address the various elements of national power, and articulate a clearer understanding of norms, attribution, and deterrence;
• Establishing a hybrid model that improves security across the Federal enterprise and fosters agility to counter evolving threats; such a model recognizes that there are some responsibilities and practices that should be done by each Federal agency, but that a fully centralized model for managing security will not work;
• Building operational partnerships that let us effectively mitigate and respond to threats in a more coordinated manner; and
• Managing the real-time health of networks by using information provided by IT assets, such as routers, hosts, and proxy servers, to evaluate operational and security status, and by promoting meaningful audit to drive behavior and provide accountability.

Every day, we work to improve the technologies, processes, and procedures used to protect our connected assets in this increasingly networked world.  Even dramatic and demonstrable improvements in cybersecurity are being challenged by the increasing availability and value of data online and the escalation of cyber attacks in terms of both number and sophistication.  There is much more computer security to be done.  Microsoft congratulates the House for passing The Cybersecurity Enhancement Act, which we view as a significant step towards transforming government for the Information Age.  We look forward to continuing to work with government and industry partners to enhance cybersecurity and the resiliency of our critical infrastructures.

 

About the Author

Corporate Vice President, Trustworthy Computing, Microsoft

Scott Charney is Corporate Vice President for Microsoft’s Trustworthy Computing Group. Mr. Charney is responsible for a range of corporate programs that influence the security, privacy and reliability of Microsoft’s products, services and internal networks. He also manages the Engineering Excellence Team, a group focused on promoting best-of-breed engineering practices and ensuring compliance with Microsoft’s mandatory engineering policies. Prior to joining Microsoft, Mr. Charney served as a Principal at PricewaterhouseCoopers, where he led the firm’s Digital Risk Management and Forensics Practice. Before that, Mr. Charney served as Chief of the Computer Crime and Intellectual Property Section (CCIPS) where he was responsible for implementing the Justice Department's computer crime and intellectual property initiatives. Prior to leading CCIPS, Mr. Charney served as an Assistant United States Attorney responsible for the investigation and prosecution of complex cases involving organized crime and as an Assistant District Attorney in Bronx County, New York, where he was responsible for prosecuting persistent violent felony offenders. He also served as Deputy Chief of the Investigations Bureau.