Policy Paper on Cyber Security
by Jenny Torres  (firstname.lastname@example.org)
IAEN-Instituto de Altos Estudios Nacionales, Quito, Ecuador
draft version (April 2014)
During the last few decades new technologies, e-services and interconnected networks have become increasingly embedded in our daily life (ENISA 2012). Since, businesses, society and government become more and more dependent on the functioning of Information Technology (IT) and the operation of information infrastructures, the protection and availability of these critical assets are increasingly becoming a topic of national interest.
The Internet was not originally designed with its own security in mind and, as a result, connected computers are vulnerable to on line incursion and attacks (Tibbs 2013). Securing cyberspace has become one of the most important challenges of the 21st century since the Internet can be used as a medium for on line theft, message traffic interception, manipulation of information assets, destructive attacks on information and real-world assets such as national infrastructures.
Nowadays, cyber threat is one of the most serious economic and national security challenges that a country face. The disclosure about massive surveillance and data collection by the National Security Agency (NSA) of the United States, provoked the indignation of political leaders around the world, including Ecuador. Some countries, like Brazil, had mentioned to increase their efforts to adopt a different legislation, develop technologies and establish mechanisms to protect its citizens from illegal surveillance and interception of communications and data.
Every country needs to create conditions to prevent cyberspace from espionage, sabotage and attacks to the network infrastructure determining an optimal strategic approach to cyber security concerns. In Latin America almost all global Internet connections using fiber optic cables pass through the United States. In order to avoid crossing boundaries, countries need to form industrial alliances to create an alternative physical infrastructure for the Internet, strengthen their actual infrastructure by regulating the Internet providers sector, applying strong encryption on the communication links, and establishing cyber security strategies. This will protect countries from surveillance, and will let them achieve sovereignty and economic competitiveness.
Introduction and Focus: General Background
The term cyberspace describes systems and services connected either directly to or indirectly to the Internet, telecommunications and computer networks. The rise of cyberspace as a field of human effort is one of the most significant developments in world history (Klimburg 2012). Cyberspace impacts every facet of human existence including economic, social, cultural and political development, being one of the fields most challenged by this development, the national security.
Cyber security is the activity of protecting information and information systems, such as networks, computers, data bases, data centers and application, with appropriate procedural and technological security measures (Rai 2011). It is important to all countries because it endeavours to ensure that cyberspace continues to work even under an unexpected attack. Unless, network attacks are evolving in their ability to evade detection, have financial consequences for their victims and are becoming more targeted, it is no longer a pure computer security issue, instead, it should be considered as a national policy matter to control the illicit use of cyberspace for economic, public health, safety and national security activities.
Problems and Challenges
The documents released by the ex National Security Agency (NSA) contractor, Edward Snowden, have revealed several programs that may be potentially interfering with the privacy of millions of individuals worldwide (EFF 2014). The NSA collects telephone records, through abulk phone metadata program, from a significant portion of United States (US) telecommunications companies. The communications collected and analysed include content of people outside the country when those communications are available within the US, which means that domestic and international communications are part of this data collection. PRISM, one of the program thatcollects information from US Internet companies, had already spied more than 35 world leaders.
Another example related with the massive surveillance is Cuba. ZunZuneo was an on line social networking and microblogging service created in 2010 by the United States Agency for International Development (USAID). The main idea was to develop a basic “Cuban Twitter” (Telegrafo 2014), for sending and receiving text messages through mobile phones to circumvent the tight information control and restrictions on the use of the Internet in Cuba. This network had about 40000 users and its main objective was to interchange political contents.
