President Barack Obama on 12 February issued an executive order on cybersecurity that calls for voluntary sharing of information on cyberattacks between business and government.
This followed the failure in November of the US Senate to approve administration-backed cybersecurity legislation, amid fierce opposition from businesses complaining about over-regulation.
The abandoned legislation would have increased information-sharing between intelligence agencies and private companies, with some privacy protections. It also would have set voluntary standards for businesses that control electric grids, water treatment plants and other essential facilities.
On 27 February, White House cybersecurity coordinator Michael Daniel told reporters at the RSA security conference in San Francisco that the White House would re-submit the cybersecurity bill to Congress.
White House not giving up
Daniel acknowledged that the attempt might prove fruitless, however, saying: “I don't want to leave anybody with an impression that we underestimate the challenges.”
Proposals will be brought forward in the next two months, Daniel said, but he also admitted that – if any new attempt failed in Congress – Obama would seek stronger executive measures.
The executive order directs federal authorities to improve information-sharing on cyber-threats – including some that may be classified – with companies that provide or support critical infrastructure, but the approach to reporting obligations in the private sector is overwhelmingly voluntary.
Whatever path the US goes down now looks set to be considerably more voluntary and flexible than proposed European legislation.
EU rules set to be tighter, more compulsory
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking, and healthcare services.
Key internet companies including payment services, social networks, search engines, cloud services, apps providers, e-commerce platforms, video sharing platforms and voice-over-Internet providers were also earmarked by the EU strategy.
This raises the likelihood that Brussels and Washington will implement differing levels of cybersecurity vigilance, threatening to create inconsistencies for companies whose operations span both jurisdictions, and posing problems for the high-profile attempt to broker a free trade deal between the two blocs.
Problems for trade deal and companies
Marietje Schaake, a Dutch liberal MEP and rapporteur for the first Digital Freedom Strategy in EU foreign policy, said: “It is also in the best interest of our citizens if companies are required to comply with the same high quality standards on both sides of the Atlantic, especially because many online services that EU-citizens use are incorporated in the US.”
“The EU and the US should join hands to ensure that security and freedom will not become a zero sum game. The challenge for both the EU and the US will be to ensure sufficient democratic oversight over cybersecurity measures,” Schaake added.
“Personally I think it is not realistic to divide the world once again into European firms who shall carry higher security standards than firms from other parts of the world. Why?” a senior executive with an internet-based company spanning both sides of the Atlantic asked EurActiv on condition of anonymity.
“Many leading companies are located outside the EU already and this pattern will not change quickly and definitely not because of a new European legislation,” the internet executive added.