
Furthering Intel's Security First Pledge with Cybersecurity Public Policy


By Audrey Plonk, Senior Director, Public Policy, Intel Product Assurance and Security Group

Working with the Center for Cybersecurity Policy and Law to Advance Coordinated Disclosure Policy and Practice


Having been intimately involved from day one in Intel’s response to the Spectre and Meltdown vulnerabilities, I am also deeply familiar with - and committed to - Intel’s Security First Pledge.  As Intel progressed through the release of production microcode updates for Spectre Variant #2, I have refocused my attention on advancing the spirit and letter of the Pledge consistent with our policies announced last week and through our global cybersecurity public policy efforts.

I first started working on cybersecurity policy in 2003. At the time, industry and government were primarily concerned about distributed denial of service attacks and operating system vulnerabilities. A few years later, in 2007 - when I went to the Organisation for Economic Co-operation and Development to write cybersecurity policy recommendations for governments - hackers were primarily hobbyists, and cybersecurity companies were in their infancy. Even then, however, signs of the future were starting to emerge. It was that same year that cyberattacks against Estonia forced the country to restrict incoming Internet traffic from overseas locations. A year later, I joined Intel and began learning about the industry’s history and challenges in cybersecurity technology and policy. Many things are different now than in 2003 – growth in the cyberarsenals of nation-states and criminal syndicates, and increasingly commonplace reports of vulnerabilities potentially affecting hardware, not just software – to name just a few. Throughout this time, however, Intel’s security policy leadership has remained steady. Our Meltdown and Spectre response was built on the foundation of decades of leadership in hardware security and cybersecurity and privacy public policy.

At Intel, our cybersecurity and privacy policy goal has always been to enable trust and confidence in the use of the global digital infrastructure and digital devices. While the environment evolves, that goal remains the same. In today’s complex environment, we are grappling with renewed appeals from governments for access to encrypted communications, and increased discussion about how to address hardware and software vulnerabilities. Looking back at the industry’s history, and thinking about next week’s annual RSA Conference, I am reminded of former Intel executive Pat Gelsinger’s keynote speech at RSA 2002, where he said: “The right policy is fighting technology with technology. Intel strongly opposes secret ‘back doors’ in encrypted products…” This is one example of Intel’s leadership, and we have partnered with industry, government, academia and civil society to advance cybersecurity policy in the intervening years.

Intel knows that lasting change comes from the difficult work of aligning stakeholders from industry, government, civil society and academia.  In anticipation of this year’s RSA conference, I’m pleased to announce today that Intel has asked the Center for Cybersecurity Policy and Law to engage broadly with other technology companies to examine coordinated hardware-specific vulnerability disclosure policy and processes.  The goal is to identify the specific needs and circumstances of the hardware ecosystem, opportunities to advance disclosure policy and practice, and options for future improvements.  The Center has agreed to direct this project and it is well qualified to do so, as it brings together key stakeholders from across the technology sector, and the Center’s Coordinator, Ari Schwartz.  Before entering the private sector, Ari was a member of the White House National Security Council, where he served as Special Assistant to the President and Senior Director for Cybersecurity.

Time passes all too quickly and it is hard to believe that I’ve been working on cybersecurity policy for fifteen years.  Many things have changed, but my desire to work on solving difficult problems to improve cybersecurity and privacy has remained a constant.  We have some challenging issues ahead, including coordinated vulnerability disclosure policy, advancing norms and behaviors for cyberspace, and the security assurance of commercial products and services.  Consistent with our Security First Pledge, I am committed to advancing cybersecurity public policy in cooperation with our colleagues and partners in industry, academia and government.