The role of technical standards has received increased attention from global policymakers to address challenges for the rapid development of information and communications technologies (ICT). The recent Executive Order on Improving the Nation’s Cybersecurity is leveraging technical standards and best practices as the basis for developing guidance to secure the software supply chain in the United States. Similarly, the Internet of Things (IoT) Cybersecurity Improvement Act, introduced in the 116th Congress by U.S. Senators Mark Warner and Cory Gardner, is an example of how to use vulnerability disclosure standards in legislation. In Europe, the new regulatory proposal for AI also considers technical standards as key for developing conformity assessments and certification schemes. In China, the draft Personal Information Protection Law also calls for developing more privacy standards. Standards for cybersecurity, AI, and data protection are just a few of the areas where multiple stakeholders have come together to develop solutions for the benefit of governments, industry, and consumers.
ITI and the InterNational Committee for Information Technology Standards (INCITS) recently launched an initiative “Standards as a Tool for Achieving Public Policy and Regulatory Goals (SPUR)” and developed a list of commonly used international standards for cybersecurity, privacy, AI, IoT and biometrics. The primary goals of the initiative are to facilitate policymakers’ visibility into international standards development, enable the use international standards to inform and shape legislation, and make U.S. developers of international standards more aware of US policymakers’ interests and concerns. The SPUR resource is readily available to be referenced since the technical experts have already done the work in the form of standards, so policymakers don’t have to start from scratch with legislation to protect cybersecurity, privacy, and AI.
Why international standards?
It is particularly important for the tech sector to leverage the use of international standards because digital products and services have no borders. To facilitate interoperability and promote digital trade, policymakers should prioritize using international standards (e.g. ISO/IEC/IETF), instead of adopting country-unique standards, which continue to pose barriers to markets such as China, South Korea, and India. ITI encourages governments to adopt international standards developed in industry-led, consensus-based standards development organizations (SDOs) that are open to global participation. Additionally, referencing international standards in legislation or policy can help address policymakers’ concerns and ensure that the United States is aligned with international standards, preventing technical barriers to trade and enabling U.S.-developed products and services to operate smoothly and securely across markets.
Industry Commonly Used ISO/IEC Standards
The IEC (International Electrotechnical Commission) and ISO (International Organization for Standardization) are both independent, non-governmental, not-for-profit organizations that develop and publish fully consensus-based standards. The ISO/IEC Joint Technical Committee (JTC) 1 focus on information technology and is formed to bring together technical experts to develop ICT standards to avoid duplicative or possibly incompatible standards across the globe. ISO/IEC are two of hundreds of international SDOs, but they are one of the most reputable platforms for ICT standards activities.
ISO/IEC 27001 and 27002 include very basic steps to guide organizations to manage information security for both cybersecurity and privacy. These standards are suitable for organizations big and small and are recognized internationally. In ITI’s experience engaging with policymakers around the world, we often see references to this standard in cybersecurity proposals because it is a foundation of data security management. The NIST cybersecurity and privacy frameworks also map to ISO/IEC 27001/2 and provide implementation guidance to put these standards into practice, which is why ITI recommends the NIST frameworks to all stakeholders.
Other well-known cybersecurity standard includes the Common Criteria ISO/IEC 15408, which is a dictionary including many protection profiles. ITI recommends leveraging the Common Criteria because it is well-defined and globally recognized. However, we caution against converting the Common Criteria into a set of mandatory requirements. Although Common Criteria is generally useful for ICT products and services, it is not suitable for all. Governments often use this standard in the government procurement context and not as commonly in the commercial space. ISO/IEC 20243 Open Trusted Technology Provider (OTTPS) is a software supply chain standard that includes continuous monitoring and protection. The OTTPS standard is nimble and emphasizes the continuous improvement of the software supply chain.
Other well-known cybersecurity standards include the Common Criteria ISO/IEC 15408 for general ICT products and services, ISO/IEC 20243 Open Trusted Technology Provider (OTTPS) useful for software supply chains, ISO/IEC 30111 and 29147 for vulnerability management, and ISA/IEC 62443 often used by industrial control systems and critical infrastructure.
In terms of AI, ISO/IEC 24028 and ISO/IEC 24027 provide information related to trustworthiness in AI systems including transparency, explainability and bias, which are great tools considering the many policy debates around AI. There are also various developing standards around the use of biometrics, focusing on facial recognition and fairness, such as ISO/IEC 22116 and 19795.
Because ICT products and services are so diverse and always evolving, there is no one standard that can meet the needs for everyone; therefore, policymakers should keep multiple options open and be as inclusive as possible to accommodate that different organizations have different needs. In the ICT space, policymakers are interested in developing regulatory approaches (i.e., conformity assessment and/or certification) for digital services based on those designed for goods. However, while the World Trade Organization (WTO) rules require countries to rely on international standards for goods, where they exist, there is not yet a complementary rule requiring the same for digital products.
International standards are not only essential for interoperability of products and services but they also provide a wealth of resources for policymakers and regulators – providing regulators with the ability to reference technical specifications in legislation or regulation to ensure safety, security, and consistency across technologies, while fostering innovation and avoiding technical barriers to trade. ITI additionally emphasizes that ICT products and services are always changing and improving; therefore, standards and best practices should be updated over time.