On Oct. 4, Microsoft released a paper detailing how nations should develop a national strategy for cybersecurity based on the company’s recommendations.
The report was issued just six months after the Government Accountability Office urged the federal government to form a national strategy. GAO noted there was a 782 percent increase in cybersecurity attacks from 2006 to 2012.
“Until an overarching national cybersecurity strategy is developed that addresses all key elements of desirable characteristics, overall progress in achieving the government’s objectives is likely to remain limited,” the GAO report said.
According to the paper, cybersecurity threats evolve too quickly for international standards, which makes a national strategy paramount. The strategy can be used for all four of the major categories of cyber-threats: military and political espionage, economic spying, cyber-warfare and conventional cyber-crimes including fraud.
Microsoft’s recommendations are based on six principles. The strategy should be risk-based by identifying threats and vulnerabilities, which are managed through controls, costs and other measures. The strategy should also be outcome-focused, prioritized, practicable and respectful of privacy and civil liberties. Finally, Microsoft recommends the strategy be globally relevant in order to integrate international standards and make work between countries easier.
Besides identifying risk, the paper endorses setting critical and minimum security baselines for data and working closely with the private sector to create security baselines, because over time the theft of private data compromises the competitiveness of the nation. Governments should build incident response capabilities to handle attacks that do access information.
“Effective incident response capabilities can help brunt the disruption or exploitation of information and systems that could threaten national security, economic stability, or public safety,” the paper said.
Incident response includes setting clear procedures for dealing with attacks and the development of a national computer emergency response team that assists both the government and private industry. The paper advocated for international CERT cooperation to share cyber-threat information.
The paper suggested nations employ workforce training as a means to minimize security breaches.
In 2009 the White House began a cybersecurity initiative and created the cyberspace policy review to coordinate a national strategy. As of 2013, a clear national strategy has not been completely adopted.