Many details about the scope of these programs remain unknown. What has so far been made public suggests that such surveillance constitutes unlawful and arbitrary interference with privacy. The massive scale of the programs, along with the secrecy of underlying legal interpretations and defects in oversight, raises concerns about violations of the right to privacy.Julian Assange and Jacob Appelbaum, co-authors of the book Cryptopunks: Freedom and the Future of Internet, agree that the massive surveillance is real and warn to Latin America to take care of the sovereignty of each country, since the fiber optic cables that are used pass by the United States, as in the case of Ecuador. For that, some of the different key challenges (Rodriguez 2014), defined by EFF, concerning cyber security in any government should be:
Protect Critical Internet Infrastructure: the NSA had secretly undermined the global communications infrastructure and services, such as key cryptographic standards, obtaining private encryption keys for commercial services relied by individuals and companies, as well as have put backdoors into different equipments. No law should impose security holes in the technology in order to facilitate surveillance.
Protect Metadata: the information about communications, called metadata or non-content, should be as private as the content of communications. This informationcan include the location of a cell phone, clickstream data, and search logs, and is as invasive as reading an e-mail or listening a phone call. What is important is not the kind of data is collected, but its effect on the privacy of the individual. The law must require high standards for government access whenever that access reveals previously non-public information about individual communications.
Monitoring Equals Surveillance: if information is collected and kept without being analysed by anyone, no privacy invasion occur. Nevertheless, if computers analyse all communications in real-time for key words and other selectors is not "surveillance" for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications.
Definition of Communications Surveillance: The definition of "communications surveillance", encompasses the monitoring, interception, collection, analysis, use, retention, interference or access to information that includes, reflects or arises from a person’s communications. The countries should not be able to bypass privacy protections on the basis of arbitrary definitions.
Combat a Culture of Secret Law:the absence of transparency in surveillance laws and practices reflects a lack of compliance with human rights. Any country must not adopt or implement a surveillance practice without public law defining its limits. Moreover, the law must meet a standard of clarity and precision sufficient to ensure that individuals have advance notice of its application. When citizens are unaware of a law, its interpretation, or its application, it is effectively secret, and as consequence, not a legal law.
Cross-Border Access Protection: governments should not bypassnational privacy protections by relying on secretive informal data sharing agreements with foreign countries or private international companies. Individuals should not be denied privacy rightsbecause they live in another country from the one that is surveying them. Where data is flowing across borders, the law of the jurisdiction with the greatest privacy protections should be applied.
Projects and Initiatives
Among the most important worldwide initiatives for cyber security there is The Electronic Frontier Foundation (EFF), an international non-profit digital rights group based in the United States. It main goal is to ensure that rights and freedom are enhanced and protected as the use of technology grows. EFF provides funds for defend individuals and new technologies from what it considers misdirected legal threats, provides guidance to the government, organizes political action and mass mailings, supports new technologies, maintains a database and web sites of related news and information and monitors potential legislation that it believes would infringe on personal liberties. EFF defends user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development.
Another non profit association that defends the rights and freedom of citizens on the Internet is La Quadrature du Net. It advocates for the adaptation of French and European legislation to the founding principles of the Internet, most notably the free circulation of knowledge. This association get involved in public-policy debates concerning freedom of expression, copyright, regulation of telecommunications and on line privacy, among others. La Quadrature is supported by international NGOs, including the Electronic Frontier Foundation, the Open Society Institute and Privacy International.
On the other hand, among intergovernmental bodies and initiatives currently addressing cyber security at a policy level there are (OECD 2012):
Organization for Economic Co-operation and Development (OECD)
The OECD Committee for Information, Computer and Communications Policy (ICCP) promotes Internet policies that promote innovation and capture new sources of growth for more inclusive economic development and increased social well-being. Its Working Party on Information Security and Privacy (WPISP)[web page] develops flexible policy recommendations and guidance to sustain trust in the Internet Economy and the global networked society. Its work is based on in-depth policy analysis in areas such as National Cyber security Policies, Indicators for cyber security and privacy, Critical Information Infrastructure Protection (CIIP), digital identity management, malware, Radio-Frequency Identification (RFID), privacy protection and the protection of children on line. WPISP participants are delegates from 34 OECD member countries, observers, other international organizations as well as representatives of business, civil society and the Internet Technical Community.
