A Modern Approach to Cybersecurity & Privacy in the U.S.-Mexico-Canada Agreement
As was noted in a companion blog by my colleague Jen Sanford, the new U.S.-Mexico-Canada Agreement (USMCA) covers a wide range of trade issues between these nations. We are particularly excited for the provisions around cybersecurity which address what our customers and the industry have been saying for a while: that regulatory and compliance-driven security doesn’t work. Along those lines, the Digital Trade Chapter of USMCA calls for risk-based cybersecurity mechanisms over prescriptive regulations. While not mentioning the document by name, the USMCA actually calls out the five core functions in the NIST Framework—identify, protect, detect, respond, recover.
This result demonstrates that all three governments share a common vision and commitment to effective cyber-risk management. Our three nations are connected in many ways, physically via our roads, railways, and energy distribution systems. Those critical systems, in turn, increasingly leverage information technology, underscoring the importance of developing a harmonized approach to cybersecurity. Therefore, a coordinated approach to cyber risk management—using a common set of tools—makes tremendous sense.
The inclusion of these new digital trade provisions will also facilitate the development of a unified market for cybersecurity products and services. Developers of these technologies can be confident that they will be able to sell into all three countries. Buyers of these technologies will in turn have greater certainty about how to map their capabilities to a commonly used approach to cyber risk management.
USMCA also establishes a series of important protections against non-tariff trade barriers around digital services. These include: 1) ensuring that data can flow freely within the trade bloc; 2) restricting the use of data storage or processing localization requirements; 3) advancing the development of interoperable data protection mechanisms—specifically referencing the APEC Cross Border Privacy Rules under which Cisco is certified; and 4) limiting government demands for source code for technology as a precondition for sale.
Cisco looks forward to working with the three governments to turn the USMCA’s commitments around cybersecurity, privacy, and more into action once it is implemented.