After years of speculation, false starts and failed attempts, U.S. Treasury Secretary Janet Yellen finally announced in early July that more than 130 nations have signed onto an agreement that would establish a minimum corporate tax of 15%. The plan, as currently drafted, would also refine international tax rules that currently reward organizations for establishing headquarters in low tax counties where their customers and most employees do not reside.
Although the nations still have to finalize important details around policy execution and enforcement, this agreement in principle represents one of the most consequential examples of international cooperation that the modern world has ever seen.
So, with the global corporate minimum tax challenge on course for reform, the new question for global leaders becomes: Why can’t we do something very similar for cybersecurity?
Current deterrents are not working
If incongruent corporate taxation represents a global challenge, then cybersecurity represents an existential international emergency where stronger national and international regulations and frameworks are needed. Emboldened adversaries take advantage of lax laws, a regulatory environment that doesn’t cross borders, and not enough defenders to mitigate the millions of new vulnerabilities introduced by both people and technology.
Making matters worse, the increasing number of retaliatory threats issued by heads of state and the billions of dollars thrown annually at cybersecurity tools by private enterprise are not making nearly a big enough dent in the threat landscape.
For example, just weeks after U.S. President Joe Biden confronted Russian President Vladimir Putin on cybercrime, the Russia-backed REvil hacking group initiated one of the world’s largest ransomware attacks to date.
And on July 19, the U.S. and UK officially implicated the Chinese government for tacitly supporting a major cyberattack against Microsoft, an organization that undoubtedly spends as much money on cybersecurity as any enterprise in the world.
In response to these attacks, and to help mitigate the maturation of future threats, President Biden issued a cybersecurity Executive Order (EO) in which the National Institute of Standards and Technology was tasked with developing a new set of software rules.
The case for a global minimum cybersecurity agreement
It’s not clear just how effective President Biden’s new EO will turn out. However, if precedent is our guide, then such an initiative will likely amount to nothing more than just another tactic that the world’s governments and businesses are banking on to deter cybercrime that fails to reduce risk enough to make a real dent.
Today, risk mitigation has been entirely up to individual defense mechanisms and actions instead of a collective and strong international collaboration. So then, why not implement a cybersecurity version of a corporate minimum tax agreement? A “collective defense” among countries tired of all the time, money and resources being thrown towards fixing a problem that’s only getting worse and individual players struggle to address efficiently.
Now, I don’t pretend to have determined everything that such a plan would entail, or how exactly global enforcement would work. Developing and executing such a major initiative would certainly require the brainpower of many people with a breadth and depth of cybersecurity experience. However, there are some obvious items to include, including requirements around:
- Basic IT hygiene, designed around asset management, zero-trust architecture and advanced threat detection.
- Regular, mandatory security training for all employees because far too many hacks occur because of social engineering.
- Basic OT hygiene, including network security, such as anomaly network detection given that there’s usually legacy devices that are not designed for the current security paradigm, adequate asset management; and adequate security lifecycle for new devices being rolled. Ultimately, moving to a zero- trust model can avoid many of the issues we have now.
- Software and hardware management and delivery ubiquity. For example, we need to deliver on a Software Bill of Materials, signing software to validate the source, and implementing software security technologies such that it’s not possible to modify, attack, or repurpose.
By no means is this an exhaustive list – it’s simply a place to start. The idea of a cybersecurity equivalent to the global minimum tax structure – in which hundreds of countries agree to an enforceable set of cybersecurity rules - will surely be written off by many cynics as too idealistic, too difficult to manage or simply too naïve. And surely not everyone wants to commit to such framework and fair play. But we must do something. The status quo simply isn’t working.
We should use this moment in time in which 132 countries have banded together for greater tax fairness and piggyback off it to demand greater cybersecurity accountability regardless of geographic barriers. It’s clear that no one nation can tackle the cyber problem alone. That’s why we need a Global Minimum Cybersecurity Agreement: and we need it now.
Peter Oggel, chief technology officer, Irdeto