Notes from a CSIS Virtual Event: Cybersecurity Considerations for Data Localization Regulation

By Andrew Braverman

On March 9, CSIS hosted an event on the necessary cybersecurity considerations for data localization efforts, featuring the presentation of two papers by Peter Swire (Holder Chair of Law and Ethics at Georgia Institute of Technology) and DeBrae Kennedy-Mayo (Research Faculty Member with the Scheller College of Business at Georgia Institute of Technology), and Victoria Baines (Visiting Fellow at Bournemouth University). Andreas Mitrakas (Head of Market Certification and Standardisation Unit at the European Union Agency for Cybersecurity) and Raphael Marichez (Chief Security Officer for South Europe at Palo Alto Networks) then joined the speakers for a panel discussion on the topic. The panel was moderated by James A. Lewis, SVP and Director of the CSIS Strategic Technologies Program.

Peter Swire and DeBrae Kennedy-Mayo teed up the conversation with a brief presentation on their paper "The Effects of Data Localization on Cybersecurity," one of the first comprehensive analyses of defensive cybersecurity and prohibitions of transfers of data (“hard localization”). Swire helped set the stage for the recent wave of data localization laws around the world, explaining that many such regulations are justified in the name of security. He explained that the paper hoped to identify in which situations privacy and security worked together and in which they proved at odds. Kennedy-Mayo explained how they analyzed hundreds of public comments submitted to the European Data Protection Board (EDPB) to determine how this tension between the two values was navigated in the EU.

The pair’s paper looked at how risk management was complicated by privacy advocacy. ISO cybersecurity controls were greatly disrupted by data localization requirements that created a more complex division of labor and limited the data flows necessary to secure a network. According to Swire, data localization had significant effects on cybersecurity companies and cloud providers, who lost access to the best tools where localization requirements were instituted. Furthermore, the regions with these requirements then became a target for cyber criminals because of their weakened security. Swire added that, similarly, information-sharing can be greatly handicapped by localization regulation. Both scholars concluded that, unless addressed, “localization done in the name of security often will undermine security.”

Victoria Baines echoed many of these sentiments during the presentation of her paper "On joined up law-making: the privacy/safety/security dynamic, and what this means for data governance." She explained how governments have long balanced public safety and privacy but observed how this challenge is made more complex in the case of information security. For example, the EU’s Digital Services Act and Digital Markets Act complicate cybersecurity efforts. Article 5a of the DMA, for example, obliges online platforms to refrain from aggregating data between different services they offer and with third parties. Baines reminded the audience, though, that “cross-platform forensic investigation is very often essential” to protect networks and individuals online. Baines noted that previous data governance policies have navigated the tension between security and localization in different ways. For example, EU data governance and the U.S.-EU Trade and Technology Council largely incorporated security into transatlantic approaches to data.

Andreas Mitrakas then presented his view of this difficult balancing act between privacy, security, and free flows of data. He shared how the EU model differs from the federal model in the United States. He also explained how the EU Cybersecurity Act of 2019 largely helps guide the continent’s approach to this conversation. Mitrakas stressed how important it was that regulatory bodies in the EU have the ability to exercise their supervisory duties in every industry.

The event then opened to a panel discussion. Raphael Marichez offered some initial thoughts, echoing the security challenges posed by data localization and emphasizing the need to remember the purpose behind any aspiration of data localization (whether that’s data privacy or supply-chain security, for example). In response to a question about how Palo Alto Networks will have to adjust their business model, Marichez explained that the company necessarily stitches together and correlates data across geopolitical barriers to perform necessary cybersecurity work. If more barriers keep popping up, it will be more difficult to identify malicious behavior across the information security ecosystem.

Swire then posed a question about whether ISO controls are less effective for ENISA/the EU in the face of data localization requirements. Mitrakas mentioned that ENISA had helped produce Cybersecurity Certification Schemes. ENISA also produces data and reports and collaborates with EU-wide standards organizations. Discussion then shifted to the topic of “side-loading” as a security concern. Baines clarified how reliant on exemptions some of the European frameworks are. Google and Apple may struggle to enforce security on their app stores and devices in the EU because security at scale would require thousands of exemptions. Marichez then observed the increasing need for in-house roles that combine legal expertise with security experience.

Multiple panelists noted the broader trend towards the service model (e.g., IaaS, SaaS) and commented on the implications of this for information security. Mitrakas observed that this inevitably means we lose some control over information systems. Additionally, Baines noted, it is very difficult to disentangle the “as-a-service" model from debates over digital sovereignty. With greater degrees of as-a-service offerings, countries and data flows are more enmeshed online. The panel was then asked what effective approaches to future agreements on cross-border data flows might look like. In a fitting summary of the conversation, Swire suggested targeted exceptions to localization requirements based on cybersecurity needs. Mitrakas brought up the Safe Harbor Framework and the U.S.-EU Privacy Shield as past attempts to protect data without sacrificing security. Baines concluded by noting how bans against end-to-end encryption are an example of our broader inconsistency in managing the tension between security and privacy.

The full conversation was recorded and is available here.

Andrew Braverman is a research intern with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, DC.

The Strategic Technologies Blog is produced by the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).