Asia-Pacific Economic Cooperation (APEC)
APEC is a regional economic forum which groups 21 economies to promote free and open trade and investment, regional economic integration, economic and technical co-operation, human security, and a favourable and sustainable business environment to support sustainable economic growth and prosperity in the Asia-Pacific region. Its Telecommunications and Information Working Group (APEC TEL) aims to improve telecommunications and information infrastructure in the Asia-Pacific region. APEC TEL Security and Prosperity Steering Group (SPSG) carries out many activities related to security, trust and confidence in network, infrastructure, services, technologies, applications and e-commerce.
Council of Europe
The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Budapest Convention on Cybercrime (COE 2001), the Cybercrime Convention Committee (T-CY) and the technical co-operation Programme on Cybercrime. The Budapest Convention on Cybercrime was adopted on 8 November 2001 as the first international treaty addressing crimes committed using or against network and information systems.
The involvement of the G8 in the field of cybercrime dates back to the late 90s, when the G8 created a mechanism to expedite contacts between countries, the so-called “G8 24/7 network of contact points”. In May 2003, the G8 adopted the G8 Principles for Protecting Critical Information Infrastructures on the fight against crimes and terrorist acts committed using or against network and information systems (“cyber-crime” and “cyber- terrorism”). In May 2004 the G8 Justice and Home Affairs Ministers adopted the Best Practices for Network Security, Incident Response and Reporting to Law Enforcement and in May 2009 a significant part of the Final Declaration was devoted to cybercrime and cyber security, focusing on collaboration between service providers and law enforcement and on the strengthening of international co-operation. G8 Leaders agreed on a “number of key principles, including freedom, respect for privacy and intellectual property, multi-stakeholder governance, cyber-security, and protection from crime, that underpin a strong and flourishing Internet” (G8 2011).
Internet Governance Forum (IGF)
The IGF was established by the World Summit on the Information Society in 2006 to bring people together from various stakeholder groups in discussions on public policy issues relating to the Internet. While there is no negotiated outcome, the IGF informs and inspires those with policy making power in both the public and private sectors. The IGF facilitates a common understanding of how to maximize Internet opportunities and address risks and challenges. It is convened under the auspices of the General Secretary of the United Nations.
North Atlantic Treaty Organization (NATO)
NATO has recently acknowledged the need to focus on cyber defence. In the 2010 Strategic Concept adopted in Lisbon, NATO Allies recognized the need to develop the ability to prevent, detect, defend against and recover from cyber-attacks. The Cooperative Cyber Defence Centre of Excellence (CCD-COE) was created in 2006 in Tallinn, Estonia. It is an international military organization whose mission is to enhance the capability, co-operation and information sharing among NATO.
Organisation for Security and Cooperation in Europe (OSCE)
The OSCE addresses a wide range of security-related concerns, including arms control, confidence and security building measures, human rights, national minorities, democratisation, policing strategies, counter-terrorism and economic and environmental activities. Enhancing cyber security has become a cross-dimensional topic and endeavour in the OSCE. OSCE has carried out a number of cyber-security events since 2005, the last of which focused on its future role in tackling challenges arising from cyberspace in 2011
Organisation of American States (OAS)
The OAS groups 35 independent states of the Americas which adopted in 2004 a Comprehensive American Strategy to Combat Threats to Cyber security (OAS 2004). The strategy involves three OAS groups which address cyber security from a different perspective: the Inter-American Committee against Terrorism (CICTE) which supports member states in their efforts to create Cyber Security Incident Response Teams (CSIRTs), promotes the creation of a Secure Hemispheric Network of National CSIRTs and fosters a culture of cyber security, the Meetings of Justice or Other Ministers or Attorneys of the Americas (REMJA) Cyber Crime Working Group which focuses on legal requirements and investigation capabilities, and the Inter-American Telecommunications Commission (CITEL) which addresses technical aspects.
