These pillars of regulatory harmonization dominated the appeals from industry at the recent U.S.-EU Cyber Dialogue. On Friday, December 16th, I had the honor and privilege of participating in the latest installment of this Dialogue—an annual event initiated in 2013 to facilitate transatlantic cooperation in cybersecurity. This year’s event saw participants from the European Commission and European Agency for Cybersecurity to the U.S. Office of the National Cyber Director and the State Department’s Bureau of Cyberspace and Digital Policy. During the industry session, hosted by the U.S. Chamber of Commerce, European, American, and multinational companies shared a variety of viewpoints focused on the importance of public-private partnerships in cybersecurity, and nearly every viewpoint included a call for harmonized regulation.
Technology-minded policymakers worldwide are engrossed in the alarming increase in devastating cyberattacks on critical infrastructure, government networks, small and midsize businesses, and individual citizens. Policymakers have homed in on the need to increase the level of cybersecurity within critical infrastructure, vendor products and services, and associated supply chains – all while increasing incident reporting and information sharing with the goal of inoculating entire industries from cyber threats at machine speed. Protecting citizens and critical infrastructure from cyber threats is exactly what policymakers should do. We all agree on this point.
But the need for harmonization in these sprawling regulatory approaches is needed now more than ever. Since coming into force of the European Union General Data Protection Regulation (GDPR) in 2018, the regulations targeting technology and cybersecurity have increased markedly. Since 2018, we’ve seen the introduction of policies such as the Network and Information Systems Directives 1.0 and 2.0, the Cybersecurity Act, AI Act, Data Governance Act, Data Act, and Cyber Resilience Act in the EU; Cybersecurity Review Measures, Personal Information Protection Law, and Data Security Law in China; and the EO on Improving the Nation’s Cybersecurity, Department of Defense Cybersecurity Maturity Model Certification (CMMC), TSA Pipeline Security Directive, Cyber Incident Reporting for Critical Infrastructure Act of 2021 (CIRCIA), and the Cybersecurity Performance Goals in the U.S.—just to name a few.
What’s more alarming than the pace of new regulations is that the underlying requirements of these regulations often require industry to comply with local, national standards as opposed to existing international standards. This is costly, counterproductive, and unnecessary. The body of existing international standards in cybersecurity is both broad and deep. There are entire suites of standards and guidelines for applications such as consumer internet of things devices (e.g., ISO/IEC 27402, IoT Security Foundation (IoTSF) (2018) IoT Security Compliance Framework, European Telecommunications Standards Institute (ETSI) (2019) Cyber Security for Consumer Internet of Things, and Council to Secure the Digital Economy (CSDE) (2019) The C2 Consensus on IoT Device Security Baseline Capabilities.), industrial control systems (e.g., IEC/ISA 62443 suite), and cloud applications (e.g., ISO 27000 series). This is not to suggest that international standards are a panacea or that they exist for every application or use case, but they are a logical starting place and should be leveraged as a first step in the regulatory harmonization process by governments globally.
I left the U.S.-EU Cyber Dialogue feeling encouraged. By the end of our two-hour meeting, it was clear that the message had been received as both U.S. and EU policymakers reiterated the need and importance of regulatory harmonization multiple times. In fact, this week began with a joint statement from the U.S.-EU Trade and Technology Council (TTC) where, importantly, the two governments stated that future collaboration would be focused on the area of cybersecurity standards and that the US-EU Cyber Dialogue would be a central place to facilitate these collaborations.
The moment has arrived for both the U.S. government and European Commission to translate this momentum into practical wins. This fall, the European Commission released its proposed text of the Cyber Resilience Act, a foundational proposal for the mandatory adoption of cybersecurity features in digital products spanning multiple industries. Days later, the White House announced its intention to facilitate a cybersecurity labeling scheme for IoT products, based upon the good work of the National Institute of Standards and Technology (NIST) on IoT security. On both sides of the Atlantic, there is a real opportunity to ensure that these efforts are well coordinated, leverage existing international standards, and potentially even demonstrate mutual recognition where conformance to one scheme would satisfy the requirements of the other and vice versa. Through this collaboration and harmonization, we can focus our collective resources on improving the baseline of cybersecurity across various industries, but in a way that makes sense for policymakers and industry.