December 10, 2018

Request for Comments Response to the United States Trade Representative on "Negotiating Objectives for a U.S.-European Union Trade Agreement"

Request for Comment on “Negotiating Objectives for a U.S.-European Union Trade Agreement”

Submitted via http://www.regulations.gov

Edward Gresser

Office of the United States Trade Representative

600 17th Street, NW

Washington, DC 20508

RE: Request for Comment on “Negotiating Objectives for a U.S.-European Union Trade Agreement”

The Cybersecurity Coalition (“Coalition”) submits this comment in response to the Request for Comment issued by the Office of the United States Trade Representative (“USTR”) on November 15, 2018 regarding negotiating objectives for a U.S.-European Union trade agreement.1 The Coalition appreciates the opportunity to comment on the U.S.-European Union trade negotiations and looks forward to working with USTR and the Trade Policy Staff Committee (“TPSC”) to encourage the promotion of cybersecurity terms that will reduce barriers to digital trade.

The Coalition is composed of leading companies with a specialty in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.2 We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management. We are supportive of efforts to identify and promote the adoption of cybersecurity best practices, information sharing, and voluntary standards throughout the global community.

The Coalition recommends that the parties to the U.S.-European Union trade negotiations include a dedicated chapter on digital trade, similar to the chapter in the United States-Mexico-Canada Agreement (“USMCA”) concluded earlier this year.3 Such a chapter would help reduce existing technical, regulatory, and artificial barriers to online trade and set forth standards that enable the seamless flow of data and information between global entities. To that end, the Coalition urges USTR to negotiate for provisions within a digital trade chapter that: 1) establish interoperable approaches to cybersecurity risk management; 2) build incident response and coordinated vulnerability disclosure capabilities; and 3) strengthen effective cyber threat information sharing.

Interoperable Risk Management Approach to Cybersecurity. The Coalition recommends that USTR and its European Union counterparts include language in a digital trade chapter that requires the development and use of voluntary, interoperable cybersecurity risk management approaches. To achieve this goal, the USTR should advocate for cybersecurity risk management terms similar to those in the USMCA.4 Risk management-focused provisions in a U.S.-European Union trade agreement should build on the USMCA’s digital trade language by stressing the need for interoperability and alignment of risk management approaches in relevant jurisdictions.

A cybersecurity risk management framework is only as strong as the willingness of stakeholders to use it and of governments to recognize its use. This matters because digital technologies bind organizations together with their suppliers, partners, constituents, and customers, so a framework that one organization adopts only delivers its full value when the organizations it depends on adopt a compatible one. To build a cybersecurity framework that organizations of all sizes will want to leverage and reference in their routine practice, care must be taken to ensure that it accounts for the economic, political, and cultural factors that interact with the cyber realm, in order to maximize adoption at a national level.

The Coalition recognizes that the parties will likely tailor their risk management approaches to their own national concerns. Regardless of how a framework is tailored to national priorities, one element should remain present in any national or regional cybersecurity framework: interoperability. USTR should seek language requiring all parties to adopt compatible approaches to cyber risk management so that governments and enterprises can interact and work together across borders to manage global threats without friction. An interoperable approach brings trade benefits to companies across all U.S. industries. For the companies that build cybersecurity hardware and software, it helps ensure they do not need to build separate products to meet varying requirements in each market, or build to country-specific standards. Interoperability also benefits the services and manufacturing industries that rely on a secure digital infrastructure to conduct their U.S.-EU trade.

To achieve this level of interoperability, the Coalition believes the parties should agree to the following common policies:

  1. The process for building a national framework for managing cybersecurity risk must be the result of a public-private partnership that is open, participatory, and transparent, giving all stakeholders a meaningful opportunity to review drafts, offer comments, and understand how competing viewpoints factored into the resulting document;
  2. The framework should be constructed using widely accepted industry-led practices and standards developed in open, voluntary, consensus-based processes;
  3. Wherever practicable, use of the resulting framework should be voluntary and incentivized by market-forces to ensure flexibility to adapt responses to a dynamic threat environment; and
  4. Where regulators are developing mandatory requirements to protect critical systems and essential services, they too should be built using process-oriented, standards-based mechanisms for cyber risk-management.

The goal is to develop an approach that organizations across the economy will want to implement. This, in turn, leads to greater adoption and better outcomes than are generally achieved by a top-down regulatory approach. When voluntary adoption is paired with market incentives, the rate of adoption rises substantially. For example, an organization adopting a cybersecurity framework could be offered competitive advantages driven by actors in the commercial market, such as preferential treatment in procurement opportunities. Incentives of this kind provide a basis for enticing full marketplace participation, rather than selected sector-based compliance regimes that rely on enforcement. Government has a role to play in helping to incentivize adoption by industry, and in recognizing industry-led cyber risk management as an appropriate means of addressing cybersecurity concerns.

This approach has worked well in the past for incentivizing compliance with international technical and security standards. Several EU member states have embraced approaches to risk management similar to that of the U.S. For example, Italy has adopted its own National Cybersecurity Framework.5 There, the approach helped build industry standards and fostered innovation without imposing unnecessary obstacles to trade.

