Security and Trust Policy

Intel public policy: How Intel promotes innovation worldwide

The ever-increasing scale, scope, and sophistication of cybersecurity attacks and global supply chains have required governments and industries to evolve their approaches to combating these threats, including better cross-sector coordination. Security is consistently at the forefront of Intel’s innovation as both a consumer and developer of cybersecurity technologies. Intel integrates security technology into our products. Our Security First Pledge highlights how Intel emphasizes security across our product lifecycle, beginning with our Security Development Lifecycle, through coordinated vulnerability disclosure processes and including our collaboration with industry, academia, and independent researchers.

Intel’s security objective is in direct alignment with that of global governments: to promote trust in technology by enabling governments, businesses, and individuals to better secure their data, networks, and infrastructure. To accomplish this goal, we encourage governments to focus on non-partisan approaches to security that will foster IT innovation and economic growth. For governments to promote policies that are globally scalable and flexible enough to address the evolving security landscape, we believe they should (1) focus on robust and transparent security solutions, (2) develop risk-based, evidence-driven, design-neutral approaches to security policy, and (3) be informed by consensus-driven processes.

To build sound cybersecurity policy, we ask governments to broadly focus on advancing policies that target areas of mutually beneficial outcomes: (1) improving industry and government information sharing in a way that maintains appropriate data confidentiality, integrity, and availability, while providing adequate liability protection to business; (2) promoting cybersecurity research and development (R&D) and workforce development; (3) supporting trustworthy, transparent, and resilient supply chains; and (4) designing security policy that rests on a robust foundation of internationally recognized best practices, standards, and technologies, while allowing flexibility for continuous innovation and growth. In addition to this approach, Intel has identified several high-level themes and recommendations to guide our policy approach when it comes to security and trust:

  • Supply Chain Security: Cyber-attacks against ICT supply chains are becoming increasingly sophisticated. The impact of these attacks has never been more significant, particularly within the context of the COVID-19 pandemic and the SolarWinds attack. Countries are beginning to favor policies that target country of origin as a means of mitigating supply chain risk rather than developing policies built on a foundation of evidence, data, and transparency. Purely insular supply chain policies, particularly those in the US, are likely to have reciprocal effects from other nations, causing significant negative impacts on international trade. Rather than creating barriers to building a robust global supply chain, governments should support policies that focus on domestic production investment while establishing clear, transparent standards and guidelines for securing global supply chains. Objective criteria built on trust (such as the work done by the DHS Supply Chain Risk Management Task Force) are more sustainable and more likely to avoid the impacts of political trends that result in country-specific exclusions.
  • 5G Security: Intel has long been supportive of policy that favors trusted 5G products grounded in transparency and technical standards. The relationship between 5G and supply chain challenges is increasingly intertwined, so policymakers need to be conscious of both areas when drafting policy. Intel supports efforts like Open RAN, which is seen internationally as an opportunity for countries to build new companies and new market entrants to roll out 5G. Since 5G will be a part of the global Internet infrastructure, Intel supports 5G policy that seeks to ensure safe, reliable, and open infrastructure.
  • Securing Internet of Things (IoT) Devices: Ubiquitous connectivity has brought forth a new era of intelligent, connected devices and data-driven capabilities delivering benefits to society and users. Public policies should encourage innovation and competition to preserve these benefits and accelerate secure, scalable, and interoperable IoT deployment. Concerns regarding expanding attack surfaces and increased embeddedness in the digital ecosystem have prompted IoT security regulation proposals globally. Intel supports design-neutral regulation rooted in internationally harmonized standards that leverage risk-based approaches to securing IoT devices and avoid fragmented requirements while supporting interoperability. Intel actively collaborates with the ecosystem in the development of international standards in ISO (JTC 1, SC27) and other organizations and participates in other consensus-driven efforts, such as the NIST IoT Device Security Requirements (NISTIR 8259) and the Council to Secure the Digital Economy C2 Consensus on IoT Security Baseline Capabilities project.
  • Security Certification: Governments worldwide show increased interest in creating cybersecurity certification and/or labeling schemes for products, services, or company processes in an attempt to boost confidence in products, services, and companies in their markets. Current proposals include the EU Cloud Certification Scheme, NIST FIPS 140-3 Security Requirements for Cryptographic Modules, and several others. Intel supports government efforts to ensure adequate security for its technologies, as long as these efforts are based on a risk-based process for determining appropriate requirements and are capable of evolving with the rate of technology advancement. The context for technology deployment is critical to determining how best to secure the environment (highlighted in ITI’s Policy Principles for Cybersecurity Certification). Blanket requirements are often too rigid to accommodate this variance. Additionally, innovation in the technology space evolves rapidly and certification schemes are often unable to keep pace with new developments. All these factors, and more, need to be considered before pursuing a certification or labeling regime, and collaboration with industry during the development of such a scheme is vital to establishing and maintaining long-term success.
  • Encryption: Encryption is a fundamental technology essential to make ICT infrastructure secure and reliable. In past decades, researchers, industry, and governments worldwide collaborated to develop encryption mechanisms that supported interoperability globally. Local technology mandates proposed in the name of national security cause harm to the compatibility of the global market and can negatively impact users within that country by forcing the technology to be, by nature, less secure. For this reason, Intel supports globally harmonized encryption standards and regulations. See more in this blog that details Intel’s positions on encryption policy.