IBM's Letter to the Office of the National Cyber Director
Mar 02,2023

March 2, 2023

 

Acting Director Kemba Walden
Office of the National Cyber Director
The White House
1600 Pennsylvania Avenue, N.W.
Washington, DC 20500

 

Dear Acting Director Walden:

 

IBM appreciates the Administration’s commitment to strengthening the cybersecurity of the United States with the release of the National Cybersecurity Strategy. As one of the defining issues of this decade, we stand ready to assist in the advancement of core cybersecurity principles and policies and offer three thoughts on implementation.

 

Post Quantum Cryptography
We are already entering a new age of computing – the Quantum Age. While quantum technologies promise to produce immense value for our society, new threats related to these disruptive emerging technologies could create many challenges to securing and protecting people, the nation, and information. IBM applauds the inclusion of post quantum cryptography (PQC) in the NCS and the numerous collaborative cross-government efforts. As a leader in quantum computing, IBM has been at the forefront of quantum cryptographic research to ensure quantum is responsibly and safely ushered into digital environments by participating in the development of all four algorithms selected through NIST’s PQC Standardization Program. We look forward to more engagement and collaboration with our US government partners.

 

Yet, there is still much work to be done to ensure the security of our nation. Government, industry, and academia must adopt PQC to protect critical infrastructure, services, and information – an event that could be larger than Y2K. We call on the administration to work with Congress to craft a CHIPS and Science Act-like bill to ensure both R&D and adoption of PQC are adequately funded so that new cryptography is adopted in time to strengthen the safety and security of the nation for when quantum computers become available. We must act now by investing in future-proofing to mitigate against these risks.

 

Preventing Misuse of US Critical Infrastructure
As cybersecurity attacks continue to grow in amount and scale, the technology industry has seen the malicious use of cloud infrastructure to carry out cyber attacks. We commend the administration’s interest in addressing this misuse of US infrastructure and share similar concerns. However, cloud providers have taken significant steps to prevent and mitigate such misuse. Cloud providers employ several technical and administrative controls to prevent misuses, such as proactive account monitoring and threat detection, behavior-based risk analysis, and built-in protections against bad behavior (e.g., blocking unnecessary outbound port access).

 

While much has changed since EO13984 was released, the EU continues to raise concerns about the U.S. collection and protection of European data. Thus, the implementation of this rule must be careful to maintain the ability of US cloud service providers to compete in the EU. As your office looks to implement EO13984, we recommend that the government work closely with industry to develop a precision approach to produce the desired outcomes, encourage the Department of Commerce to leverage the exemption process to exclude B2B clients, and suggest a greater focus on Section 3 Cooperative Efforts to Deter the Abuse of United States IaaS Products to support cooperation with appropriate law enforcement.

 

Liability Safe Harbor
IBM is pleased to see the inclusion of a liability safe harbor framework. We have already seen the success of liability safe harbors, such as under the Cybersecurity Information Sharing Act of 2015, which has enabled companies and other private organizations to share sensitive cyber threat information useful for protecting others against similar cyber threats. Likewise, states like Ohio and Utah have implemented liability safe harbors for data breaches for companies that follow security best practices. This is crucial because, as an industry, we know that companies will get hacked. Without these liability protections, we risk revictimizing the victim and placing organizations in a difficult position of balancing information security with protecting themselves against legal and reputational risk.

 

As your office moves forward with liability protection proposals around software, we recommend that you work with Congress to develop a bill that provides protections to companies who follow recognized cybersecurity frameworks and best practices, like NIST’s Secure Software Development Framework, modeling existing state data breach liability safe harbor laws. This will encourage companies to adopt more robust software development practices and raise the bar on the nation’s security.

 

Thank you for considering our view on implementing the National Cyber Strategy and your leadership on cybersecurity. We look forward to working with you. Should you have any questions, please contact Mason Molesky, Cybersecurity Policy Executive, at mason@ibm.com.

 

Sincerely,

 

Chris Padilla
Vice President of Government & Regulatory Affairs

 

Jamie Thomas
General Manager, Systems Strategy & Development

 
