Europe’s Cloud Security Regime Should Focus on Technology, Not Nationality

Europe’sCloudSecurityRegimeShouldFocusonTechnology,NotNationality NIGELCORY|MARCH2023 TheEU’snewcloudcybersecurityregimeshouldfocusongoodsecuritypractices,astheU.S.FedRAMPregimedoes.EmulatingChina’sprotectionistfocusonfirmnationalityisabadsecuritypracticethatweakenstransatlanticinfluenceovercybersecurityissuesglobally. KEYTAKEAWAYS LikeChina,someEuropeanUnion(EU)countrieswanttomisusecloudcybersecurityrulesfortheprotectionistpurposeofreplacingleadingU.S.cloudfirmssuchasAWSandGooglewithlocalchampions. TheproposedEuropeanCybersecurityCertificationSchemeforCloudServices(EUCS)followsChina’sapproachofmakinglocalfirmownershipandcontrolthedefiningfactorsinascertainingwhetheracloudserviceprovidercanbetrusted. TheEUCSdiffersfromtheU.S.FederalRiskandAuthorizationManagementProgram(FedRAMP)inseveralrespects:Itfocusesonfirmownership,usesclosedandpoliticizedtechnicalstandards,andassessesservicesfortheprivatesector,notjustgovernment. ProtectionistproponentsoftheEUCS(namelyFrance)wantitall:localcloudfirms,notAmericanones,butwithallthecybersecurityassistancetheycangetfromtheU.S.governmentandthesameU.S.cloudfirmstheywanttoexcludefromtheirmarkets. AprotectionistEUCSwouldunderminetransatlanticdigitaltradebymakingthenewTransatlanticDataPrivacyFrameworkirrelevant,sinceU.S.firmswouldbeprecludedfrommanagingaconsiderableamountofEUdata,nevermindtransferringitoverseas. TheEUanditsmemberstatesshouldremovetheprotectionistrestrictionsfromtheEUCS,focusontheactualtechnicalitiesofcybersecurity,andworkwiththeUnitedStatesonglobalcybersecurityissuesthroughtheEU-U.S.TradeandTechnologyCouncil. CONTENTS KeyTakeaways1 Introduction3 StoppingDataFlowsandCloudMarketAccessUnderminesEuropean,Transatlantic,and GlobalCybersecurity5 ExplainingtheU.S.FedRAMPSystemforCloudCybersecurity6 HowAmerica’sFedRAMPDiffersFromEurope’s“Sovereignty”-BasedApproachto Cybersecurity8 FedRAMPIsOpentoFirmsFromAroundtheWorld8 FedRAMPFocusesonCybersecurityPractices,NotFirmStructureandOwnership8 DataLocalizationIsaMisguidedbutThankfullyMinorPartofFedRAMP,YetItIs CentraltoSecNumCloudandtheEUCSProposal9 FedRAMPIsOnlyUsedbyFederalGovernmentAgenciesandDoesNotImpactU.S. CriticalInfrastructureortheBroaderCommercialCloudMarket9 NISTCybersecurityStandardsAreOpen,Transparent,andTechnicallyFocused— ENISAandEUCSProcessesandStandardsAreNot10 Recommendations11 UseStandards“Crosswalks”toBuildTransatlanticCybersecurityCooperation12 NegotiateaTransatlanticAgreementonLawEnforcementAccesstoData13 AllowtheMutualRecognitionofU.S./EUCybersecurityCertificationandAuditingPrograms14 Conclusion14 Endnotes15 INTRODUCTION LikeChina,someEuropeanUnion(EU)countrieswanttomisusecloudcybersecurityrulestoreplaceleadingU.S.cloudfirmssuchasAWS,Google,andMicrosoftwithlocalones—inotherwords,enactingdigitalprotectionism.1TheEuropeanCybersecurityCertificationSchemeforCloudServices’(EUCS)isthevehiclebywhichtheEUwantstosneakthisprotectionistschemeintooperation.Atfirstglance,theEUCSissimilartowhattheU.S.FederalRiskandAuthorizationManagementProgram(FedRAMP)doesfortheU.S.federalgovernment:providesaharmonizedapproachtocloudcybersecuritycertificationstobothensureabetteroveralllevelofprotectionandreducethecostandcomplexityforfirmsandgovernmentagenciescontractingcloudservices.However,unlikeFedRAMP,theEUCSfollowsChina’sapproachinmakinglocalfirmownershipandcontrol—ratherthantheuseofbest-in-classcybersecuritypractices—thedefiningfactorsinascertainingwhetheracloudserviceprovidercanbedeemed“trusted”andallowedtooperateinthelocalmarket.Thiswouldhaveamajorimpactontransatlanticdigitaltrade.ByexcludingU.S.cloudfirms,theEUCSwouldmakethenewTransatlanticDataPrivacyFramework(TDPF)irrelevant,asU.S.firmswouldbeprecludedfrommanagingaconsiderableamountofdataintheEU,nevermindtransferitoverseas—whileabidingwiththeEU’sGeneralDataProtectionRegulation(GDPR).TheEUanditsmemberstatesshouldremovetheseprotectionistrestrictions,focusontheactualtechnicalitiesofcybersecurity,andworkwiththeUnitedStatesonglobalcybersecurityissuesattheEU-U.S.TradeandTechnologyCouncil(TTC).Iftheydonot,theBidenadministrationshouldretaliate. Perhapsnotsurprisingly,FranceisleadingthepushtousetheEUCSfordigitalprotectionism.ThisfollowsFrencheffortstoreplaceAmericantechfirmswithlocalonesinsearchengines,onlineshort-termhousingrentals,andcloudservices.2TheEUCSisbasedonsovereigntyrequirementsincludedinFrance’snational“SecNumCloud”cybersecurityregime,whichincorporatesforeignownershipandmanagementrestrictions,forcedlocaldatastoragerequirementsforpersonalandnonpersonaldata,andlocalstaffrequirements.TwoearlierreportsfromtheInformationTechnologyandInnovationFoundation(ITIF)analyzetheseprovisions,explaininghowtheybreachFrenchandEUtradelawcommitmentsundertheWorldTradeOrganization’s(WTO’s)GovernmentProcurementAgreementandtheGeneralAgreementonTradeinServices.3Inforcingforeignfirmstosetupminority-ownedjointventurestobedeemed“trusted,”theEUCSproposalunfortunatelycopiesChina’sapproach.4 U.S.FedRAMPdiffersfromtheEUCSinthreekeyways:FedRAMPfocusesoncybersecuritytechnicalities,notfirmownership;