Microsoft released a new white paper entitled Developing a National Strategy for Cybersecurity: Foundations for Security, Growth, and Innovation. This publication is based on lessons learned from customers and governments around the world, and is intended to aid governmental efforts to develop national cybersecurity strategies that set a clear direction to establish and improve cybersecurity for government, academia, enterprises, consumers and the ICT companies who serve those communities. Cybersecurity issues have developed into significant national-level problems that now require government consideration, including the protection of assets, systems and networks vital to the operation and stability of a nation and the livelihood of its people.
A national cybersecurity strategy is a policy framework for managing risks and responding to threats posed to the information and communications technology infrastructure of a nation. Microsoft believes that every nation should have a national strategy for cybersecurity, and we strongly support governments taking steps to protect their most essential information and ICT systems—those needed to support national security, the economy and public safety. As a global services and devices company, Microsoft has observed dozens of national approaches aimed at addressing cyber risk and has developed views about what makes for an effective national cybersecurity strategy.
A national strategy, if developed correctly, can meet many needs of government, the private sector and the citizens of the country. Our view is that a strategy should be based upon six foundational principles:
• Risk-based. To develop a risk-based approach to managing national cybersecurity risks, countries must first create and articulate a framework for assessing national cyber risks and prioritizing appropriate protections.
• Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
• Prioritized. Adopt a graduated approach to criticality, recognizing that the consequences of disruption or failure are not equal among critical assets or across critical sectors.
• Practicable. Develop plans that are not overly prescriptive or burdensome so they’ll be adopted by the broadest group of those in government and business.
• Respectful of privacy and civil liberties. Include protections for privacy and civil liberties based upon privacy and civil liberties policies, practices and frameworks.
• Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonization in mind throughout.