Regulatory Implications of the New USG Strategy for Engagement in International Cybersecurity Standardization, by Jeff Weiss
On December 21, 2015, the National Institute of Standards and Technology (NIST) transmitted to Congress a strategy for U.S. Government engagement in international standardization for cybersecurity. Development of such a strategy was required by the Cybersecurity Enhancement Act of 2014, which tasked NIST to work with relevant federal agencies to ensure interagency coordination in “the development of international technical standards related to information system security” and to “ensure consultation with appropriate private sector stakeholders.” NIST worked with the interagency to develop the strategy and accompanying supplemental through the International Cybersecurity Standards Working Group, a body established by the National Security Council’s Cybersecurity Interagency Policy Committee and chaired by the U.S. Department of Commerce and NIST.
The report articulates four U.S. government strategic objectives for the development and use of international cybersecurity standards:
– enhancing national and economic security and public safety;
– ensuring standards and assessment tools for the U.S. government are technically sound;
– facilitating international trade; and
– promoting innovation and competitiveness.
It also sets out eight recommendations for how the federal government can achieve these objectives, including ensuring coordination across the USG, improving collaboration with the private sector and international partners, and promoting federal agency participation in international standards development and the use of international standards and assessment schemes.
One of the most noteworthy aspects of the strategy is that the United States did not develop a new, top-down, government-controlled paradigm for standards with respect to an area as critical to economic and national security as cybersecurity. Rather, it decided to apply the existing USG approach to standardization. That approach is predicated on federal agencies’ using standards developed by private sector standards developing organizations (SDOs), instead of developing government-specific approaches to problems that are likely not unique to federal agencies.
In his blog post announcing the release of the strategy, Special Assistant to the President and Cybersecurity Coordinator Michael Daniel remarked:
This non-governmental approach yields standards of better technical rigor and industry uptake, helps support innovation, and enables the rapid adaptation and evolution of standards.
When used to support cybersecurity standards, this development structure helps improve the effectiveness of those standards in promoting security and resiliency of critical information and communications infrastructure internationally. The process also builds trust among those creating and those using the solutions throughout the world. These standards include cybersecurity measures that are necessary to protect everyday applications such as online commerce, smart electricity meters, networked medical devices, and online banking. Simply put, we believe that a consensus-based, private sector-driven international standards development process, with input from all interested stakeholders, is superior to a top-down, national government-controlled approach to standards. We are committed to advocating for the adoption of a global approach to standards development around the world… The strategy is … fully consistent with the standards-related provisions of the National Technology Transfer and Advancement Act, as well as OMB Circular A-119, which sets out Federal standards policy.
The analysis underlying the strategy demonstrates that a private sector-driven approach to standards is particularly suited to cybersecurity, and the digital economy in general, and that the federal government cannot address cybersecurity issues on its own. The scope of cybersecurity standards development activity around the globe is enormous, with work being undertaken in multiple domains (e.g., supply chain risk management, cryptographic techniques, software assurance, network security) and in dozens of venues (e.g., 3GPP, The Open Group, ISO/IEC JTC1, IEEE, IETF). The vast scope of work is indicative of the increasing pace of technological change and need for private sector technical expertise and agility in navigating the challenges and opportunities of the digital economy. Efforts by governments to try to dictate the content of these standards and funnel all of the work into a handful of venues would undermine standards quality, decrease the pace of standards development, and create unnecessary national differences in approach, raising costs for suppliers without improving cybersecurity and resiliency.
Ensuring the availability of timely and robust international cybersecurity standards also supports non-regulatory solutions to cybersecurity issues – in particular, the standards-based Framework for Improving Critical Infrastructure Cybersecurity developed by NIST to improve the security and resiliency of critical infrastructure. But in situations where a federal agency believes that regulation is warranted and cybersecurity standards are needed, the strategy sets out the following hierarchy:
– As a first best option, agencies should use relevant international cybersecurity standards, where effective and appropriate, including in their regulatory activities.
– Where international cybersecurity standards do not exist or existing standards are not relevant, effective, or appropriate to fulfill an agency’s objectives, agencies should seek to work with private sector partners in SDOs to develop suitable international cybersecurity standards, and then use them in their mission and policymaking activities, including rulemaking.
– If an agency still believes that developing a U.S.-specific approach is necessary, it should develop that approach in an open and transparent manner – including through notice and comment, in the case of rulemaking – and then seek to promote adoption of that approach into international cybersecurity standards, where appropriate to do so.
This hierarchy reinforces the importance of federal agency participation in the development of international standards, which is also emphasized in the strategy, as well as in OMB Circular A-119. The strategy strongly encourages U.S. agency officials to attend technical committee meetings and actively participate in the standards development process. Participation can take many forms — including making technical contributions to standards and assessment schemes for cybersecurity and chairing technical committees where U.S. stakeholders believe doing so could be helpful. Where agency officials are not participating in the development of international cybersecurity standards, it decreases the probability that the resulting standards will meet agency needs, which increases the probability that agencies will need to develop USG-specific approaches.
Increasing coordination among federal agencies with respect to USG engagement in standards development is also called for in the strategy, and should have positive ramifications for agency rulemakings with cybersecurity components. Among other things, it should:
– improve the content and consistency of agency technical contributions to international cybersecurity standards;
– increase the likelihood that U.S. agencies adopt the same standards, which would reduce the cumulative costs of compliance for suppliers with respect to rulemakings that incorporate international cybersecurity standards by reference; and
– help NIST in carrying out its responsibilities under the Cybersecurity Enhancement Act to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes…”
Lastly, USG coordination with international partners should increase the likelihood that foreign regulators will use the same standards that U.S. regulators do, which will reduce costs for firms that need to comply with rules in multiple jurisdictions.
In his blog, Daniel also noted that the Working Group will work with the private sector to implement the strategy in 2016. The strategy itself stresses the importance of leveraging public-private sector collaboration in standards development for cybersecurity. In 2016, we plan to reach out to stakeholders for ideas, including on how to: improve coordination with the private sector and international partners, maintain USG awareness of relevant developments in the international cybersecurity standards ecosystem, set priorities for federal engagement in the development of international cybersecurity standards, and use standards as a tool to help prevent cybersecurity-related regulatory conflict and duplication in the United States.
Jeff Weiss is Senior Advisor for Standards and Global Regulatory Policy to U.S. Secretary of Commerce Penny Pritzker. He is also co-chair of the International Trade and Customs Committee of the ABA’s Section of Administrative Law and Regulatory Practice and chair of the International Cybersecurity Standards Working Group, and formerly served as the Associate Administrator of OIRA.