Ten major cybersecurity companies have written to the U.S. Trade Representative Robert Lighthizer to urge that alignment of cybersecurity standards — and the use of risk management tools like the NIST Cybersecurity Framework — should become part of the re-negotiation of the North America Free Trade Agreement that started this week.
“The government … needs to step up to the plate” in international affairs where cybersecurity is concerned, Amit Yoran, CEO of Tenable, and one of the letter’s signatories, told CyberScoop. The other companies signing on are Rapid7, Arbor Networks, Bugcrowd, CA Technologies, Cybereason, Forescout, McAfee, Mimecast and Symantec.
“Trade issues related directly to the U.S. cybersecurity industry are absent” from the lengthy list of U.S. negotiating objectives in the NAFTA rewrite released by Lighthizer’s office, the letter complains, while welcoming the inclusion of objectives related to digital trade more generally.
That omission is especially damaging, the letter suggests, because “Numerous countries are currently considering or implementing regulations related to cybersecurity that create trade barriers, such as data localization, transfer of source code, cryptographic design specification or other restrictive technology requirements.”
U.S. officials need to offer a positive alternative to protectionist-based measures supposedly undertaken to promote national cybersecurity, by backing open, interoperable standards and the use of risk management approaches like the NIST Cybersecurity Framework on the global stage, the letter argues.
Lighthizer has specifically criticized what his office calls “Technology barriers” to digital trade, “Including requirements to meet onerous and unnecessary security standards and requirements to disclose encryption algorithms or other proprietary source code.” And eliminating data localization requirements and compelled source-code transfer mechanisms are among the U.S. negotiating objectives for this week’s talks, where the American delegation is led by Assistant U.S. Trade Representative for the Western Hemisphere John Melle.
But the letter’s authors argue it’s not enough just to oppose such barriers — U.S. negotiators should offer a positive alternative. “Promoting standards-based cybersecurity norms would also be helpful to providing clear alternatives to detrimental practices ostensibly undertaken for cybersecurity, steering the discussion to interoperable principles and processes,” they write.
One such norm they suggest the U.S. should promote is the “development and alignment” by NAFTA parties of flexible, voluntary, risk-management-based frameworks like the NIST Cybersecurity Framework. This is especially important, they argue, because of the big differences in the cybersecurity maturity of the three parties.
“If similar risk management frameworks were common across international markets, cybersecurity companies and customers would be better able to consistently communicate how products and services fit within an overarching protection plan, streamlining trade,” they state.
This isn’t necessarily a matter of getting Mexico and Canada to adopt the NIST framework, explained Yoran: “Embracing something similar could be very helpful.” The point is that it had to be voluntary, developed with industry input and flexible.
“This is more foundational than just NAFTA,” said Yoran, “We need a recognition on the part of government … that they need to bring this cyber issue to the table in multilateral and bilateral negotiations … [over] trade agreements, economic agreements, other agreements.”