Guest Blogger: Jan Neutze, Director of Cybersecurity Policy, Europe/Middle East/Africa (EMEA), Microsoft
Around the world, governments are pursuing initiatives to protect their cyberspace, developing national cybersecurity strategies, considering information sharing incentives, and assessing baseline security protections. Two important initiatives with the potential to be impactful far beyond national borders have been unveiled in the European Union (EU) and the United States over the past two years. First, the U.S. government encouraged businesses to adhere to a set of technical and organizational recommendations in its voluntary Cybersecurity Framework. Now, the EU is discussing the Network and Information Security (NIS) Directive, legislation that envisions mandatory cybersecurity requirements, the scope and detail of which will be critical to its effectiveness.
From industry’s perspective, creating products or services that must meet hundreds of varying national requirements is not only unworkable and unnecessary but also likely to decrease overall global security. Instead, governments should work together to ensure that their efforts are harmonized, taking advantage of lessons learned elsewhere to ensure the greatest possible impact.
Last week, the EU’s NIS Platform, a multi-stakeholder platform first announced in the EU’s 2013 Cybersecurity Strategy, hosted a workshop with U.S. National Institute of Standards and Technology (NIST) officials who helped to craft the Cybersecurity Framework mentioned above.
Both the NIS Platform and the NIST Cybersecurity Framework seek to advance best practices for how businesses can manage cyber risks. The former aims to draw upon best practices in the fields of risk management and information sharing, and its outputs will ultimately guide Member States’ implementation of the NIS Directive. The latter focuses on industry in the critical infrastructure sector in particular. While both the NIS Platform and NIST efforts are good individual beginnings, a more harmonized approach going forward is needed. Developing common cybersecurity risk management baselines that can be utilized by organizations operating on both sides of the Atlantic can be difficult, especially in an environment in which policies have typically ended at national borders. But pursuing a harmonized, complementary approach would allow for greater collaboration, ongoing exchange of best practices, and an increased understanding of the threat landscape.
In this context, the NIST Cybersecurity Framework in particular helps meet the difficult challenge of developing such common approaches to cybersecurity risk management, and it offers opportunities for further international collaboration because it is rooted in widely recognized international standards and practices. We therefore welcome further and enhanced dialogue between EU and U.S. stakeholders, in the context of both the EU NIS Platform and other relevant initiatives, and encourage other governments to consider the value of adhering to international standards and best practices.
Effective cybersecurity risk management also requires industry to do its part, including by sharing cybersecurity best practices and lessons learned. In this regard, Microsoft has been an industry leader in making available our framework for secure software development, specifically our Secure Development Lifecycle, which in recent years has been adopted by many organizations in the ICT industry.
Going forward, we hope to see even stronger collaboration in the context of international public-private cybersecurity partnerships. Europe and the United States have a lot to learn from and share with each other in this space, and we believe that more effective collaboration and greater harmonization will positively reverberate far beyond the two largest economic trade areas.