Submitted via http://www.regulations.gov
Chair of the Trade Policy Staff Committee
Office of the United States Trade Representative
600 17th Street, NW
Washington, DC 20508
The Cybersecurity Coalition (“Coalition”) submits this comment in response to the Request for Comments issued by the Office of the United States Trade Representative (“USTR”) on November 16, 2018 regarding negotiating objectives for a U.S.-United Kingdom trade agreement.[1] The Coalition appreciates the opportunity to comment on the U.S.-United Kingdom trade negotiations and looks forward to working with USTR and the Trade Policy Staff Committee (“TPSC”) to encourage the promotion of cybersecurity terms that will reduce barriers to digital trade.
The Coalition is composed of leading companies with a specialty in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.[2] We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management. We are supportive of efforts to identify and promote the adoption of cybersecurity best practices, information sharing, and voluntary standards throughout the global community.
The Coalition appreciates the opportunity to provide these comments and participate in this important discussion. Specifically, the Coalition recommends that the parties participating in the U.S.-United Kingdom trade negotiations advocate for a dedicated chapter on digital trade similar to the chapter that was included in the US-Mexico-Canada Agreement (“USMCA”) earlier this year.[3] Such a chapter would help reduce existing technical, regulatory, and artificial barriers to online trade and set forth standards for enabling the seamless flow of data and information between global entities. To that end, the Coalition urges USTR to negotiate for provisions within a digital trade chapter that: 1) establish interoperable approaches to cybersecurity risk management; 2) build incident response and coordinated vulnerability disclosure capabilities; 3) strengthen effective cyber threat information sharing; 4) reduce burdensome regulatory barriers and restrictions; 5) encourage a voluntary risk management framework that emphasizes transparency for Internet of Things (“IoT”) security features; and 6) reaffirm the parties’ commitments to strong encryption mechanisms.
Interoperable Risk Management Approach to Cybersecurity. The Coalition recommends that USTR and its United Kingdom counterparts include language in a digital trade chapter that requires the development and use of voluntary, interoperable cybersecurity risk management approaches. To achieve this goal, the USTR should advocate for cybersecurity risk management terms similar to those in the USMCA.[4] Risk management-focused provisions in a U.S.-United Kingdom trade agreement should build on the USMCA’s digital trade language by stressing the need for interoperability and alignment of risk management approaches in relevant jurisdictions.
A cybersecurity risk management framework is only as strong as the willingness of stakeholders to use it and governments to recognize its use. This is due in part to the fact that digital technologies bind organizations together through their supply chains, partnerships, and constituents and customers. To build a cybersecurity framework that is appealing for organizations of all sizes to leverage and reference as part of their routine practice, care must be taken to ensure that the risk management framework incorporates the economic, political, and cultural factors that interact with the cyber realm, in order to maximize adoption at a national level.
The Coalition recognizes that the parties will likely tailor their risk management approaches to their own unique national concerns. Regardless of the unique parameters that reflect a framework’s tailoring to national priorities, one element should remain present in any national or regional cybersecurity framework—that is interoperability. USTR should seek language requiring all parties to adopt compatible approaches to cyber-risk management so that governments and enterprises can interact and work together across borders to manage global threats without friction. An interoperable approach will bring various trade benefits to companies across all US industries: For the companies that build cybersecurity hardware and software, it can help ensure they do not need to make multiple products for varying requirements in each market, or build to country-specific standards. Interoperability can also benefit all services and manufacturing industries that will benefit from a secure digital infrastructure to conduct their US-UK trade.
To achieve this level of interoperability, the Coalition believes the parties should agree to the following common policies:
The goal is to develop an approach that all organizations across the economy will want to implement. This, in turn, will lead to greater adoption and better outcomes not generally achieved by a top-down regulatory approach. When voluntary adoption is paired with market incentives, the rate of adoption rises substantially. For example, an organization adopting a cyber framework could be offered certain competitive advantages, which would be driven by actors in the commercial market, or preferences in procurement opportunities. These incentives should provide a basis for enticing full marketplace participation, rather than selected sector-based compliance regimes that rely on enforcement. Government has a role to play in helping to incentivize adoption by industry, as well as in recognizing industry-led cyber risk management as an appropriate means of addressing cybersecurity concerns.
