Security and Trust Policy
Intel public policy: How Intel promotes innovation worldwide
The ever-increasing scale, scope and sophistication of cybersecurity attacks and global supply chains have required governments and industries to evolve their approaches to combating these threats, including better cross-sector coordination. Security is consistently at the forefront of Intel’s innovation as both a consumer and developer of cybersecurity technologies. Intel integrates security technology into our products. Our Security First Pledge highlights how Intel emphasizes security across our product lifecycle, beginning with our Security Development Lifecycle. We use coordinated vulnerability disclosure processes and collaborate with industry, academia and independent researchers.
Intel’s security objective is in direct alignment with the goal of global governments: to promote trust in technology by enabling governments, businesses and individuals to better secure their data, networks and infrastructure. To accomplish this goal, we encourage governments to focus on non-partisan approaches to security that will foster information technology innovation and economic growth. Governments should promote policies that are globally scalable and flexible enough to address the evolving security landscape by focusing on robust and transparent security solutions. We believe they should develop risk-based, evidence-driven, design-neutral approaches to security policy and be informed by consensus-driven processes.
To build sound cybersecurity policy, we ask governments to broadly focus on advancing policies that target areas of mutually beneficial outcomes:
- Improve industry and government information sharing in a way that maintains data confidentiality, integrity and availability with adequate liability protection to business.
- Promote cybersecurity research and development (R&D) and workforce development.
- Support trustworthy, transparent, and resilient supply chains.
- Design security policy that rests on a robust foundation of internationally recognized best practices, standards and technologies, while allowing flexibility for continuous innovation and growth.
Key Issues
In addition to this approach, Intel has identified several high-level themes and recommendations to guide our policy approach when it comes to security and trust.
Supply Chain Security
Cyberattacks against information and communications technology (ICT) supply chains are becoming increasingly sophisticated. The impact of these attacks has never been more significant, particularly within the context of the COVID-19 pandemic and the SolarWinds attack. Countries are beginning to favor policies that target country of origin as a means of mitigating supply chain risk rather than developing policies built on a foundation of evidence, data and transparency. Purely insular supply chain policies, particularly in the United States (U.S.), are likely to prompt reciprocal effects from other nations, causing significant negative impacts on international trade. Rather than creating barriers to building a robust global supply chain, governments should support policies that focus on domestic production investment while establishing clear, transparent standards and guidelines for securing global supply chains. Objective criteria built on trust (such as the work done by the DHS Supply Chain Risk Management Task Force) are more sustainable and more likely to avoid the impacts of political trends that result in country-specific exclusions.
5G Security
Intel has long supported policy that favors trusted 5G products grounded in transparency and technical standards. The relationship between 5G and supply chain challenges is increasingly intertwined, so policymakers need to be conscious of both areas when drafting policy. Intel supports efforts like Open RAN, which is seen internationally as an opportunity for countries to build new companies and new market entrants to roll out 5G. Since 5G will be a part of the global internet infrastructure, Intel supports a 5G policy that seeks to ensure safe, reliable and open infrastructure.
Securing Internet of Things (IoT) Devices
Ubiquitous connectivity has brought forth a new era of intelligent, connected devices and data-driven capabilities delivering benefits to society and users. Public policies should encourage innovation and competition to preserve these benefits and accelerate secure, scalable and interoperable IoT deployment. Concerns regarding expanding attack surfaces and increased embeddedness in the digital ecosystem have prompted IoT security regulation proposals globally. Intel supports design-neutral regulation rooted in internationally harmonized standards that leverage risk-based approaches to securing IoT devices and avoid fragmented requirements while supporting interoperability. Intel actively collaborates with the ecosystem in the development of international standards in ISO (JTC 1, SC27) and other organizations. Intel also participates in other consensus-driven efforts, such as NIST IoT Device Security Requirements (NISTIR 8259) and the Council to Secure the Digital Economy C2 Consensus on IoT Security Baseline Capabilities project.
Security Certification
Governments worldwide show increased interest in creating cybersecurity certification and labeling schemes to boost confidence in products, services and companies in their markets. Current proposals include the EU Cloud Certification Scheme, NIST FIPS 140-3 Security Requirements for Cryptographic Modules, and several others. Intel supports government efforts to ensure adequate security for its technologies, as long as these efforts follow a risk-based process for determining appropriate requirements and can evolve with the rate of technology advancement. The context for technology deployment is critical to determining how best to secure the environment (highlighted in ITI’s Policy Principles for Cybersecurity Certification). Blanket requirements are often too rigid to accommodate this variance. Additionally, innovation in the technology space evolves rapidly and certification schemes are often unable to keep pace with new developments. All these factors and more need to be considered before pursuing a certification or labeling regime. Collaboration with industry during the development of such a scheme is vital to establishing and maintaining long-term success.
Encryption
Encryption is a fundamental technology essential to make ICT infrastructure secure and reliable. In past decades, researchers, industry and governments worldwide collaborated to develop encryption mechanisms that supported interoperability globally. Local technology mandates proposed in the name of national security cause harm to the compatibility of the global market. Such mandates can negatively impact users within that country by forcing the technology to be, by nature, less secure. For this reason, Intel supports globally harmonized encryption standards and regulations. See more in this blog that details Intel’s positions on encryption policy.