**This op-ed first appeared in Morning Consult on October 3, 2017.**
Imagine you live in the Civil War-era United States and the railroad is your primary means of long-distance transportation. In those days, the railway gauge (the distance between the rails on the track) varied widely. There wasn’t just one accepted standard – there were nine, used irregularly throughout the country. As a result, the engineer would constantly have to stop the train and reset the wheels any time the train encountered a different gauge. With gauges changing at nearly every state border, traveling from New York to Chicago would have taken you as long as three weeks.
Who would have thought that, a century and a half later, the Internet would face the same challenge as a 19th-century railroad?
Around the world, nations are adopting country-specific cybersecurity standards that function just as the proliferation of track gauges did in the 1800s, even though international standards already exist. With country-specific standards, technology products often must be modified each time they enter into a new market, and network services like cloud computing must contend with an ever more complex cacophony of compliance obligations.
In the last few years, concerns have grown as China has aggressively pursued new cybersecurity legislation requiring that products be certified against local security standards that often differ substantially from recognized international standards. Even more concerning, several other countries have begun to follow China’s lead, developing similar local approaches to cybersecurity. The launch of the European Union’s new Cybersecurity Strategy, which proposes an EU-wide cybersecurity certification framework, suggests the risk of yet another regionally specific approach, and we must act to avoid that outcome.
Unlike in the 1800s, today we enjoy the conveniences of safe, rapid, and reliable modern transportation because the international community worked over many years to harmonize technical standards and policy frameworks, enabling regional and international interoperability. The same is needed in the information technology arena, particularly when it comes to cybersecurity. Threats to the security of our Internet ecosystem know no territorial boundaries, and we must work collaboratively across borders to confront them.
As we celebrate National Cyber Security Awareness Month, BSA | The Software Alliance has released a new cybersecurity policy agenda, entitled “Security in the Connected Age,” which offers a roadmap to confront key security challenges and avoid the risk of global technological balkanization that competing regional regulations and standards will bring. High among the priorities set forth by this agenda is a focus on harmonizing country-specific cybersecurity regimes around international standards, norms, and policy frameworks to enable technologies to function efficiently and securely around the world.
Skeptics have questioned whether global solutions can meet specific national needs. Yet, international cybersecurity standards are developed through inclusive, objective, transparent processes that enable stakeholders to address wide-ranging security concerns. These standards enable security professionals to establish common security requirements, organizational structures, and performance metrics, enabling collaboration to confront shared threats. Moreover, by supporting economies of scale, international standardization improves efficiency and lowers development costs for technology products, enabling innovation and investment in the next generation of security technologies.
Simply put, our global Internet ecosystem is stronger when we work together to defend it. If countries and regions pursue country-specific standards, we will engender a series of constrained local responses to a truly global – and growing – threat. We will cede the advantage to attackers that can exploit vulnerabilities arising when product development is driven by compliance with myriad national standards instead of a search for best practices proven to be effective on a global basis.
As countries around the world move in the opposite direction, we should all be concerned. The software industry is central to American economic competitiveness and an engine of global trade; we cannot afford to see the international regulatory environment bog down technological innovation with infinite labyrinths of competing regulations and standards. And one critical element of the solution is the leadership of the US government in advancing international standardization and harmonization in bilateral and multilateral trade agreements, from security agreements to trade treaties.
A disjointed and fragmented approach to cybersecurity is not the answer. We cannot afford a retreat to the inefficiency and risk of the Civil War-era railroad industry; instead, we must invest in developing and sustaining an international approach built on cross-border collaboration and common standards. US government leadership is critical to this effort.