This approach has worked well for incentivizing compliance with international technical and security standards in the past. Several EU member states have embraced similar approaches to risk management as the US. For example, Italy has adopted its own National Cybersecurity Framework.[5] Here, the approach helped build industry standards, fostering innovation, while not imposing unnecessary obstacles to trade.
Incident Response and Coordinated Disclosure. A digital trade chapter in any U.S.-United Kingdom trade agreement should include provisions on building capabilities of national entities responsible for incident response and coordinated disclosure. Security incidents do not only threaten the data that is subject to a cyber-attack or the information that is accessed or acquired through a given breach; security incidents also threaten organizations on the whole, causing service outages, process slow-downs, and general reputational harm. Therefore, strong incident response and management practices benefit businesses overall and should be adopted on an international level to help develop best practices and recommended procedures.
In this context, the Coalition recommends that the USTR advocate for incident response provisions that mirror those in the USMCA.[6] Affirming the parties’ commitments to building the capabilities of national entities responsible for cybersecurity incident response would help decrease barriers to digital trade, as methods and tools for reacting to security incidents and data breaches would be strengthened. Thus, a digital trade chapter in a U.S.-United Kingdom trade agreement should ensure all parties shall develop robust capabilities for detecting, triaging, analyzing, and responding to security incidents and data breaches.
In addition to bolstering cybersecurity incident response capabilities, a digital trade chapter should also ensure all parties shall build capabilities of national entities responsible for coordinated disclosure of security vulnerabilities. Coordinated disclosure involves making a software vendor aware of a cybersecurity vulnerability that has been discovered in one of its products or system configurations in order to alert the vendor to the problem and increase the possibility of mitigating it. Including terms that require developing coordinated disclosure capabilities in a U.S.-United Kingdom trade agreement would benefit digital trade. The Coalition recommends that this effort take into account both entities that facilitate the coordinated disclosure of vulnerabilities between private sector businesses and entities that facilitate the disclosure of nonpublic vulnerabilities from government to private sector organizations.
Information Sharing. The USMCA includes language requiring the parties to “endeavor to strengthen existing collaboration mechanisms for cooperating to identify and mitigate malicious intrusions or dissemination of malicious code that affect electronic networks, and use those mechanisms to swiftly address cybersecurity incidents, as well as for the sharing of information for awareness and best practices.”[7] The Coalition recommends that the full text of this subsection be reproduced in the digital trade chapter of a U.S.-United Kingdom trade agreement. Terms such as these reaffirm countries’ commitments to communicating, collaborating, and cooperating to identify and mitigate cybersecurity threats and vulnerabilities.
In order to protect individuals from privacy harms caused by security incidents, many U.S. organizations (including but not limited to companies in the cybersecurity industry) process and share information about security threats. This is consistent with United States consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework.[8] Sharing threat data with other organizations—including other service providers, Information Sharing and Analysis Organizations, or computer emergency response teams—for security purposes can help those organizations mitigate vulnerabilities that compromise the confidentiality of personal information, avoid exposures that can lead to accidental breach of personal information, prepare for suspected or known malicious actors, and more. Notably, this sharing must happen across national borders in order to protect assets and systems globally, and so an ongoing commitment to promoting cross-border data flows and sharing is an important component of preventing the privacy harms associated with security threats.
Outlining a commitment to information sharing in the text of the agreement would help decrease barriers to digital trade by supporting mechanisms for identifying security threats that are present and active in multiple countries. Inviting interested parties to access a wider range of threat information by broadening threat sharing goals would help to increase companies’ ability to engage in safe and secure digital trade. As a result, a digital trade chapter in a U.S.-United Kingdom trade agreement should instruct the parties to endeavor to foster communication and information sharing internationally as needed in order to help them better prepare for and mitigate cybersecurity vulnerabilities.
