Systems of Cyber Resilience: Electricity Initiative

Response to the White House’s Request on Harmonizing Cybersecurity Regulations

WHITE PAPER

OCTOBER 2023

Images: Getty Images

Contents

Executive summary

1 About the Systems of Cyber Resilience: Electricity Initiative

2 The Global Regulations Working Group

3 The White House request for information on cybersecurity regulatory harmonization

3.1 Conflicting international cybersecurity requirements

3.2 Sector to prioritize for regulatory harmonization

3.3 International dialogues on harmonization

3.4 Ongoing international initiatives

3.5 Regulatory reciprocity examples

Conclusion

Contributors

Annex 1: Related publications

Endnotes

Disclaimer

This document is published by the World Economic Forum as a contribution to a project, insight area or interaction. The findings, interpretations and conclusions expressed herein are a result of a collaborative process facilitated and endorsed by the World Economic Forum but whose results do not necessarily represent the views of the World Economic Forum, nor the entirety of its Members, Partners or other stakeholders.

© 2023 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.


Executive summary

On 19 July 2023, the White House Office of the National Cyber Director (ONCD) of the United States (US) issued a request for information (RFI)¹ about harmonizing cybersecurity regulations globally and ensuring regulatory reciprocity between countries.

This RFI is an extension of the goals outlined in the US National Cybersecurity Strategy,² which aims to synchronize not just regulations and guidelines but also the evaluation and inspection processes for regulated entities. It marks progress on one of the 69 initiatives unveiled in July as part of the US National Cybersecurity Strategy Implementation Plan.

In September 2022, the World Economic Forum Systems of Cyber Resilience: Electricity Initiative (SCRE) community³ had identified global regulatory interoperability as one of its key focus areas, and had set up the Global Regulations Working Group to facilitate interoperability of global cyber regulations in the electricity sector.

This working group tackles the challenges of complex, industry and sector agnostic, fragmented, inconsistent, and sometimes conflicting regulations.

These siloed regulations lack and prevent interoperability, resulting in increased costs and inefficiencies as limited resources are diverted to address compliance challenges instead of directly addressing sectorial and organizational cybersecurity posture.

Given SCRE’s unique global vantage and expertise as well as its ongoing work on this topic, the community has come together to produce this white paper to answer questions in the international section (Section 9) of the RFI. This section addresses cybersecurity requirement conflicts, priority sectors and regions, international dialogues, ongoing international initiatives and regulatory reciprocity.

The SCRE community welcomes and supports ONCD’s regulatory harmonization effort. Its recommendations for the ONCD are as follows:

– Continue ONCD’s ongoing efforts to increase global regulatory interoperability, increase security and reduce costs.

– Prioritize security over compliance by adopting a risk-based approach.

– Engage private, public and civil society stakeholders from the earliest stages of the policy and regulatory processes.

– Leverage existing international technical standards established by non-government bodies such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

– Participate in international dialogues and international initiatives on cybersecurity.


1 About the Systems of Cyber Resilience: Electricity Initiative

Since 2018, the World Economic Forum’s Systems of Cyber Resilience: Electricity Initiative (SCRE) has brought together global leaders from more than 60 electricity utilities, energy services companies, regulators and other relevant organizations, to collaborate and develop a clear and coherent global cybersecurity vision for the electricity ecosystem.

SCRE is the only global, electricity-industry specific, multistakeholder public-private partnership where cybersecurity leaders collaborate and improve ecosystem-wide cyber resilience in the electricity sector.

This initiative provides a forum for global electric companies and premier industry partners to take the lead in driving increased maturity and capability to address cyber threats all nations are facing.

Tom Wilson, Senior Vice-President and Chief Information Security Officer, Southern Company, USA


2 The Global Regulations Working Group

Regulatory interoperability is one of the key focus areas of the SCRE and its Global Regulations Working Group.

The working group addresses the complexities of regulatory challenges that span across the electricity sector, characterized by fragmentation, inconsistency and occasional conflicts. These regulatory hurdles hinder the achievement of global interoperability, leading to heightened costs, inefficiencies and missed opportunities as resources are redirected to tackle regulatory issues rather than enhancing sector-specific and organizational cybersecurity postures. The key insights of the working group have been:

1. The evolution of the cyberthreat landscape has led to an increase in cybersecurity regulations globally.

2. Global regulations are fragmented and, in some cases, conflicting, which increases costs and inefficiencies and impacts cybersecurity through the opportunity costs of diverting limited resources.

3. Organizations have had to take hard, risk-based approaches ranging from managing regulatory complexities to exiting certain markets.

