Eriks Selga is a Visiting Researcher at the Latvian Institute of Foreign Affairs.
Abigail LaBreck is a former intern in CEPA’s Transatlantic Leadership Program.
Although the U.S. and Europe vow to cooperate on cybersecurity, the two sides’ divergent approaches to data protection threaten to undermine these ambitions.
Europe, which often struggles to set common continent-wide rules, employs a single, centralized privacy regulation. The U.S., in contrast, takes a fragmented approach. Europe takes a tough line, applying the sweeping General Data Protection Regulation (GDPR) to all personal data. The U.S. prefers to judge harm case by case.
A fundamental philosophical gulf explains these differences. Europe focuses on protecting personal data and ensuring that individuals retain control over it. Privacy and data protection are enshrined in the EU Charter of Fundamental Rights, and the EU is adopting a comprehensive European Data Strategy.
The U.S. prefers a laissez-faire approach. Data privacy legislation remains limited to the state level (witness California’s privacy law) or to individual industries. The U.S. Federal Data Strategy sets a foundation for how federal agencies collect and use data, without centralizing data across agencies.
Both Europe and the U.S. do at least agree on the urgency of the cybersecurity challenge. Recent incidents, including the SolarWinds supply-chain compromise, the Colonial Pipeline ransomware attack, and the NotPetya wiper, highlight a common transatlantic vulnerability in critical infrastructure and the software it depends on. Ubiquitous IoT devices and smart infrastructure widen the attack surface further.
In response, Europe and the U.S. have established cybersecurity agencies. The EU has the European Union Agency for Cybersecurity (ENISA, originally the European Network and Information Security Agency). The U.S. has the Cybersecurity and Infrastructure Security Agency (CISA). Both agencies urge governments and businesses to deploy what European law calls “state of the art” security and U.S. guidance calls “industry best practices.”
Beyond these basic similarities in encouraging cybersecurity, the two sides disagree on key points. Europe’s NIS Directive imposes binding security and reporting obligations on operators of essential services and digital service providers. The U.S. NIST Cybersecurity Framework limits itself to voluntary guidance.
Certification represents another dividing line. Under the EU Cybersecurity Act, ENISA prepares EU-wide schemes for certifying the security of ICT products, services, and processes. The U.S. has not acted on certification, and some U.S. tech companies argue that certification monitoring could itself be dangerous, exposing systems to attack.
Perhaps the most crucial divergence concerns incident reporting. When a company discovers a hack, when should it be required to report it to regulators and customers? If it goes public before the facts are clear, it risks spreading incomplete or even false information and sparking unneeded panic. Report too late, though, and the untreated danger could spread to other victims.
The two sides’ divergent privacy policies produce a dangerous split in how they handle this dilemma. Europe imposes a high, centralized standard for reporting data breaches, with a single set of rules for all companies. Under the GDPR, a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach, and must inform the affected individuals without undue delay whenever the breach is likely to put them at high risk.
The U.S., as with privacy protections, is less stringent. Under many state laws, companies are not required to notify consumers until, after a “reasonable” investigation, they determine that the breach is likely to cause customers actual harm.
Despite these varying priorities and policies, the U.S. and EU can work together. The Trade and Technology Council (TTC), which held its inaugural meeting in Pittsburgh on September 29, 2021, offers an opportunity. It includes a working group on cybersecurity.
The two sides should begin by agreeing on common standards for incident reporting. In May 2021, President Joseph Biden issued an Executive Order on improving the nation’s cybersecurity, which modernizes federal defenses and, among other measures, requires federal IT service providers to share information about cyber incidents with the government. It opens the door to a more harmonized U.S. approach to fighting cyberattacks. The European Commission’s new Joint Cyber Unit could prove an effective partner for transatlantic standard setting.
Europe and the U.S. should be able to agree on a common trigger for reporting breaches. Companies should not be allowed to wait and decide for themselves when the danger warrants reporting. They should be required to report, at least confidentially, to regulators as soon as an attack is recognized, with public disclosure to customers following once the facts are established.
Common rules on cyber breach reporting are a concrete example of how the U.S. and Europe can and should cooperate on a key digital challenge, rather than just fight over it. Americans and Europeans will never put the same value on privacy. But they can put the same value on fighting dangerous cyberattacks.