Cybersecurity Minimum Standards Needed to Keep North America Secure
North American governments should come together to create a trilateral strategy to assess and address threats in a holistic risk-based approach to cybersecurity that includes a minimum set of standards, said three experts yesterday.
As much as the pandemic has accelerated the rate at which governments have taken on new risks, it has left “some vulnerability windows open,” said Manuel Balcazar, consultant at MB Consultores, who presented this trilateral cyberthreat assessment idea during Monday’s Center for Strategic & International Studies event, Establishing a Cybersecure North America.
All three panelists agreed that a mandatory reporting requirement needs to be implemented across the continent, or at least minimum standards set, particularly for critical infrastructure sectors like electricity or transportation.
The USMCA was signed as a revamped North American trade treaty that became effective in July 2020. Despite the agreement including cybersecurity commitments within Article 19.15 of its digital trade provision, all three panelists agreed on the need for setting standards focused on cybersecurity to set the bar for a whole-of-continent approach.
“The issue here is that I see some asymmetrical treatment for cybersecurity” across all three countries, Balcazar added. Cyberattacks have been increasing and becoming more sophisticated. What has not kept pace, however, is the number of incident reports relative to the number of uncovered incidents, Balcazar said, pointing out that some companies in Mexico might be afraid to tarnish their prestige by admitting a breach. This lack of reporting is not exclusive to Mexico.
“We all know there is tremendous, tremendous underreporting when it comes to cyber incidents from the private sector,” said Vincent Rigby, former national security and intelligence adviser to Canadian Prime Minister Justin Trudeau. “It’s not just that they inform us late, sometimes they don’t inform us at all.”
But what happens, Balcazar asked, when these attacks escalate to a terrorist attack on the continent’s critical infrastructure like the power grids?
The cybersecurity provision in the USMCA does emphasize a voluntary risk-based approach which is “dead on,” said Suzanne Spaulding, senior adviser for the Department of Homeland Security. However, she added, this approach needs to “rely on consensus-based standards and risk management best practices…to identify, protect, detect, respond and recover” from cyberattacks.
Setting these standards and mandatory requirements has been gaining traction in the market, Spaulding said, “It’s always been best to rely on market forces and voluntary approaches.”
The trilateral strategy should look into operationalizing the 19.15 provisions, Rigby said. Right now the infrastructure most vulnerable to a cyberattack would be the power grid, which is intrinsically linked between Canada and the U.S.
“A hit on one country is going to have a tremendous impact on the other,” he said, pointing out both countries have been looking at energy sector initiatives for cybersecurity cooperation beyond their current security and resilience strategies.
The U.S. and Mexican power grids also overlap at some points. But the strategy cannot focus on siloed sectors, as there are many critical infrastructures, and it will come down to information-sharing best practices between the countries, with extensive collaboration from the private sector.
This is why the trilateral strategy needs to begin with a threat assessment all three nations agree on in scope and importance, followed by a minimum standard of a national approach and then a regional one, while simultaneously implementing information sharing best practices.
“Cyber knows no borders,” Spaulding said, and it’s not “really about protecting computers, or even its networks, but about protecting the functions that they enable.”