North American Governments Must Cooperate on Cybersecurity Responses, Commerce Official Says
U.S. cybersecurity policies depend on strong partnerships with Canada and Mexico, said Deputy Assistant Secretary of Commerce Bruce Andrews and industry executives Monday. President Barack Obama, Canadian Prime Minister Justin Trudeau and Mexican President Enrique Peña Nieto agreed in June to engage on cross-border cybersecurity practices, including on incident responses that affect the three main North American nations. Andrews said during a New America event the goal is to “start a dialogue between our three governments and our business communities on our cybersecurity threats, practices and priorities.”
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“Cybersecurity threats know no borders,” Andrews said. “Hackers, hostile governments and criminal rings are constantly changing their tactics and looking for ways to inflict new harms.” Canada, Mexico and the U.S. must continue to work together to confront “one of the greatest security challenges of our time,” he said. “We must also look beyond our own borders to strengthen our cybersecurity. In today’s digital economy, international cooperation belongs online as well as offline. We must work together to overcome the unique threats of the digital age.” Andrews highlighted the National Institute of Standards and Technology-facilitated Cybersecurity Framework as an “important resource to make progress trilaterally.”
Cyber incident response center officials from the three North American nations said their information sharing role is to aid entities affected by cyberattacks, not to engage in surveillance via information sharing. The Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT) observes information sharing protocols “that have been set up to ensure that not only is that information anonymized," said acting Director Brad Nix, "but you actually have control over what can and can’t be shared in terms of that particular piece of malicious malware."
US-CERT’s work is “all built around a circle of trust” and the center emphasizes anonymity as a result, Nix said. The White House has delineated roles of DHS and law enforcement agencies, with DHS acting as the “firefighter … meaning we’re going to walk into a burning house and do everything we can to put that fire out,” Nix said: “We’re not necessarily at that point interested in the investigation” but will cooperate with the FBI afterward.
Public Safety Canada’s CDN Cyber Incident Response Centre (C-CIRC) is a “civilian agency,” said Director Adam Hatfield: “We will go back to our federal partners” after receiving a tip about malicious software “and in the community we work in, almost never will somebody actually say as the first question ‘well who told you that?’ because it doesn’t matter who told us that.” C-CIRC will almost never “proactively share the name of a contact without them being OK with it because it’s not about the contact,” Hatfield said. “It’s about the malicious software, it’s about the incident, it’s about where else could it be seen.” C-CIRC will attempt to facilitate a voluntary meeting between a reporting entity and law enforcement, Hatfield said.
Mexico’s Centro Especializado en Respuesta Tecnologica de Mexico is part of the Mexican Federal Police, but has “rules of engagement” in which it will begin by only providing advice to an affected entity but may choose to open a formal investigation for more severe incidents, said Inspector Arturo Gomez Garcia.
Don't conflate cybersecurity information sharing with surveillance “because they’re actually two distinct issues,” said AT&T Assistant Vice President Chris Boyer. “When I think of information sharing, most of what we do is we’re monitoring the network … for attacks on ourselves.” It’s “important that we draw the distinction” because AT&T’s data flows make it difficult to monitor individual consumers’ data, he said. “What we can do is monitor attacks on our big enterprise customers.”