United Nations (UN)
The United Nations has been the host of a number of activities related to cyber security and cybercrime in the past few years (Maurer 2011). In 2003, through the resolution 58/32, the General Assembly requested the Secretary-General to consider threats to information security and possible cooperative measures. To this end a Group of Governmental Experts (GGE) was established in 2004 but consensus was not reached on a final report. The same theme was discussed by a “Group of Governmental Experts”, appointed in 2009 in pursuance of UN General Assembly resolution 60/45 of 8 December 2005. The Group produced a report on 16 July 2010 which recommends, among other things, “further dialogue among States to discuss norms pertaining to State use of ICTs, to reduce collective risk and protect critical national and international infrastructures”.
The International Telecommunication Union (ITU) is the specialised agency of the United Nations which is responsible for Information and Communication Technologies. ITU was proposed as moderator/facilitator in implementing concrete projects and initiatives along cyber security. It deals also with adopting international standards to ensure seamless global communications and interoperability for next generation networks, building confidence and security in the use of ICTs, emergency communications to develop early warning systems and to provide access to communications during and after disasters.
The Ecuadorian Political Framework
Regarding the revelations against the United States about massive surveillance and data collectiona “Codigo Organico Integral Penal” (COIP) bill was approved by the National Assembly on December 17, 2013. In the first draft of the Code, concerning this issue, an article for the data retention and recording of communications was included, Article 474. The article, with the intention of fighting against cyber crime, contradicted in its entirety, the position of Ecuador about the massive surveillance by the United States on other countries. The article, in its origin, legalised surveillance at the national level, disclaimed privacy rights and established as premise, presumption of guilt and suspicion of individuals. For the debate of this article, different meetings toke places including civil society and finally, it was removed from the Code.
Ecuador still need a law for the protection, defence and promotion of human rights, as today Brazil is doing. The principal intelligence agency in the country is the “National Intelligence Secretary” (SIN), which was created on September 2009. This institution is in charge of establishing the guidelines for the research of public safety issues and the state.
Talking about public administration, in August 2011, the National Secretary of Public Administration (SNAP), created a commission for the Information Security and the Information and Communications Technologies (ICTs) formed by representants from the Telecommunication Ministry, National Intelligence Secretary and the SNAP, with the objective of establishing security guidelines for the protection of national infraestructures, as well as the information in public administration. Following the commission goal, in September 2013 the SNAP, published an agreement saying that Public Administration entities, have to implement the technical standard INEN-ISO/IEC NTE 27000 for the Management of Information Security in every public institution in the country. The SNAP coordinate and monitor the implementation of the Government Scheme Information Security (EGSI), which will be implemented in 18 months.
Critique to capitalist models
The protection of privacy is a fundamental right guaranteed by the Universal Declaration of Human Rights. In a democratic society, privacyis an essential enabler for other fundamental rights, such as the right to freedom of expression. Nevertheless, nowadays, there is an interest, already widespread on the Internet,in weakening the protection of this fundamental right by collecting, processing, storing and trading citizen's information through surveillance.
Nowadays, the surveillance infrastructure is one of the main government concern around the world. Several governments in the Middle East and South Asia have threatened to forbid or block different communications tools, for instance Blackberry Messenger, they regarded as too secure, unless they were redesigned to remove security features and facilitate government spying. Also, Colombia adopted a new decree that compels ISPs to create infrastructure that would make it easier for law enforcement to spy on citizenship. In the case of Colombia, the law also forces ISPs and telecommunications providers to continuously collect and store for five years the location and subscriber information of millions of ordinary users.
Such surveillance has the potential to produce not only direct violations of privacy and freedom of expression, but other harms like remotely attacks, legal penalties, exposure to attack by third parties, and in general, harmful to human rights. Privacy protection needs to be adapted to the digital era and strengthened to take up these new challenges. It is essential for the continuation of democracy to force companies to be more transparent and accountable to citizens for the protection of our data.
