Thursday 29 March 2018

How Does the United States’ Approach to Security Compare to the Rest of the World?


- Alan Jamieson, BOHH VP of Business Development


Continual data breaches and the constant collection of personal information fuel debate on whether privacy is dead in the digital age. Regardless of who is winning this debate, privacy, security and trust—all increasingly at risk—are vital and must be interlinked in our data-driven society.

With the global focus on preventing cybersecurity threats and attacks, companies are investing in new strategies and even new roles, such as Chief Privacy Officer. CEOs and their boards say they are investing in cybersecurity to build trust with customers concerning the usage and storage of data, but is that enough? As we have seen after many breaches, consumers will vote for responsible innovation and data use with their wallets. In fact, we have seen a significant number of Fortune 500 companies lose significant earnings and customer retention because they have not adequately protected customer data as they embrace the digital times.

As security becomes more critical to the existence and growth of companies, some parts of the world are better prepared than others to combat these complex cyberattacks. Where does the US fit in?

The Global Cybersecurity Index (GCI) is a survey that measures the commitment of 193 Member States to cybersecurity in order to raise awareness. In the Global Cybersecurity Index 2017, the United States was ranked 2nd globally; first and third places were taken by Singapore and Malaysia respectively. Europe’s best country was Estonia, ranked 5th globally.

  • Singapore ranks number one because it started its cybersecurity strategy in 2005, so it has greater knowledge and experience than most other mature countries. Singapore’s Internet Content Providers (ICPs) and Internet Access Service Providers (IASPs) are licensable under the Broadcasting Act, and they are required to comply with the Internet Code of Practice to protect children online. Since 2012, all service providers have been legally obligated to offer filtering services with Internet subscriptions and to make this known to consumers when they subscribe or renew. The Info-communications Media Development Authority also symbolically blocks 100 pornographic, extremist or hate websites.
  • Malaysia is second in Asia and third globally. Its Government is a strong advocate of cybersecurity, with a focus on businesses and Government alike. Malaysia created the Information Security Certification Body (ISCB), a department of Cybersecurity Malaysia, which manages information security certification.

Leaders in the United States and European Union have recognized that the interconnected nature of information and communications systems and the global nature of the threats demand international cooperation. Legislation that is driving change and commonality of strategy between the US and European Union (EU) is:

  • In the United States, the centerpiece is the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework), issued in 2014 and now undergoing revision, coupled with state data breach notification laws and regulation of data security practices by various federal and state laws and agencies.
  • At the European Union level, legislation that takes effect in 2018: the Network Information Security Directive (NIS Directive) and the General Data Protection Regulation (GDPR), effective May 25, 2018.

While there are certain differences between the US and EU legal processes, their approaches to cybersecurity are aligned in essential ways.

Cybersecurity is an ecosystem where laws, organizations, skills, cooperation and technical implementation need to be in harmony to be most effective. Cybersecurity is not just a concern of the Federal or Central Governments; it also needs commitment from the private sector and consumers, which we are starting to see in the tumultuous cybersecurity climate. As such, it is critical to develop a cybersecurity culture where citizens are aware of the trade-off between risks and monitoring of personal data when using electronic networks for research, data storage and/or acquisition.

While the US was ranked 2nd in 2017 for commitment to cybersecurity, as the cyber threat grows, so must the government’s capabilities to put forth strategies to keep its citizens and their information.

Up until now, cybersecurity protection efforts have largely fallen on private sector institutions, but many government officials and security experts believe not enough is being done and more standard regulations are needed. Already we are seeing more states bring forth their own data breach notification laws, privacy laws, and even cloud regulations, but only time will tell if and when these get passed and what impact they might have. As the number of security breaches and threats continues to rise, it is time we start to take a closer look at the standards we are using and re-evaluate what tools are needed to keep information protected from. Cyber hacks have become more complex and it is time we figure out how to flip the switch on them as well.