4. Regulations need to prioritize security over compliance by adopting a risk-based approach.

The working group has taken the following positions on the key global regulatory themes identified:

1. Compliance and enforcement: Global commitment to prioritize security over compliance.

2. Data protection and privacy: Global commitment to support data protection and privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union (EU).

3. Information sharing: Global commitment to create and use a common information-sharing protocol and taxonomy worldwide, and to support the respective electricity information sharing and analysis centres (ISACs).

4. Incident response and reporting: Global commitment to adopt a common and efficient international incident reporting taxonomy and requirements.

5. Cybersecurity hygiene internal policies and procedures: Global commitment to establish basic cyber hygiene principles specific to the electricity sector.

6. Penetration testing: Global commitment to regular internal penetration testing which includes operational technology (OT) penetration testing.

7. Vulnerability disclosure and management: Global commitment to sectorial disclosure of vulnerability among closed groups of sector-specific, pre-authorized entities.

8. Risk assessment and management: Global commitment to applying risk assessment methodology consistently across both information technology and operational technology environments.

9. Third-party risk management: Global commitment that every organization in the supply chain must consider and be responsible for the cybersecurity of its scope of work.

10. Adoption of existing international standards versus creation of unique, national (or regional) standards: Global commitment to adoption of existing international standards that are mature such as ISO 27001 and IEC 62443.

The working group will further elaborate these positions and is scheduled to publish a “Facilitating Global Interoperability of Cyber Regulation in the Electricity Sector” paper on 15 November 2023.


3 The White House request for information on cybersecurity regulatory harmonization

On 19 July 2023, the White House Office of the National Cyber Director (ONCD) announced a request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity. The RFI builds on the commitments made in the White House National Cybersecurity Strategy to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.”

The RFI advances one of the 69 initiatives that the United States National Cybersecurity Strategy Implementation Plan announced in July.

Given the SCRE’s unique global perspective and proficiency in this field, the community has shared its collective knowledge in this white paper. The aim is to provide precise responses to inquiries in the international section (Section 9) of the RFI stated below:

9. International – Many regulated entities within the United States operate internationally. In a recent report from the President’s National Security Telecommunications Advisory Council (NSTAC), the NSTAC noted that foreign governments have been implementing regulatory regimes with “overlapping, redundant or inconsistent requirements…”

Fact Sheet: Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations – Request for Information on Cyber Regulatory Harmonization

A. Identify specific instances in which US federal cybersecurity requirements conflict with foreign government cybersecurity requirements.

B. Are there specific countries or sectors that should be prioritized in considering harmonizing cybersecurity requirements internationally?

C. Which international dialogues are engaged in work on harmonizing or aligning cybersecurity requirements? Which would be the most promising venues to pursue such alignment?

D. Please identify any ongoing initiatives by international standards organizations, trade groups or non-governmental organizations that are engaged in international cybersecurity standardization activities relevant to regulatory purposes. Describe the nature of those activities. Please identify any examples of regulatory reciprocity within a foreign country.

E. Please identify any examples of regulatory reciprocity between foreign countries or between a foreign country and the United States.


3.1 A. Conflicting international cybersecurity requirements

Identify specific instances in which US federal cybersecurity requirements conflict with foreign government cybersecurity requirements.

Government agencies worldwide that create cybersecurity requirements for industry, including those of the US, frequently adopt distinct approaches to address identical or similar sets of cybersecurity challenges due to the absence of a global consensus. This leads to complex, industry and sector agnostic, fragmented, inconsistent and sometimes conflicting regulations, which lack and prevent mutual interoperability.

The evolution of the cybersecurity threat landscape and regulators’ reflexive response to tighten regulations exacerbates the problem. Organizations are forced to divert limited resources to address regulatory compliance challenges instead of focusing on their cybersecurity posture. In addition to a lack of consensus on cyber requirements, a lack of consensus exists on who or what is in the scope of these regulations (e.g. varying critical infrastructure sector designations, different regulations bringing various systems into scope, etc.).

Today’s digital economy transcends national boundaries, requiring robust and unified international cybersecurity standards to ensure that multinational companies are best equipped to respond to new threats by malicious actors as they arise.

As such, businesses around the world look to standards set by non-government bodies such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for guidance on a broad range of cybersecurity issues and as benchmarks for global best practices. When different regulators use widely recognized international technical standards – such as the ISO/IEC 27000 series of information security controls and the IEC 62443 series of industrial control system controls — to inform their policies, it not only sets a high standard of security for companies to adhere to but also lowers costs and assures interoperability with other regulatory regimes.

Conversely, when different regulators and policy-makers use their own local standards and laws as a reference for establishing cybersecurity requirements, it contributes to the growing fragmentation of the global digital policy landscape, in turn unduly raising compliance costs for multi-jurisdictional companies and diverting resources from sound cyber-risk management activities.