Case Study 1: Icelandic Modern Media Initiative (IMMI)
The Icelandic Modern Media Initiative (IMMI) is an extensive program of legislative reform in Iceland founded in 2009. The WikiLeaks, after the gagging of Iceland's national broadcaster called RUV (Wikileaks 2008), by Iceland's largest bank, Kaupthing, advised the proposal to build an international "new media haven" in Iceland with the world's strongest press and whistleblower, editors and journalists protection laws. It Includes innovative laws protecting the source file protection and laws that prevent attempts to sue unfairly from another jurisdiction.
The IMMI goal is to combine the laws most friendly to journalists, so that Iceland-based media would be immune from the least friendly laws elsewhere (Hirsch 2010). For example, Sweden has a progressive law on the protection of sources, where journalists are not allowed to reveal sources. Norway and Estonia's freedom of information laws are selected for their presumption of public access to all government documents. Also, in United States, the state of New York, a law for "libel tourism" cases, attempts to protect Americans from judgements of the English high court. Most of those laws where replicated in IMMI.
“Before the creation of the IMMI, there were no pioneer country regarding legislation in the installation of Internet services. Nevertheless, countries adopting legal reforms like IMMI will be seen not only as a world leader, but as the best place to install an internet company of high technology” Julian Assange (Telegrafo 2014a).
Case Study 2: Marco Civil in Brazil
“We are a democratic country, surrounded by democratic countries that respect international law”. “Without respect to sovereignty there is no base for proper relations among nations”. “My administration will do everything within its reach and powers to defend human rights of all Brazilians and protect rights of all citizens in the world” Dilma Rouseff - president of Brazil.
In march 2014, the Brazilian Chamber of Deputies voted in favour of approving the Marco Civil bill. Nevertheless, it still need to be sent to the Federal Senate for deliberation, and later returned to the Chamber of Deputies before it can be sanctioned by the President. This Marco Civil, is the first major Brazilian law on Internet rights, which mainly includes provisions on net neutrality and intermediary liability. Among the most important items stated in the document there are:
- Data Retention
- Net Neutrality
- Rights and principles
Case Study 3: Cyber Security strategies
The Organisation for Economic Co-operation and Development (OECD) is a forum where governments work together to address the economic, social and environmental challenges of globalisation. The Organisation provides a setting where governments can compare policy experiences, seek answers to common problems, identify good practice and work to co-ordinate domestic and international policies (OECD 2012). This initiative analysed the emergence of a new generation of government policies, called “cyber security strategies”. In a total of 10 volunteer OECD countries, 8 of them had adopted the strategy between 2009 and the end of 2011 (Australia, Canada, France, Germany, Japan, Netherlands, the United Kingdom and the United States), and two were in the process of developing one (Finland and Spain).
Most participating countries which adopted a strategy between 2009 and 2010 are already in the process of reviewing it. The United Kingdom which adopted a cyber security strategy in 2009, released a new strategy in November 2011. The Australian 2009 Cyber Security Strategy was in the course of being updated by the release of the government’s Cyber White Paper, following up on a public consultation carried out in autumn 2011. The rapid progress of renewal and revision of these policies indicates the emerging and fast-evolving nature of the subject matter as well as governments’ willingness (OECD 2012), to take into account a rapidly changing environment through an iterative and relatively dynamic policy approach.
The scope of almost all new cyber security strategies has evolved from solely protecting individuals and organisations as distinct actors, to protecting society as a whole. This change results from the evolution of the role of the Internet in society (OECD 2012). Some summarized examples are:
NIST, The National Institute of Standards and Technology in United Stated, had released in February 2014, a version of a Cyber Security Framework (NIST 2014). The private-sector led the effort to develop this guide for organizations in the critical infrastructure community to enhance their cyber security during a year. Through the development of this framework, industry and government were strengthening the security and resiliency of critical infrastructure in a model of public-private cooperation. During this year, individuals and organizations throughout the country have provided their thoughts on the kinds of standards, best practices, and guidelines that would meaningfully improve critical cyber security infrastructure. The framework gathered existing global standards and practices to help organizations understand, communicate, and manage their cyber risks.
