Sophisticated cyber intrusions — whether they’re ransomware attacks that shutter hospitals or theft of a multinational corporation’s data — make for headline-grabbing news. But as we have seen with the current COVID-19 crisis, neither pandemics nor cyberattacks respect international borders. No single country, no matter how powerful, can defeat these threats alone. What’s needed is effective preparation, threat mitigation, and prompt responses.
Since both cyber attackers and their victims can be anywhere in the world, it makes little sense to build up one nation’s capabilities while letting others languish. What is required — much like in the case of real-world viruses — is international cooperation and global capacity building to prepare for and mitigate the next cyberattack.
International cybersecurity capacity building involves making sure all countries have the institutional capabilities, relationships, and know-how to meet cybersecurity challenges in partnership with the private sector in their country. It also includes the exchange of best practices between countries so that they can upgrade existing cybersecurity capabilities.
Last week, the U.S. Chamber of Commerce brought together foreign governments and industry for a virtual discussion about our newest online tool — the International Cyber Law Project. This tool profiles the cybersecurity laws and capacity in select countries.
As part of the project, we set out to identify and compare baseline cybersecurity preparedness across countries, looking for commonalities and differences compared to the U.S. approach. Ultimately, this could help determine where the U.S. could be helpful to other countries and where we could learn from others.
Several important observations came from the discussion:
- Countries set different approaches with respect to how cybersecurity requirements are implemented and enforced: Some used voluntary standards, while others implemented mandatory measures.
- A risk-management approach — involving the assessment of vulnerabilities and threats and calibrating management activities — is an international best practice.
- The ways in which countries designate critical infrastructure sectors varies widely.
- More emphasis should be placed on sharing information about threats internationally.
- Countries vary in the transparency and clarity of their cybersecurity legal and regulatory frameworks.
- Not all countries have one main point of contact to coordinate private sector cybersecurity.
The bottom line is that turning cybersecurity capacity building into actionable policy requires a comprehensive approach that aligns resources and capabilities for use by government, industry, and nongovernment organizations.
As a result of ongoing international discussions, the following should be considered as key cybersecurity capacity building initiatives for any country:
- Assigning an executive branch entity to issue, and periodically update, a national cyber strategy that brings together all government and private sector partners to enhance cyber risk management and national resilience.
- Identifying and strengthening a competent national authority for cybersecurity while clearly defining responsibilities for military, law enforcement, and various agencies.
- Assigning some authority as the primary private sector contact for cybersecurity.
- Creating a national computer emergency response team (CERT) or computer security incident response team (CSIRT). These should serve as a trusted clearinghouse of incident information and as a point of contact for foreign partners.
- Consistently identifying critical infrastructure and essential functions that are important to maintain national and economic security, public health, and safety.
- Establishing legal frameworks for vital stakeholder activities like protected cyber threat information, intelligence collections, and analysis of critical infrastructure threats.
These flexible, cooperative steps will allow government, law enforcement, and the private sector to engage in a constructive dialogue and information sharing at the international level so that we can enhance cybersecurity for everyone.
After all, the global cyber threat is global and the solution must be too.