Cybersecurity threats defy national borders, so countries should collaborate, not clam up
Victoria A. Espinel says the trend among countries in Asia and elsewhere to withdraw from global collaboration on cybersecurity in favour of indigenous standards opens them up to greater risk
Governments in Asia confront an increasingly complex array of cybersecurity threats, which have the potential to drain millions of dollars from their economies, disrupt infrastructures critical to essential services and even put lives at risk. The ability of governments to effectively confront these threats depends on smart policies, strong institutions and robust collaboration across the international community.
As governments seek to craft cybersecurity policies, there is a growing risk of fragmentation. Encouraging policies that are effective, coherent and internationally aligned demands focused international dialogue and consensus in support of a robust global system. While industry can contribute best practices and advocate for international collaboration, it is up to governments to lead in pressing for regional and global cybersecurity policies that are strong, effective, and internationally operable.
In recent years, some governments have tended to adopt cybersecurity policies that move them out of alignment with the international community, in some cases in the misguided belief that they can improve cybersecurity by segregating their nations from the broader digital ecosystem. This fragmentation take three forms.
First, we see a retreat from internationally recognised technical standards. Countries that adopt indigenous standards force product developers to alter products or product configurations to comply with the country’s guidance.
Such alterations can generate additional risk because they cannot be vetted as broadly as products built for global use. These products may not benefit from the insights of the global security research community, which may ignore products focused on niche markets. Indigenous standards can also stifle innovation and drive developers out of these distorted markets altogether.
China has become a leading generator of indigenous standards, propagating dozens of new cybersecurity standards that overlap or conflict with existing internationally recognised standards and often refusing to comply with the latter. Vietnam and Indonesia have also turned to such standards at times. The European Union is considering legislation that could favour the development of indigenous standards.
Second, there is an uptick in data localisation requirements. While some countries have required that certain highly sensitive data in specific sectors be stored within their national boundaries, we have also seen a rise in forced, broadly applicable data localisation requirements justified on the basis of cybersecurity.
Yet, forced localisation laws can actually undermine cybersecurity. They compel multinational companies to establish country-specific data centres that may be segregated from global systems, risking weaker capabilities for managing security. This precludes some of the benefits of modern information technologies, such as cloud computing services, that depend on cross-border data transfers. These benefits include redundant storage to mitigate threats to physical infrastructure, around-the-clock network monitoring and cloud-based security tools powered by analytics of large data sets.
Moreover, data localisation drives up data storage costs, leaving fewer resources for security controls.
Some countries maintain localisation requirements narrowly targeting information of only a few sensitive types, such as data related to national security. More problematic are broad-based localisation requirements that affect basic business functions, put in place by China, Indonesia, Kazakhstan, Malaysia, Russia, South Korea and Vietnam.
Third, we are witnessing the expansion of domestic sourcing requirements. Some countries have rigid requirements limiting IT procurement to domestic sources for government agencies and critical infrastructure operators.
These requirements are based on the assumption that, by preventing foreign competition, they can protect domestic champions and develop an indigenous technology industry, which will help defend the country against the perceived cybersecurity risks of foreign products. However, even in the most advanced nations, indigenous technologies represent only a subset of global innovation.
India is currently considering domestic sourcing requirements, while China, Indonesia and Vietnam have already enacted them. Preventing foreign competition in government procurements denies government agencies access to world-class products and services. Such policies also deprive domestic technology firms of opportunities to collaborate with global leaders.
Today’s internet ecosystem is inherently transnational; it is built with technologies and code from sources around the world, and one in which malicious actors operate without respect to national borders. Strong cybersecurity depends on embracing this transnational character: taking advantage of globally distributed cloud-based security architectures, adopting cutting-edge technologies produced around the world, fostering cross-border law enforcement cooperation to disrupt malicious cyber actors and encouraging global research collaboration to identity vulnerabilities and develop new security approaches.
Asia has embraced such an approach in the Asia-Pacific Economic Cooperation cross-border privacy regulations and its emerging cybersecurity framework.
Industry efforts to encourage collaboration and consistency must be matched by governments around the world. This requires buttressing the international system through internationally recognised standards and best practices, the free flow of information, international law enforcement cooperation, and commitment to international norms for nation-state activities in cyberspace.
As cybersecurity threats grow more sophisticated, the risks of insufficient, poorly calibrated or inappropriately nationalistic cyber policy approaches are growing. A global effort built upon common policy approaches and a shared commitment to security can enable governments and citizens to take full advantage of the opportunities the digital ecosystem creates.
Building on Apec’s efforts, Asian governments are well positioned to lead the way.
Victoria A. Espinel is president and CEO of BSA The Software Alliance. Previously, she was an adviser to former president Barack Obama on intellectual property and a chief trade negotiator under former president George W. Bush