The UK government and intelligence agencies are directly targeting the most senior levels in the UK’s largest companies and providing them with advice on how to safeguard their most valuable assets, such as personal data, online services and intellectual property. The UK Government Communications Headquarters presented a guide to potential cyber threats or mitigations (CESG 2012).
Canada's Cyber Security Strategy (Public Safety Canada 2013)is the Government's plan for protecting the country from online criminals. Foreign countries are using the Internet to steal classified information from government and trade secrets, commercially sensitive and private information from business systems. The main objectives of the strategy are to secure government systems, work with others to secure systems outside of government, and help citizens to be safer online. Public Safety Canada is responsible for coordinating the implementation of the strategy. It works with provinces, territories, and the private sector to secure Canada’s vital systems. The Department also works with international partners to reduce the risk to computer systems across the globe.
The Cyber Security Cooperation Program (CSCP) was developed as a means to improve the security of Canada's vital cyber systems. The program will provide $1.5M in grants and contributions over five years in support of projects that increase the resilience of Canada's vital cyber systems through strengthened partnerships with the private sector. The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital systems outside the federal government.
India had no Cyber security policy before 2013. In July 2013, the government of India had proposed a National Cyber Security Policy (Department of Electronics and Information Technology (DeitY), Ministry of Communication and Information Technology) (Rai 2011) aimed to protect the public and private infrastructure from cyber attacks. This policy intends to safeguard personal information of web users, financial and banking information and sovereign data. Some of the strategies stated on the policy were:
- Creating an assurance framework.
- Encouraging Open Standards.
- Strengthening The regulatory Framework.
- Creating mechanism for Security Threats Early Warning, Vulnerability management and response to security threat.
- Securing E-Governance services.
- Protection and resilience of Critical Information Infrastructure.
- Promotion of Research and Development in cyber security.
- Human Resource Development (fostering education and training programs both in formal and informal sectors to support Nation's cyber security needs and build capacity.
- Creating cyber security awareness.
- Developing effective Public Private Partnership.
Preliminary General Principles for Policy Making
The following set of principles were identified by NetMundial (NetMundial 2014) in order to contribute for an Internet governance framework.
1. The security of cyber space is not an optional issue but an imperative need in view of its impact on national security, public safety and economic well-being.
2. The issue of cyber security needs to move beyond traditional technological measures such as anti-virus and firewalls. It needs to be dynamic in nature and have necessary depth to detect, stop and prevent attacks.
3. Cyber security forms an integral component of security of cyber space in order to be able to anticipate attacks, adopt suitable counter measures and attribute the attacks for possible counter action.
4. Rights that people have offline must also be protected online, in accordance with international human rights legal obligations. Among them we can mention:
- Freedom of expression: everyone has the right to hold and express opinions, and to seek, receive, and impart information on the Internet without arbitrary interference.
- Freedom of information and access to information: Everyone should have the right to access, share, create and distribute information on the Internet.
- Privacy: avoiding arbitrary or unlawful collection of personal data and surveillance and the right to the protection of the law against such interference.
- Accessibility: persons with disabilities should enjoy full access to online resources on an equal basis with others.
5. Internet governance must respect and promote cultural and linguistic diversity in all its forms.
6. Internet should continue to be a globally coherent, interconnected, stable, unfragmented, scalable and accessible network-of-networks.
7. As a universal global resource, the Internet should remain a secure, stable, resilient, and trustworthy network.
8. The Internet should be preserved as an innovative environment based on an open and distributed system architecture
9. Internet governance must continue to allow permissionless innovation and creativity through an enabling Internet environment.
10. Internet governance should promote open standards consistent with human rights which allow development and innovation.
Cyber security strategies aim at achieving two interrelated objectives: strengthening cyber security for the Internet economy to further drive economic and social prosperity, and protecting cyberspace-reliant societies against cyber threats. Managing the complexity of pursuing these two objectives in parallel, while preserving the openness of the Internet and fundamental values, is probably the main challenge of cyber security policy making today (OECD 2012).