Regulatory Restrictions. The Coalition urges USTR to work with trade officials in the United Kingdom to identify and minimize regulatory restrictions that encumber the processing of data for threat identification and mitigation activities, including barriers to the free flow of personal information and data.
To help organizations satisfy their privacy obligations and protect individuals from privacy harms caused by security incidents, many organizations (including but not limited to companies in the cybersecurity industry) process and share large-scale information about cybersecurity threats. This is consistent with consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework. However, burdensome regulatory restrictions can inhibit this beneficial defensive information processing and can therefore thwart organizations’ abilities to detect, combat, and mitigate security threats.
The processing and sharing of cyber threat information is a necessary component of a comprehensive security framework. The Coalition recommends, therefore, that any U.S.-United Kingdom trade agreement ensure this beneficial activity can continue to effectively protect security and privacy. It is important to avoid overly broad regulatory restrictions on information sharing. Similarly, the parties should avoid creating a narrow “exception” for security practices in order to ensure companies, organizations, and governments have the necessary flexibility and incentives to undertake critical cybersecurity activities.
Internet of Things. IoT devices and technologies improve the lives of consumers by giving them access to information in ways that make their lives easier. To date, these important new devices have provided myriad benefits to consumers, including enabling Internet access from the palm of a person’s hand, giving individuals the ability to better monitor their health information, allowing for smart homes and smart security systems, among others. In addition to individual consumers, private enterprises and the federal government also use IoT technologies in their day-to-day operations. Despite the significant and rapid growth of IoT technologies, IoT devices are relatively new to the technology landscape and society has barely scratched the surface of the ways in which IoT devices and technologies can improve lives and streamline business and government processes. As a result, a U.S.-United Kingdom trade agreement should contain provisions that secure these important new technologies while supporting flexibility and innovation in the space.
The best way for the United States and the United Kingdom to ensure flexibility and innovation for IoT technologies is to embrace a voluntary risk management approach that facilitates the transparency of IoT security features. USTR should work to harmonize this voluntary risk management framework with similar work that is taking place in many countries with respect to IoT, such as the United Kingdom’s Code of Practice for IoT Security and related mapping guide.[9] Additionally, USTR should consider focusing its efforts on working with the United Kingdom to develop a seal, mark, or emblem that IoT devices can display to indicate that they meet basic security standards. Such an effort would support the parties’ commitments to transparency and strong security standards for IoT technologies.
Affirming the parties’ commitments to voluntary and transparent processes that include information security and risk management activities in IoT devices’ life cycles will support the development of necessary cybersecurity controls without imposing burdensome mandates that may stifle innovation. The United States has already embraced this approach to IoT in different contexts, such as through the Department of Commerce and Department of Homeland Security’s Botnet Road Map.[10] As a result, the United States and the United Kingdom should commit to collaborating with the private sector and innovators in an effort to encourage a voluntary, transparent risk management approach to these technologies that will help accelerate the widespread deployment and adoption of IoT devices.
Encryption. Encryption is an important tool that allows digitized information to be protected from unauthorized access and use. Governments, private companies, and consumers alike depend on encryption protocols to secure the sensitive information they retain, use, and exchange. As a result, governments, companies, and individuals should be able to use and access strong encryption mechanisms in order to protect their data.
There should be no regulation of cryptographic capabilities in widely available products used in the domestic commercial market because mandating or favoring specific encryption technologies will raise product costs and reduce, not increase, security as security threats continue to evolve. We also would like the parties to prohibit disclosure of algorithms and strongly encourage the use of global or international standards, including for normative algorithms, to enable more secure technologies due to the peer review involved. In the limited circumstances where regulation may be necessary, we recommend that the parties advocate for transparency and non-discrimination in any regulatory requirements, either in force or being developed, concerning encryption in semiconductors used in domestic commercial markets, including the conformity assessment procedures used to demonstrate compliance with those requirements.
