ITIF - Europe's Cloud Security Regime Should Focus on Technology, Not Nationality (English) - March 2023 (PDF)
- Document ID: 18632331
- Upload date: 2023-08-23
- Format: PDF
- Pages: 21
- Size: 1.07MB
itif.org

Europe's Cloud Security Regime Should Focus on Technology, Not Nationality

NIGEL CORY | MARCH 2023

The EU's new cloud cybersecurity regime should focus on good security practices, as the U.S. FedRAMP regime does. Emulating China's protectionist focus on firm nationality is a bad security practice that weakens transatlantic influence over cybersecurity issues globally.

KEY TAKEAWAYS

- Like China, some European Union (EU) countries want to misuse cloud cybersecurity rules for the protectionist purpose of replacing leading U.S. cloud firms such as AWS and Google with local champions.
- The proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) follows China's approach of making local firm ownership and control the defining factors in ascertaining whether a cloud service provider can be trusted.
- The EUCS differs from the U.S. Federal Risk and Authorization Management Program (FedRAMP) in several respects: it focuses on firm ownership, uses closed and politicized technical standards, and assesses services for the private sector, not just government.
- Protectionist proponents of the EUCS (namely France) want it all: local cloud firms, not American ones, but with all the cybersecurity assistance they can get from the U.S. government and the same U.S. cloud firms they want to exclude from their markets.
- A protectionist EUCS would undermine transatlantic digital trade by making the new Transatlantic Data Privacy Framework irrelevant, since U.S. firms would be precluded from managing a considerable amount of EU data, never mind transferring it overseas.
- The EU and its member states should remove the protectionist restrictions from the EUCS, focus on the actual technicalities of cybersecurity, and work with the United States on global cybersecurity issues through the EU-U.S. Trade and Technology Council.

INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | MARCH 2022 PAGE 2

CONTENTS

- Key Takeaways 1
- Introduction 3
- Stopping Data Flows and Cloud Market Access Undermines European, Transatlantic, and Global Cybersecurity 5
- Explaining the U.S. FedRAMP System for Cloud Cybersecurity 6
- How America's FedRAMP Differs From Europe's "Sovereignty"-Based Approach to Cybersecurity 8
- FedRAMP Is Open to Firms From Around the World 8
- FedRAMP Focuses on Cybersecurity Practices, Not Firm Structure and Ownership 8
- Data Localization Is a Misguided but Thankfully Minor Part of FedRAMP, Yet It Is Central to SecNumCloud and the EUCS Proposal 9
- FedRAMP Is Only Used by Federal Government Agencies and Does Not Impact U.S. Critical Infrastructure or the Broader Commercial Cloud Market 9
- NIST Cybersecurity Standards Are Open, Transparent, and Technically Focused; ENISA and EUCS Processes and Standards Are Not 10
- Recommendations 11
- Use Standards "Crosswalks" to Build Transatlantic Cybersecurity Cooperation 12
- Negotiate a Transatlantic Agreement on Law Enforcement Access to Data 13
- Allow the Mutual Recognition of U.S./EU Cybersecurity Certification and Auditing Programs 14
- Conclusion 14
- Endnotes 15

INTRODUCTION

Like China, some European Union (EU) countries want to misuse cloud cybersecurity rules to replace leading U.S. cloud firms such as AWS, Google, and Microsoft with local ones; in other words, to enact digital protectionism.[1] The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is the vehicle by which the EU wants to sneak this protectionist scheme into operation. At first glance, the EUCS is similar to what the U.S. Federal Risk and Authorization Management Program (FedRAMP) does for the U.S. federal government: it provides a harmonized approach to cloud cybersecurity certifications, both to ensure a better overall level of protection and to reduce the cost and complexity for firms and government agencies contracting cloud services. However, unlike FedRAMP, the EUCS follows China's approach in making local firm ownership and control, rather than the use of best-in-class cybersecurity practices, the defining factors in ascertaining whether a cloud service provider can be deemed "trusted" and allowed to operate in the local market.

This would have a major impact on transatlantic digital trade. By excluding U.S. cloud firms, the EUCS would make the new Transatlantic Data Privacy Framework (TDPF) irrelevant, as U.S. firms would be precluded from managing a considerable amount of data in the EU, never mind transferring it overseas while abiding by the EU's General Data Protection Regulation (GDPR). The EU and its member states should remove these protectionist restrictions, focus on the actual technicalities of cybersecurity, and work with the United States on global cybersecurity issues at the EU-U.S. Trade and Technology Council (TTC). If they do not, the Biden administration should retaliate.