As the Internet and ICTs have become essential for the economy and the social development., the consequences of failures can directly impact society as a whole. Nowadays, a national cyber security strategy is considered as a tool to improve the security and resilience of national information infrastructures and services, among government priorities. Each strategy should establish a range of objectives and priorities in each country, scheduled to be achieved in a specific timeframe.
The Electronic Frontier Foundation (EFF) argues that encryption is crucial to create security. In the absence of encryption, online communications can easily be intercepted by anyone, not just the police. Individuals and government agencies should all use strong encryption routinely. The following recommendations aim to (ENISA 2012):
- define the areas of interest of a cyber-security strategy
- identify useful recommendations for public and private stakeholders
- help to develop, manage, evaluate and upgrade a national cyber security strategy
Among the general policy recommendations for Cyber Security, we have:
- The government will focus efforts on improving the security of their networks by implementing the Administration’s priority cyber security capabilities and developing metrics to measure their success.
- Transform the static security control assessment and authorization process into an integral part of a dynamic enterprise wide risk management process, through a continuous monitoring of governmental Information Systems.
- Ensure only authorized employees have access to governmental information systems by requiring a higher level of security (Personal Identity Verification standards to be considered).
- Policies could encourage the development of open standards enabling innovation for security solutions, relying on open Internet standardisation groups and avoiding unilateral modification of Internet standards.
- International enterprises, like Facebook and Google, should install their servers and store the data in each country so that, national legislation should be applied.
- A regulation for Internet Service Providers (ISPs) should be applied in order to have a strong encryption in the different communication links.
- An existing institution or a new one should be established to ensure information security compliance. This institution should be in charge of enhancing governmental co-ordination at policy and operational levels to facilitate co-operation, encourage synergies, avoid duplication, and pool initiatives. This evolution from a multi-agency to an inter-agency approach requires strong leadership to enable co-ordination and co-operation across pre- existing government silos.
- Achieve enhanced international co-operation through alliances and partnerships with different countries, including the capacity building of less developed countries.
The European Network and Information Security Agency (ENISA 2012)has identified practices of national cyber security strategies in the EU and non-EU countries, in terms of structure and content, in order to determine the relevance of the proposed measures for improving security and resilience. Based on that, policy recommendations for developing a National Cyber Security strategy are:
- Determine a national risk assessment, with a specific focus on critical information infrastructures. Risk assessment is a scientific and technologically based process consisting of three steps: risk identification, risk analysis and risk evaluation (ENISA 2012). This can provide valuable information for developing, executing and evaluating a strategy.
- Develop national cyber contingency plans determining structures and measures for responding to, and recovering services following, major incidents that involve critical information infrastructures
- Organise cyber security exercises for testing existing emergency plans, target specific weaknesses, increase cooperation between different sectors, identify interdependencies, stimulate improvements in continuity planning, and generate a culture of cooperative effort to boost resilience.
- Identify baseline security requirements defining the minimum security level that all organisations in that sector should comply with. Such requirements could be based on existing security standards or frameworks and good practices.
- Establish incident reporting mechanisms in order to enhance national cyber security. The more a person knows about major incidents the better they can understand the threat environment. Incident reporting and analysis helps in adjusting and tailoring the security measures list.
- Raising awareness about cyber-security threats and vulnerabilities and their impact on society. Through awareness-raising, individual and corporate users can learn how to behave in the online world and protect themselves from typical risks.
- Cyber security training and educational programs should be strengthen to meet the increasing needs of this sector. Cyber security should not be a separate academic topic but part of the computer science curriculum.
- Take into account national legal requirements for data protection when drafting cyber security relevant regulatory texts, since measures and tools that tackle cyber crime often invade privacy.