Governments all over the world have considered whether their need to access individuals’ data for law enforcement purposes should outweigh the benefits provided by strong encryption mechanisms. Some governments have required companies to circumvent their own encryption protocols in the name of law enforcement by giving government officers a “back door” to access personal data. The Coalition believes that government mandates for a “back door” to consumer data weaken encryption, create technical barriers to trade, and present new vulnerabilities that bad actors can take advantage of in order to access sensitive information. Furthermore, legislation requiring weakened encryption and “back door” mechanisms would be technically complicated, ripe for abuse, and difficult for businesses to comply with while simultaneously ensuring they maintain strong data privacy controls.
As a result, the Coalition recommends that as a starting point, the trade agreement between the United States and United Kingdom should include the provisions that appear in Article 12.C.2 of the USMCA. Such provisions would expressly affirm the countries’ commitments to refrain from requiring private companies to weaken encryption protocols as a condition of market access.[11] Furthermore, the agreement should move a step beyond the encryption provisions contained in the USMCA by prohibiting the United States and the United Kingdom from requiring private companies to implement technical designs that allow for “back door” government access to consumer data.
* * *
A digital trade chapter in a U.S.-United Kingdom trade agreement should call upon all parties to: 1) adopt interoperable approaches to cyber security risk management; 2) build the capabilities of national entities responsible for coordinated incident response and vulnerability disclosure policies; 3) strengthen existing collaboration mechanisms to share actionable cyber threat information; 4) identify and minimize regulatory restrictions; 5) support a voluntary risk management framework for IoT technologies that advocates for transparency in security features; and 6) reaffirm the parties’ commitments to strong encryption mechanisms.
The Coalition appreciates the opportunity to comment on this important effort and looks forward to continued collaboration with the USTR and the TPSC as it engages the United Kingdom on mutually beneficial trade terms.
The Cybersecurity Coalition
January 15, 2019
CC: Ari Schwartz, Venable LLP
[1] See 83 Fed. Reg. 57790-57791 (Nov. 16, 2018).
[2] The views expressed in this comment reflect the consensus views of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.
[3] USMCA Art. 19.
[4] See Coalition for Cybersecurity Policy & Law, Comment Letter on Negotiating Objectives Regarding Modernization of the North American Free Trade Agreement with Canada and Mexico (Jun. 12, 2017), https://www.regulations.gov/document?D=USTR-2017-0006-1273; see also Cybersecurity Industry Letter to USTR Regarding Incorporating Cybersecurity Trade Issues in the North American Free Trade Agreement (Aug. 9, 2017), https://www.rapid7.com/globalassets/_pdfs/rapid7-comments/cybersecurity-industry-letter-to-ustr-re-nafta-080917.pdf.
[5] ROBERTO BALDONI, LUCA MONTANARI, CYBER INTELLIGENCE AND INFORMATION SECURITY CENTER, CYBERSECURITY NATIONAL LABORATORY, ITALIAN CYBER SECURITY REPORT (2016), http://www.cybersecurityframework.it/sites/default/files/CSR2015_ENG.pdf.
[6] USMCA Art. 19.15(1)(a).
[7] USMCA Art. 19.15(1)(b).
[8] See, e.g., ID.RA-2 and RS.CO-5 on information sharing in the NIST Cybersecurity Framework.
[9] U.K. DEP’T FOR DIGITAL, CULTURE, MEDIA, AND SPORT, CODE OF PRACTICE FOR CONSUMER IOT SECURITY (Oct. 2018), located at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf; U.K. DEP’T FOR DIGITAL, CULTURE, MEDIA, AND SPORT, MAPPING OF IOT SECURITY RECOMMENDATIONS, GUIDANCE AND STANDARDS TO THE UK’S CODE OF PRACTICE FOR CONSUMER IOT SECURITY (Oct. 2018), located at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT_Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf.
[10] U.S. DEP’T OF COM. & U.S. DEP’T OF HOMELAND SEC., A ROAD MAP TOWARD RESILIENCE AGAINST BOTNETS 4-10 (Nov. 29, 2018), located at https://www.commerce.gov/sites/default/files/2018-11/Botnet%20Road%20Map%20112918%20for%20posting_0.pdf (listing workstreams and tasks to encourage stakeholders to engage in a voluntary risk-management approach to IoT that emphasizes transparency for security features).
[11] USMCA Art. 12.C.2.