Perhaps not surprisingly, France is leading the push to use the EUCS for digital protectionism. This follows French efforts to replace American tech firms with local ones in search engines, online short-term housing rentals, and cloud services.[2] The EUCS is based on sovereignty requirements included in France's national "SecNumCloud" cybersecurity regime, which incorporates foreign ownership and management restrictions, forced local data storage requirements for personal and nonpersonal data, and local staff requirements. Two earlier reports from the Information Technology and Innovation Foundation (ITIF) analyze these provisions, explaining how they breach French and EU trade law commitments under the World Trade Organization's (WTO's) Government Procurement Agreement and the General Agreement on Trade in Services.[3] In forcing foreign firms to set up minority-owned joint ventures to be deemed "trusted," the EUCS proposal unfortunately copies China's approach.[4]

U.S. FedRAMP differs from the EUCS in three key ways: FedRAMP focuses on cybersecurity technicalities, not firm ownership; FedRAMP is only used by the federal government, while the EUCS may be used more broadly in the economy; and FedRAMP is based on open and transparent standards, while the EUCS is not.

Ultimately, France wants it all and has the gall to push for it: it wants local cloud firms, not American ones, plus all the cybersecurity assistance it can get from the U.S. government and those same U.S. cloud firms. French policymakers use the hypothetical risk that U.S. law enforcement agencies have extraterritorial access to data under U.S. law (namely, the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act) to target U.S. cloud firms.[5] Even Guillaume Poupard, the outgoing director of France's cybersecurity agency, admitted that a 100 percent French sovereign cloud is unrealistic.[6] After years of leading the attack against U.S. cloud providers, Poupard recently told the French Senate that French customers will need to continue to rely on partnerships with U.S. providers.[7] Yet this won't stop France's ongoing effort to attack U.S. tech firms. However, it should hopefully give pause to other EU policymakers about the cybersecurity, trade, and economic risks of blindly following France's lead.

In contrast, European policymakers should follow America's FedRAMP lead in implementing the EUCS. FedRAMP differs from SecNumCloud and EUCS sovereignty requirements in three key ways. First, FedRAMP focuses on the technicalities of cloud cybersecurity and not the ownership of a firm; many foreign firms are certified under FedRAMP. Second, FedRAMP only applies to the cloud services used by U.S. federal government agencies, not the broader market.[8] SecNumCloud and the EUCS could potentially apply to a broad part of the EU economy. Third, the U.S. National Institute of Standards and Technology (NIST) sets the technical cybersecurity standards used by FedRAMP in an open and transparent manner, unlike the closed and politicized approach taken by the European Union Agency for Cybersecurity (ENISA) in developing the standards for the EUCS. Some European officials have justified EUCS sovereignty requirements in part because they mistakenly think they are like provisions in FedRAMP, which is false.

This briefing details these differences and provides ideas for a constructive transatlantic agenda on cybersecurity. It explains what FedRAMP is and, most importantly, isn't in comparison with SecNumCloud, and why it is critically important that Europe remove the restrictive and misguided sovereignty requirements in the EUCS proposal. The report then outlines a constructive agenda for transatlantic cooperation on cybersecurity. A summary of the recommendations:

- France, Germany, Italy, and the other EU member states should remove the sovereignty provisions in their SecNumCloud-inspired proposal for the EUCS (and in France's own SecNumCloud). The United States should ramp up engagement with Germany and the European Commission at TTC to ensure this happens.
- If Europe fails to remove these restrictions, the United States should reevaluate cybersecurity cooperation and information sharing with the EU and its member states and develop and initiate retaliatory measures.
- The EU and United States should use TTC to improve cybersecurity cooperation via standards "crosswalks" to identify commonalities, differences, and potential future work to ensure compatibility in the development and use of cybersecurity standards in their respective systems.
- The United States and EU should provide high-level attention and support to newly restarted efforts on an e-evidence/CLOUD Act agreement, just as they did with the forthcoming TDPF.
- The United States and EU should work toward the mutual recognition of U.S./EU cybersecurity certification and auditing programs.

STOPPING DATA FLOWS AND CLOUD MARKET ACCESS UNDERMINES EUROPEAN, TRANSATLANTIC, AND GLOBAL CYBERSECURITY

Cybersecurity constitutes a growing part of foreign, trade, and national security policy. However, if leading U.S. cloud providers are not "trusted" in Europe, they can't share information and take coordinated action as part of the public-private collaboration needed to combat global cybersec