- COE (2001) Convention on Cybercrime. Council of Europe. Retrieved from: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
- EFF (2014) Human Rights Watch and the Electronic Frontier Foundation Supplemental Submission to the Human Rights Committee During its Consideration of the Fourth Periodic Report of the United States. Electronic Frontier Foundation. Retrieved from: http://www.hrw.org/sites/default/files/related_material/HRW%20submission%20on%20privacy%20US%20CCPR%20review%20final.pdf
- ENISA (2012) European Network and Information Security Agency. National Cyber Security Strategies . Practical Guide on Development and Execution.
- G8 (2011) G8 Declaration: Renewed Commitment for Freedom and Democracy. Retrieved from: http://www.g8.utoronto.ca/summit/2011deauville/2011-declaration-en.html
- Hirsch, A. (2010) Iceland aims to become a legal safe haven for journalists. The Guardian. Retrieved from: http://www.theguardian.com/media/2010/jul/12/iceland-legal-haven-journalists-immi
- Klimburg, A. (2012) National Cyber Security Framework Manual. NATO Cooperative Cyber Defence. Centre of Excellence Tallinn. Estonia.
- NetMundial (2014) NetMundial draft outcome document. Retrieved from: http://document.netmundial.br/
- NIST (2014) Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology. Version 1.0. Retrieved from: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
- OAS (2004) Adoption of the Comprenhensive Inter-American Strategy to Combat Theats to Cybersecurity: A Multidimensional and Multidisciplinary Approach to Creating a Culture of Cybersecurity. Organization of American States. Retrieved from: http://www.oas.org/XXXIVGA/english/docs/approved_documents/adoption_strategy_combat_threats_cybersecurity.htm
- OECD (2012) Organisation for Economic Co-operation and Development. Cybersecurity Policy Making at a Turning Point. Analysing a new generation of national cybersecurity strategies for the Internet economy.
- Public Safety Canada (2013) Action Plan 2010-2015 for Canada’s Cyber Security Strategy . Government of Canada. Retrieved from: http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/index-eng.aspx
- Rai, G. (2011) National Cyber Security Policy . Department of Information Technology . Ministry of Communications and Information Technology Government of India.
- Rodriguez, K. (2014) EFF to the United Nations: Protect Individuals Right to Privacy in The Digital Age. Electronic Frontier Foundation. Retrieved from: https://www.eff.org/deeplinks/2014/02/eff-un
- Telegrafo (2014) Cables de EE.UU. proveen servicio de internet a Ecuador. Retrieved from: http://www.telegrafo.com.ec/politica/item/cables-de-ee-uu-proveen-servicio-de-internet-a-ecuador.html
- Telegrafo (2014a) Flujos de información y poder. Retrieved from: http://www.telegrafo.com.ec/politica/item/flujos-de-informacion-y-poder.html
- Tibbs, H. (2013) The Global Cyber Game. The Defence Academy Cyber Inquiry Report. Defence Academy of the United Kingdom.
- Wikileaks (2008) Financial collapse: Confidential exposure analysis of 205 companies each owing above EUR45M to Icelandic bank Kaupthing. Retrieved from: http://wikileaks.org/wiki/Financial_collapse:_Confidential_exposure_analysis_of_205_companies_each_owing_above_EUR45M_to_Icelandic_bank_Kaupthing,_26_Sep_2008
- CESG (2012) 10 steps for Cyber Security. The Information Security Arm of FCHQ. Retrieved from: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/73128/12-1120-10-steps-to-cyber-security-executive.pdf
- Maurer, T. (2011) Cyber norm emergence at the United Nations - An Analysis of the Activities at the UN Regarding Cyber-security. United Nations. Retrieved from: http://www.un.org/en/ecosoc/cybersecurity/maurer-cyber-norm-dp-2011-11.pdf
- Copyright © Copyleft 2014 Jenny Torres: GFDL and Creative Commons Attribution-ShareAlike 3.0 GFDL: Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at http://www.gnu.org/copyleft/fdl.html CC-by-sa: You are free to copy, distribute and transmit the work, to adapt the work and to make commercial use of the work under the following conditions: a) You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). b) If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. Full license conditions can be found at http://creativecommons.org/licenses/by-sa/3.0/legalcode.