Could Cybersecurity Cooperation Be the Low Hanging Fruit of EU-U.S. Trade Talks?
Both the U.S. and the EU face an ever-evolving cybersecurity threat landscape, and the upcoming trade discussions are a unique opportunity for both blocs to develop a shared understanding on how to address this common challenge. While there may be several challenges on specific chapters, it is in the interest of both the EU and the U.S. to set the global standard on cybersecurity and seek alignment on voluntary, risk-based cybersecurity standards and best practices.
Despite significant hurdles ahead, U.S. and EU officials are set to begin bilateral talks this week to lay the groundwork for negotiations on a transatlantic trade deal. The prospect of a trade deal was first discussed last summer, with both U.S. and European Commission Presidents agreeing on a path forward. The EU approved trade negotiating mandates in April, and with the U.S. having released its own negotiating priorities in January, the parties are now free to enter into formal talks.
The two sides have still not reached a meeting of the minds on what exactly is on the negotiating table. The U.S. wants to pursue an all-encompassing free trade agreement, with the inclusion of an agriculture chapter. The EU has refused to include agriculture issues in the agenda, and the negotiating mandate for current talks declared that directives for the previous wide-ranging Transatlantic Trade and Investment Partnership (TTIP) were obsolete. The threat of new tariffs on autos, as well as the existing steel and aluminum tariffs under Section 232 of the Trade Expansion Act, further complicates the proposed talks and casts a shadow over them.
But we should not ignore the many areas where the U.S. and the EU could see eye-to-eye and develop common ground during these trade discussions. One such area is cybersecurity. In fact, both parties have already signaled a strong interest in reaching an agreement on developing cybersecurity risk management principles as a part of the ongoing trade discussions. Protecting digital trade through policy means ensuring data and digitally-enabled goods and services that consumers and businesses rely on are technologically secured.
Per the Executive Working Group’s interim report published in January, the EU (DG CNECT) and the U.S. (NIST) agreed to intensify cooperation as part of talks on regulatory cooperation. The EU also noted that “globally relevant standards, including where applicable standards and technical specifications developed by US-domiciled standards development organisations, may be taken into consideration in the future development of standards and voluntary certification schemes in the EU.”
This can be achieved by supporting risk-based cybersecurity frameworks, such as the standards developed by the National Institute of Standards and Technology (NIST). The NIST framework is “based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” Per NIST, “[i]n addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”
The U.S.-Mexico-Canada Agreement also has strong cybersecurity provisions which could be replicated here. Article 19.15 states:
Given the evolving nature of cybersecurity threats, the Parties recognize that risk-based approaches may be more effective than prescriptive regulation in addressing those threats. Accordingly, each Party shall endeavor to employ, and encourage enterprises within its jurisdiction to use, risk-based approaches that rely on consensus-based standards and risk management best practices to identify and protect against cybersecurity risks and to detect, respond to, and recover from cybersecurity events.
Bringing global cybersecurity regulations into alignment would have a number of benefits for securing global trade. First, it would increase the ability of firms to respond en masse and provide a more cohesive approach to securing services and infrastructure across the global Internet. Second, a ‘risk management’ approach that relies on consensus-based standards and best practices, rather than a compliance approach, better equips firms to identify and protect against risks and to detect, respond to, and recover from cyber incidents in a more agile and efficient way. Third, risk-based voluntary approaches are more effective than prescriptive regulations because they reduce the risk of mandatory standards or detailed compliance rules.
Both the U.S. and the EU face an ever-evolving cybersecurity threat landscape, and the upcoming trade discussions are a unique opportunity for both blocs to develop a shared understanding on how to address this common challenge.