Last February, both the United States and the European Union announced major cybersecurity policy initiatives. In the U.S., the Executive Order on Improving Critical Infrastructure Cybersecurity put forward an industry-driven approach to developing a Cybersecurity Framework, and emphasized the role of incentives to encourage use of the Framework. In the EU, the European Commission proposed a draft Network and Information and Security (NIS) Directive that suggested a broader scope and a more regulatory approach than that in the Executive Order, including the mandatory disclosure of cybersecurity incidents. One year later, I wanted to offer observations about these initiatives, as both have advanced on their respective tracks.
With regard to the U.S. Executive Order, my hope was that implementation would follow the principles that I noted in my initial post about this topic: active collaboration and coordination with infrastructure owners and operators; a risk-based approach for enhancing cybersecurity; and the sharing of timely and actionable information to support risk management efforts. We’ve observed a real commitment to those principles in the development of the Cybersecurity Framework, which was released Wednesday by the U.S. National Institute of Standards and Technology (NIST).
NIST was proactive and drove a carefully structured process to engage a diverse group of stakeholders across the U.S. and internationally. NIST solicited public comment to help develop the Framework, receiving input from hundreds of stakeholders, and conducted regional workshops to engage stakeholders across the nation. The resulting Framework is based on sound risk management practices and should foster the exchange of technical information on cyber risks. For our part, Microsoft contributed to the NIST process and Framework by providing comments in response to NIST’s initial request for information and the request for comments on Preliminary Framework, and by participating in the regional workshops hosted by NIST. Additionally, we hosted an event at our Policy and Innovation Center in Washington, D.C. that brought together security and privacy professionals, helping to raise awareness about the Framework within the privacy community and fostering their engagement.
In the EU, deliberations about the NIS Directive are ongoing, and we are encouraged by the direction of several amendments accepted in the most recent draft. For example, by more narrowly defining critical infrastructure providers, the European Parliament has focused the Directive on what is truly critical to protect national security and public safety. It is also important to highlight progress on cybersecurity at the EU Member State level over the past year. Nearly half of the EU governments have committed to strengthening their cybersecurity efforts through a variety of initiatives, including work on national cybersecurity strategies; building cybersecurity capacity; and greater cooperation between countries, such as that occurring among the Benelux countries.
Looking ahead, cybersecurity efforts in the U.S. and EU face two key challenges. First, governments must strive to harmonize approaches to cybersecurity to enable economic advancement nationally, across the Atlantic and around the world. There are a number of forums where the governments, private sector stakeholders and civil society can come together to help harmonize approaches. Second, governments must continue to leverage industry experience and expertise as policy initiatives evolve and mature. In my post last year, I noted that government and industry must collaborate to manage the most significant risks to our most critical infrastructures. This statement remains true now, and it is ever-more urgent. We are encouraged by progress over the past year, and look forward to continued partnership with government and industry peers in the year ahead.