The current siloed approach to cybersecurity regulation has not led to a more secure global digital economy. It is well known from the Prisoner’s Dilemma problem in game theory that stakeholder cooperation on cybersecurity regulations will increase security of the global digital economy. However, the inherent challenge has always been: who will move first? It is imperative to resolve and make progress on this cooperation issue.

Examples of diverging cybersecurity regulations can be found in national cybersecurity labelling programmes such as those of the US, EU and Singapore. As more and more products released in the market require internet connectivity, the surface area of cyber risks to consumers has increased tremendously. To address this concern, several governments have announced plans to develop their own cybersecurity labelling schemes. For example, Singapore’s Cyber Security Agency first launched its Cybersecurity Labelling Scheme (CLS)⁴ in 2020 to set security rating levels that buyers of smart devices could use to make informed choices. In September 2022, the EU proposed its Cyber Resilience Act⁵ to establish common security standards for products with digital elements connected to a device or network in EU member-states. And lastly, in June 2023, the Biden administration announced a new US Cyber Trust Mark⁶ programme to be led by the Federal Communications Commission with very similar elements to the Singaporean and European models.

These three cyber labelling initiatives share the common goal of providing assurance to consumers that the products they purchase are equipped with adequate safeguards to protect them from cyber harms, but they have different scopes and specific requirements. Recognizing sectoral and jurisdictional nuances in the threat landscape, the most sensible approach in developing these national cybersecurity labels is to base them in international consensus-based technical standards so as to ensure maximum interoperability.

The SCRE community welcomes and supports the regulatory harmonization effort by the ONCD and recommends that they continue their efforts towards global regulatory harmonization to increase interoperability, enhance security and reduce costs.


3.2 B. Sector to prioritize for regulatory harmonization

Are there specific countries or sectors that should be prioritized in considering harmonizing cybersecurity requirements internationally?

Sector: Electricity

Cybersecurity has become increasingly important in the electricity sector. Several converging trends contribute to an escalating risk environment: digitized, networked devices now permeate energy infrastructure; attacks on infrastructure have escalated; the energy transition is shifting the sector away from the historic business models that regulations take for granted; an internet of things (IoT) composed of networked consumer and industrial devices bridges physical and digital realms; and artificial intelligence (AI) offers new and powerful capabilities to defenders as well as attackers.

Electrical infrastructure is critical infrastructure. Without reliable electricity generation, transmission and distribution, other parts of the economy cannot function.

The SCRE community highlights the electricity sector as a sector to prioritize for achieving interoperability of cybersecurity requirements internationally.

Digitization has made electrical infrastructure more efficient while lowering its carbon intensity. Renewable energy technologies cannot function without digital management to smoothen variable inputs. Many future technologies, business models and elements of public infrastructure rely on digitized equipment, including electric vehicles, distributed generation and smart cities.

At the same time, networked, digital equipment is relatively new. Cybersecurity practices across the industry are not uniformly mature. The interconnected nature of the US electric grid means that the consequences of a successful cyberattack on one part of the grid could propagate across the entire physical infrastructure.

Attacks against the electricity sector continue to escalate. Federal agencies have repeatedly identified persistent, sophisticated threats that have penetrated electricity sector organizations, sometimes without those organizations becoming aware that they have been compromised. Some of these attacks have been attributed to groups with nation-state backing. In August 2023, the International Energy Agency reported that cyberattacks on utilities had more than doubled from 2020 to 2022.⁷ Surveys of cybersecurity professionals likewise show increased concern about cyberattacks targeting industrial control systems – such as those operating the electricity infrastructure in countries including the US.⁸

Government agencies that create cybersecurity requirements for industry in the US and elsewhere have not kept pace with changes in the energy sector. For example, federal regulations in the US electricity sector focus on bulk distribution. This was appropriate in an era when large, centralized generation was the dominant business model. As renewable energy grows, these assumptions must be revisited. Likewise, differing cybersecurity reporting requirements apply to US natural gas infrastructure and US electricity infrastructure — yet these systems are intrinsically linked, with natural gas providing the single largest source of energy to the electricity sector.

Further change is already under way in the electricity sector. AI offers new capabilities that will be appealing to attackers and essential to defenders. AI enables cybersecurity monitoring that can detect and respond to attacks with machine-like speeds, but it remains unclear how regulatory regimes will embrace or constrain AI in infrastructure. Generative AI is likely to be abused by attackers seeking to craft more effective attacks — potentially producing more believable phishing attacks, bypassing malware signature detection or lowering the skill required to translate malicious intent into action.