Incident Response and Coordinated Disclosure. A digital trade chapter in any U.S.-European Union trade agreement should include provisions on building the capabilities of national entities responsible for incident response and coordinated disclosure. Security incidents threaten not only the data that is the target of a cyber-attack or the information that is accessed or acquired through a given breach; they also threaten organizations as a whole, causing service outages, process slow-downs, and general reputational harm. Strong incident response and management practices therefore benefit businesses overall and should be adopted on an international level to help develop best practices and recommended procedures.

In this context, the Coalition recommends that USTR advocate for incident response provisions that mirror those in the USMCA.6 Affirming the parties’ commitments to building the capabilities of national entities responsible for cybersecurity incident response would help decrease barriers to digital trade, because the methods and tools for reacting to security incidents and data breaches would be strengthened on both sides. Thus, a digital trade chapter in a U.S.-European Union trade agreement should commit all parties to developing robust capabilities for detecting, triaging, analyzing, and responding to security incidents and data breaches.

In addition to bolstering cybersecurity incident response capabilities, a digital trade chapter should commit all parties to building the capabilities of national entities responsible for coordinated disclosure of security vulnerabilities. Coordinated disclosure is the process by which a party that discovers a cybersecurity vulnerability in a vendor’s product or system configuration reports it to the vendor so that the vendor can understand the problem and develop a mitigation. Including terms that require developing coordinated disclosure capabilities in a U.S.-European Union trade agreement would benefit digital trade. The Coalition recommends that this effort take into account both entities that facilitate the coordinated disclosure of vulnerabilities between private sector businesses and entities that facilitate the disclosure of nonpublic vulnerabilities from government to private sector organizations.

Information Sharing. The USMCA includes language requiring the parties to “endeavor to strengthen existing collaboration mechanisms for cooperating to identify and mitigate malicious intrusions or dissemination of malicious code that affect electronic networks, and use those mechanisms to swiftly address cybersecurity incidents, as well as for the sharing of information for awareness and best practices.”7 The Coalition recommends that the full text of this subsection be reproduced in the digital trade chapter of a U.S.-European Union trade agreement. Terms such as these reaffirm countries’ commitments to communicating, collaborating, and cooperating to identify and mitigate cybersecurity threats and vulnerabilities.

In order to protect individuals from privacy harms caused by security incidents, many U.S. organizations (including but not limited to companies in the cybersecurity industry) process and share information about security threats. This is consistent with U.S. consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework.8 Sharing threat data with other organizations for security purposes, including other service providers, Information Sharing and Analysis Organizations (ISAOs), or computer emergency response teams (CERTs), can help those organizations mitigate vulnerabilities that compromise the confidentiality of personal information, avoid exposures that can lead to accidental breach of personal information, prepare for suspected or known malicious actors, and more.

Outlining a commitment to information sharing in the text of the agreement would help decrease barriers to digital trade by supporting mechanisms for identifying security threats that are present and active in multiple countries. Inviting interested parties to access a wider range of threat information by broadening threat sharing goals would help to increase companies’ ability to engage in safe and secure digital trade. As a result, a digital trade chapter in a U.S.-European Union trade agreement should instruct the parties to endeavor to foster communication and information sharing in order to help them better prepare for and mitigate cybersecurity vulnerabilities.

* * *

A digital trade chapter in a U.S.-European Union trade agreement should call upon all parties to: 1) adopt interoperable approaches to cybersecurity risk management; 2) build the capabilities of national entities responsible for coordinated incident response and vulnerability disclosure policies; and 3) strengthen existing collaboration mechanisms to share actionable cyber threat information.

The Coalition appreciates the opportunity to comment on this important effort and looks forward to continued collaboration with USTR and the TPSC as they engage the European Union on mutually beneficial trade terms.


Respectfully Submitted,

The Cybersecurity Coalition


December 10, 2018

CC: Ari Schwartz, Venable LLP

1 See 83 Fed. Reg. 57526-57527 (Nov. 11, 2018).

2 The views expressed in this comment reflect the consensus views of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.

3 USMCA Art. 19.

4 See Coalition for Cybersecurity Policy & Law, Comment Letter on Negotiating Objectives Regarding Modernization of the North American Free Trade Agreement with Canada and Mexico (Jun. 12, 2017), https://www.regulations.gov/document?D=USTR-2017-0006-1273; see also Cybersecurity Industry Letter to USTR Regarding Incorporating Cybersecurity Trade Issues in the North American Free Trade Agreement (Aug. 9, 2017), https://www.rapid7.com/globalassets/_pdfs/rapid7-comments/cybersecurity-industry-letter-to-ustr-re-nafta-080917.pdf.

5 Roberto Baldoni, Luca Montabari, Cyber Intelligence and Information Security Center, Cyber Security National Laboratory, Italian Cyber Security Report (2016), http://www.cybersecurityframework.it/sites/default/files/CSR2015_ENG.pdf.

6 USMCA Art. 19.15(1)(a).

7 USMCA Art. 19.15(1)(b).

8 See, e.g., ID.RA-2 and RS.CO-5 on information sharing in the NIST Cybersecurity Framework.