Cybersecurity threats defy national borders, so countries should collaborate, not clam up
Victoria A. Espinel says the trend among countries in Asia and elsewhere to withdraw from global collaboration on cybersecurity in favour of indigenous standards opens them up to greater risk
As governments seek to craft cybersecurity policies, there is a growing risk of fragmentation. Encouraging policies that are effective, coherent and internationally aligned demands focused international dialogue and consensus in support of a robust global system. While industry can contribute best practices and advocate for international collaboration, it is up to governments to lead in pressing for regional and global cybersecurity policies that are strong, effective, and internationally operable.
In recent years, some governments have tended to adopt cybersecurity policies that move them out of alignment with the international community, in some cases in the misguided belief that they can improve cybersecurity by segregating their nations from the broader digital ecosystem. This fragmentation take three forms.
First, we see a retreat from internationally recognised technical standards. Countries that adopt indigenous standards force product developers to alter products or product configurations to comply with the country’s guidance.
Such alterations can generate additional risk because they cannot be vetted as broadly as products built for global use. These products may not benefit from the insights of the global security research community, which may ignore products focused on niche markets. Indigenous standards can also stifle innovation and drive developers out of these distorted markets altogether.
Moreover, data localisation drives up data storage costs, leaving fewer resources for security controls.
Third, we are witnessing the expansion of domestic sourcing requirements. Some countries have rigid requirements limiting IT procurement to domestic sources for government agencies and critical infrastructure operators.
These requirements are based on the assumption that, by preventing foreign competition, they can protect domestic champions and develop an indigenous technology industry, which will help defend the country against the perceived cybersecurity risks of foreign products. However, even in the most advanced nations, indigenous technologies represent only a subset of global innovation.
Today’s internet ecosystem is inherently transnational; it is built with technologies and code from sources around the world, and one in which malicious actors operate without respect to national borders. Strong cybersecurity depends on embracing this transnational character: taking advantage of globally distributed cloud-based security architectures, adopting cutting-edge technologies produced around the world, fostering cross-border law enforcement cooperation to disrupt malicious cyber actors and encouraging global research collaboration to identity vulnerabilities and develop new security approaches.
Industry efforts to encourage collaboration and consistency must be matched by governments around the world. This requires buttressing the international system through internationally recognised standards and best practices, the free flow of information, international law enforcement cooperation, and commitment to international norms for nation-state activities in cyberspace.
As cybersecurity threats grow more sophisticated, the risks of insufficient, poorly calibrated or inappropriately nationalistic cyber policy approaches are growing. A global effort built upon common policy approaches and a shared commitment to security can enable governments and citizens to take full advantage of the opportunities the digital ecosystem creates.
Building on Apec’s efforts, Asian governments are well positioned to lead the way.
Victoria A. Espinel is president and CEO of BSA The Software Alliance. Previously, she was an adviser to former president Barack Obama on intellectual property and a chief trade negotiator under former president George W. Bush