Cybersecurity Minimum Standards Needed to Keep North America Secure

North American governments should come together to create a trilateral strategy to assess and address threats in a holistic risk-based approach to cybersecurity that includes a minimum set of standards, said three experts yesterday.

As much as the pandemic has accelerated the rate in which governments have taken on new risks, it has left “some vulnerability windows open,” said Manuel Balcazar, consultant at MB Consultores, who presented this trilateral cyberthreat assessment idea during Monday’s Center for Strategic & International Studies event, Establishing a Cybersecure North America.

All three panelists agreed that a mandatory reporting requirement needs to be implemented across the continent, or at least minimum standards set, particularly for critical infrastructure sectors like electricity or transportation. 

The USMCA was signed as a revamped North American trade treaty that became effective in July 2020. Despite the agreement including cybersecurity commitments within Article 19.15 of its digital trade provision, all three panelists agreed on the need for setting standards focused on cybersecurity to set the bar for a whole-of-continent approach. 

“The issue here is that I see some asymmetrical treatment for cybersecurity” across all three countries, Balcazar added. Cyberattacks have been increasing and becoming more sophisticated. What has not matched, however, is the number of incident reports in comparison to the number of uncovered incidents, Balcazar said, pointing out that some companies in Mexico might be afraid to tarnish their prestige by admitting a breach. A lack of reporting that is not exclusive to Mexico. 

“We all know there is tremendous, tremendous underreporting when it comes to cyber incidents from the private sector,” said Vincent Rigby, former national security and intelligence adviser to Canadian Prime Minister Justin Trudeau. “It’s not just that they inform us late, sometimes they don’t inform us at all.”

But what happens, Balcazar asked, when these attacks escalate to a terrorist attack on the continent’s critical infrastructure like the power grids?

The cybersecurity provision in the USMCA does emphasize a voluntary risk-based approach which is “dead on,” said Suzanne Spaulding, senior adviser for the Department of Homeland Security. However, she added, this approach needs to “rely on consensus-based standards and risk management best practices…to identify, protect, detect, respond and recover” from cyberattacks. 

Setting these standards and mandatory requirements has been gaining traction in the market, Spaulding said,“It’s always been best to rely on market forces and voluntary approaches.” 

The trilateral strategy should look into operationalizing the 19.15 provisions, Rigby said. Right now the infrastructure most vulnerable to a cyberattack would be the power grid, which is intrinsically linked between Canada and the U.S. 

“A hit on one country is going to have a tremendous impact on the other,” he said, pointing out both countries have been looking at energy sector initiatives for cybersecurity cooperation beyond their current security and resilience strategies. 

The U.S. and Mexican power grids also overlap at some points. But the strategy cannot focus on siloed sectors, as there are a lot of critical infrastructures and it will come down to information sharing best practices between the countries with extensive collaboration from the private sector. 

This is why the trilateral strategy needs to begin with a threat assessment all three nations agree on in scope and importance, followed by a minimum standard of a national approach and then a regional one, while simultaneously implementing information sharing best practices. 

“Cyber knows no borders,” Spaulding said, and it’s not “really about protecting computers, or even its networks, but about protecting the functions that they enable.”