The EU has by far been the most active in proposing and advancing legislation and regulations for emerging technologies and, as such, has become a de-facto standard setter for digital policy, as illustrated by the widespread adoption of data protection laws modelled after the GDPR. The US should use every avenue of dialogue and cooperation to encourage and support the EU to align its policies more closely to widely recognized technical standards based on international consensus (while also ensuring that US domestic policies are grounded in international consensus-based technical standards).

For example, the newly proposed Cyber Resilience Act of the EU made no reference to international standards. On the contrary, the EU mandated the European standards organizations to develop European harmonized standards to demonstrate compliance with the Cyber Resilience Act. This regionalization of cybersecurity standards defies the consensus on the need for international standards and intensifies the burden on global companies by forcing them to conform to multiple assessments in different markets. In response, the US should work through bilateral and multilateral fora to encourage European alignment with international standards to safeguard the global competitiveness of industries and protect the attractiveness of the European market.

The US, EU and other jurisdictions can work towards mutual recognition of cybersecurity requirements. Nuances in different jurisdictions understandably create different priorities for policy-makers to manage and legislate. Nevertheless, local nuance need not render two sets of cybersecurity requirements incompatible. Cybersecurity standards should be interoperable across jurisdictions, with a baseline level of trust. As the internet knows no borders, jurisdiction-specific cybersecurity standards without cross-border interoperability and mutual recognition are counterintuitive and counterproductive.

3.3 C. International dialogues on harmonization

Which international dialogues are engaged in work on harmonizing or aligning cybersecurity requirements? Which would be the most promising venues to pursue such alignment?

The SCRE community encourages policy-makers and regulators to participate in international dialogues on cybersecurity to improve the cross-border interoperability of regulations, which can enhance security and lower costs.

The EU-US Cyber Dialogue⁹

The EU-US Cyber Dialogue is an encouraging forum, but it is unclear how effective or successful it has been. Between 2014 and 2022, the EU and the US have held eight cyber dialogues to address and coordinate on cybersecurity issues, foster international collaboration and mutual understanding, and make cybersecurity practices more consistent across the two jurisdictions. The maturity of this dialogue makes it a promising venue for promoting greater alignment on cybersecurity policy, though its current track record doesn’t show much visible progress. Both jurisdictions should take advantage of this platform to find common ground to reach their cybersecurity objectives and base their respective policy agendas on international standards such as the ISO/IEC 27000 and IEC 62443 series.

US-Japan Cyber Dialogue¹⁰

On 1 May 2023, Tokyo played host to the 8th Japan-US Cyber Dialogue, a significant event aimed at aligning international cyber policies and strengthening cybersecurity measures between the two countries. Various ministries and agencies took part, focusing on extensive discussions on bilateral operational cybersecurity cooperation, domestic cyber policies, and Japan-US cooperation on cyber issues, including those of regional and international significance. The platform enabled the exchange of information on cyberthreats and deliberations on cyber defence and security collaboration. It played a pivotal role in deepening bilateral cooperation.

The two sides agreed to amplify domestic cybersecurity measures through a comprehensive whole-of-government approach, underlining the criticality of Japan-US collaboration in combating cyberthreats.

France-United Kingdom Cyber Dialogue¹¹

France and the United Kingdom held their fourth cyber dialogue in Paris on 11 May 2023. Both countries reiterated their commitment to collaborate in the field of cyberspace to promote security and stability in an inclusive, non-fragmented and secure cyberspace. They discussed their analysis of the threat and shared the latest developments in their respective cybersecurity policies. The two countries also talked about their priorities for ongoing discussions in various multilateral fora and discussed the implementation of a joint initiative to address the threat from commercial cyber proliferation. Additionally, they discussed the strengthening of bilateral coordination in response to cyberthreats.


3.4 D. Ongoing international initiatives

Please identify any ongoing initiatives by international standards organizations, trade groups or non-governmental organizations that are engaged in international cybersecurity standardization activities relevant to regulatory purposes. Describe the nature of those activities. Please identify any examples of regulatory reciprocity within a foreign country.

often include protocols and frameworks that enhance cybersecurity measures, such as encryption, authentication and network security. Regulatory bodies and organizations often refer to IETF standards when formulating cybersecurity regulations, as they are widely recognized and trusted in the industry. IETF also collaborates with other organizations and stakeholders to address cybersecurity challenges and develop solutions to ensure a secure and resilient internet infrastructure.

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)

The ISO and IEC are the world’s leading standard-setting bodies. While the ISO oversees standards development across a wide variety of industries, the IEC specializes in standardizing sectors related to electrical, electronic and related technologies. Each has a well-established track record for defining industry norms and benchmarks that are used by companies around the world.

The ISO/IEC 27000 serie

Connectivity Standards Alliance (CSA)¹⁷
