Computer networks spanning the globe know no national boundaries. A successful cyberattack on one computer system can have repercussions thousands of miles away.
A coordinated security strategy will protect national economies from attacks better than distinct national strategies.
Following the release of its Transatlantic Cybersecurity report earlier this year, the U.S. Chamber of Commerce hosted the EU-U.S. Cyber Dialogue stakeholder meeting. Attended by Rob Strayer of the U.S. State Department and Pawel Herczynski of the European External Action Service, it provided an opportunity for industry, civil society, and government representatives to discuss opportunities for expanding cybersecurity cooperation.
Three particular avenues have the potential to increase cyber resilience on both sides of the Atlantic:
1. Greater alignment between EU and U.S. approaches to private sector cybersecurity
With the EU’s Network and Information Security (NIS) Directive entering into force in May 2018, uncertainty remains about what this means for the private sector. Which companies will be designated as Operators of Essential Services? What security measures will they be required to implement? What is the process for cyber incident reporting?
Companies in the EU and U.S. are grappling with these questions, a situation further complicated by the divergent approaches being taken by EU member states and the looming implementation of the EU’s General Data Protection Regulation (GDPR), which creates strict requirements on companies for the processing of personal data.
While the European Commission cannot force member states to adopt a particular approach when implementing the NIS directive, further guidance from the European Union Agency for Network and Information Security (ENISA) on these questions would help to narrow the range of approaches with which companies must comply.
The commission’s new Cybersecurity Package has the potential to facilitate this goal by expanding ENISA’s mandate. Acting through the EU Cooperation Group, ENISA should highlight to member states the importance of leveraging international standards when developing benchmarks for security measures, as well as ensuring that processes for incident reporting are streamlined, taking into account GDPR requirements. This will enable companies to direct finite cybersecurity resources towards tangibly increasing resilience, rather than check-the-box compliance.
2. Cyber threat information sharing programs should be developed in a way that facilitates interaction between governments and businesses
While the threats that we face are shared, the information that the EU and the U.S. have about those threats remains constrained by national borders.
Breaking down these constraints is no mean feat. There are numerous legal, technical and, normative barriers to overcome. If our economies are to increase cyber resilience, we must focus our attention and resources on finding the necessary solutions to facilitate voluntary, protected, and cross-border information sharing, rather than relying on mandatory incident reporting in the wake of a successful attack to identify threats.
3. EU and U.S. officials must sustain a dialog between industry and government
This includes opportunities for companies to comment on proposed regulatory measures, as well as events such as stakeholder meetings, which enable the private sector to raise issues. In both the EU and the U.S., most critical infrastructure is owned and operated by the private sector. Any strategy for countering the threats we face must be predicated upon a strong partnership between public and private entities.
The U.S. Chamber will continue to push for a greater partnership between the business community and governments on these issues at the forthcoming Quadrilateral Cyber Dialogue in Brussels (December 19), at the Internet Governance Forum in Geneva (December 18-21), and throughout the years ahead.
Through better alignment of cybersecurity requirements, information sharing, and dialogue, we will be better prepared to face the shared threats to our political, economic, and social well-being.