If the Beatles were creating music now, with their famous lyrical references to social, political and cultural currencies, their lyrics might have been “Come together, right now, over security.”
Entering the Fourth Industrial Revolution (4IR) with all of its interconnected technological glory means a heightened need for cyber-policing. States are obliged to ensure security for their citizens. That security applies to cyberspace as well, which has complicated and expanded that obligation. The duty to cybersecurity is shared among a variety of players from state to corporations to individuals and civil society. As Xi Jinping said, at the 2015 Opening Ceremony of the Second World Internet Conference, “Cyberspace is not a place beyond the rule of law. Cyberspace is virtual, but players in cyberspace are real.”
Cybersecurity policy-making needs to be created in collaboration between the private and public sectors. There needs to be a global effort because cyberthreats defy national borders and working together builds stronger resiliency.
Some countries, such as China and India, have largely withdrawn from the global discussion on cybersecurity electing to adopt indigenous standards that they believe will improve their country’s cybersecurity through segregating themselves from the greater digital ecosystem. This desire to secure themselves often neglects the greater good. This self-segregation is often demonstrated in a retreat from internationally recognized technical standards. Such a misguided attempt leaves them more vulnerable as they often use lesser regulated products and do not benefit from international research communities. This division also increases the risk of fragmentation in policies.
When leaders debate cybersecurity policy, it is often in isolation, and there often lacks reflection on whether the sum of the cybersecurity policies amounts to a coherent whole. How does it coincide with global systems? How will it affect the global economy? To inspire effective strategies that are consistent and aligned with international goals demands dedicated international discourse and accord in support of a robust global system.
While industry can encourage international talks and collaboration, and create and share best practices, it is up to governments to lead in setting internationally operable regional and global cybersecurity legislation.
The prospect of global policy-making that actively involves both the public and private sector is daunting. Efforts to create and maintain such policies should be conducted as an ongoing, developmental process instead of just evaluating them when needed or when driven to by crisis.
The World Economic Forum (WEF) holds its annual meeting in Davos with enabling mass conversations and collaborations in mind. The WEF has created a Cyber Resilience Playbook for Public-Private Collaboration with the hope that it aids discussions on building the policies, frameworks, and processes necessary to create cyber resiliency for the 4IR.
In the Playbook, they outline fourteen fundamental policy topics that mar the policy landscape. Throughout these topics, there are multitudes of interconnections. These topics can’t be evaluated autonomously; they must be examined in conjunction with each other. For instance, an effective intelligence-sharing policy can help to minimize the distribution of malicious software. There are also overarching themes that emerge when examining cybersecurity policies that of safe harbor, compliance and security, permissible activity, international reciprocity, and prioritizing prevention.
Security policy is often hindered by lengthy indecision. The WEF’s Playbook turns a discerning eye on specific topics integral to policy development to help inspire conversations and expedite the process. With the rate that technology is developing, the lethargic pace of policy development will only exacerbate cybersecurity concerns. The fourteen policy topics according to the WEF, that both government and private sectors need to give pause and consider are following. