USACM Welcomes Steps to Address Cybersecurity Issues
Association for Computing Machinery
Advancing Computing as a Science & Profession
Virginia Gold, ACM
Cameron Wilson, ACM Public Policy Office
Washington, February 14, 2013—Following is a statement from Eugene H. Spafford, Chair of USACM, the U.S. Public Policy Council of the Association for Computing Machinery (USACM). It is in response to President Obama's Executive Order to strengthen cyber defenses and develop standards to protect national security, as cited in the 2013 State of the Union Address.
"ACM's Public Policy Council (USACM) applauds the initiative of the President to update cybersecurity practices. Continually updating cyber threat information and ensuring this is shared with appropriate parties is a fundamental component of effective cybersecurity practices.
As government agencies proceed to implement the President’s Executive Order on Improving Critical Infrastructure Cybersecurity, following are a few key points to remember:
- USACM supports targeted cybersecurity standards. Noting the challenges unique to different sectors of cybersecurity practice, we recommend that any effort to establish effective standards will need to be explicit about recognizing differences across systems and sectors, and allow appropriate flexibility to stay current. Targeted sets of standards will be more effective than a single set of standards intended to cover all systems and all possibilities. With the Cybersecurity Framework in Section 7 of the Executive Order, there should be an opportunity to ensure that the variations in infrastructure needs are addressed.
- USACM supports recognizing the legitimacy of all types of risk management response in any risk-based approach. The desire to mitigate all identified risks is an understandable one, but usually does not produce the most effective results. Depending on the circumstances, including the severity of the risk and the cost of mitigation, it may make more sense for a private entity to simply accept the risk or to address it through mechanisms such as insurance. We caution against adopting any approach that unnecessarily restricts risk management options.
- Appropriate protections for information disclosed within any information sharing process. We are pleased to see the material in Section 5 of the executive order directing explicit actions to protect privacy and civil liberties. However, even with what is outlined there and in 6 USC § 133, it is possible for information reported by the private sector to government agencies to (inadvertently) provide too much detail. Information is easily aggregated and mined to produce surprising amounts of detail unnecessary for the protection of critical infrastructure. Thus, we urge that the activities detailed in Section 5 explicitly address giving guidance – and some limits – to the private sector on information that may be provided to government agencies under this order. Guidance would include consideration of best practices such as minimization and limited retention of the data.
- Pace of Change. Computing technologies continue to evolve rapidly, and those changes often find their way into operational systems. They may also change the risk environment by creating new opportunities for attack as well as eliminating old ones. We urge that the framework and associated incentives and standards developed under Sections 7, 8, and 9 explicitly recognize and include methods to accommodate technology changes that may occur more rapidly than the framework may be updated.
- Consultative process. USACM, as the US Public Policy Council of the ACM, is composed of scientists, engineers, professors, lawyers, industry executives, and students representing the computing community. We appreciate the breadth of community expressed in the process in Section 6, and look forward to participating in it."
ACM, the Association for Computing Machinery, is the world’s largest educational and scientific computing society, uniting computing educators, researchers and professionals to inspire dialogue, share resources and address the field’s challenges. ACM strengthens the computing profession’s collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence. ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.
The ACM U.S. Public Policy Committee (USACM) serves as the focal point for ACM's interaction with U.S. government organizations, the computing community, and the U.S. public in all matters of U.S. public policy related to information technology. Supported by ACM's Washington, D.C., Office of Public Policy, USACM responds to requests for information and technical expertise from U.S. government agencies and departments, seeks to influence relevant U.S. government policies on behalf of the computing community and the public, and provides information to ACM on relevant U.S. government activities. USACM also identifies potentially significant technical and public policy issues and brings them to the attention of ACM and the community.