With round one of renegotiations behind us and round two scheduled to begin on September 1 in Mexico City, there is still, despite efforts to move quickly, a pretty long road ahead for the next version of the North American Free Trade Agreement (NAFTA).
When NAFTA was first negotiated in 1994, the information age was in its adolescence, and cybersecurity was not the headliner that it is today. The World Wide Web had been publicly accessible for just a couple of years, and the first web browser had just recently been introduced. Over 23 years later, the information age has matured significantly. Connected device technology and the broader Internet of Things have already proven great value to the economy and to society.
We now know that while rapid technological innovation and the growth of the digital economy have propelled international investments, failing to adequately secure digital assets could put global value chains at risk. The increasing quantity and value of data produced by new technologies creates a powerful incentive for a range of actors, including isolated criminals, organized crime syndicates, and foreign states, to attempt cyber intrusions to gain access to this highly coveted information.
We now know that fostering digital trade and the growth of the digital economy necessarily requires parallel efforts towards mitigating cyber risks.
Unfortunately, cybersecurity-related trade issues were not highlighted in the Summary of Objectives for the NAFTA Renegotiation as released by the Office of the U.S. Trade Representative. There are multiple areas that make cybersecurity clearly a trade issue. At the most basic level, in today’s networked world, companies need to know that their trading partners and supply chain vendors are secure as a necessary starting point to trade. Also, when companies building security products must adapt those same products to different regulatory regimes in different countries, a non-tariff trade barrier is created. The time to go to market is longer, and the products are more expensive.
But all is not lost. U.S. Trade Representative Robert Lighthizer still has an opportunity to raise these trade issues related to cybersecurity, including cyber risk management, during the next round of renegotiations.
To further efforts to reduce barriers to digital trade, leaders and policymakers engaging in the renegotiation process must pursue a thoughtful, deliberate, and holistic approach to cybersecurity that encourages all organizations, entities, and institutions in society to assess their cyber risks and implement changes to mitigate these risks on a continual basis. Fortunately, the United States, Canada, and Mexico are aligned in their interest in applying a risk management approach to cybersecurity.
How can NAFTA support a risk management approach to cybersecurity? Successfully achieving a state of manageable cyber risk relies on the development and implementation of a comprehensive framework, supported by substantive guidance that has cross-sector, national, and international applicability. The National Institute of Standards and Technology’s (NIST) voluntary Cybersecurity Framework for Critical Infrastructure, known as the Cybersecurity Framework – which has been widely endorsed by industry and has begun to be widely used not only in the United States, but across all of North America – is a favorable and flexible approach to risk management.
The framework was developed pursuant to Executive Order 13636, issued in February 2013, which called for the development of a voluntary risk-based cybersecurity framework composed of a set of industry standards and best practices to help organizations manage cybersecurity risks. The ensuing process, undertaken over the next year, resulted in the development of the framework, which has since been adopted in a wide range of contexts in the U.S. government and the private sector marketplace. After breaking cybersecurity risk management into its five key elements – identify, protect, detect, respond, and recover – the framework provides an illustrative list of voluntary process standards and guidance focused on data security concerns and risk management processes that are already widely used and accepted by entities around the world.
While the framework has been very successful in the United States, we recognize and expect that Canada and Mexico may want to develop their own cybersecurity risk management frameworks, with unique parameters tailored to national priorities. But two elements should remain present in any national or regional cybersecurity framework – that it be developed via a transparent public-private partnership open to all interested stakeholders, and that its use is voluntary, referencing standards and guidelines developed, issued, and adopted voluntarily by stakeholders worldwide.
Flexibility is a key concept that allows organizations to buy into a cybersecurity risk management framework and implement it in an efficient manner appropriate to their sector or industry and reflective of the risks that are most relevant to them. Also, creating a framework through a real public-private partnership encourages both stakeholders in cybersecurity policy and the organizations implementing cyber risk management processes to provide feedback to improve the framework. Stakeholders must be able to understand how their views will improve the framework. The goal is to develop an approach that all organizations across the economy will want to implement. This, in turn, will lead to greater adoption and better security outcomes than are generally achieved by a top-down regulatory approach, which can be ineffective in a world of constantly evolving, borderless cybersecurity threats and risks.
Moreover, we have already seen in the U.S. that when voluntary adoption is paired with market incentives, the rate of adoption rises substantially. Companies are asking their vendors to use the framework, and some insurance companies have begun to use the framework as an underwriting tool. These incentives should provide a basis for enticing full marketplace participation, rather than selected sector-based compliance regimes that create a hodgepodge of protections across sectors. This approach, which began during the Obama Administration, has now been embraced by the Trump Administration in its recent Cybersecurity Executive Order. Assuming we stay on this path, Gartner says that, within three years, over 50 percent of all companies will use the framework.
Many Mexican and Canadian companies also already rely upon NIST’s risk management guidelines as the foundation of their cybersecurity standards. For example, the U.S. Government Accountability Office (GAO) has reported that the North American Electric Reliability Corporation Cyber Security Standards, which are used by a subset of the energy sector, are substantially similar to the NIST risk management guidelines set out in the framework and are used in Canada, the United States, and parts of Mexico. The Investment Industry Regulatory Organization of Canada also relies upon the NIST framework as the basis of its Cybersecurity Best Practices, noting that it provides a “proven process upon which to establish and manage cybersecurity program development.” Public Safety Canada has also endorsed the Cybersecurity Framework.
Implementing a cybersecurity framework across North America allows NAFTA parties to establish a common language and set of definitions that describe cybersecurity risks, actions, practices, and responses, from which all organizations, public and private, small and large, can draw in order to design and apply the risk management framework for their specific circumstances.
The renegotiation of NAFTA presents an opportunity to ensure that cyber risk management encourages digital trade, strengthens the digital economy, and promotes innovation. Incorporating a voluntary approach to managing and reducing cyber risks as part of the NAFTA renegotiation will help NAFTA and the information age mature into the modern era.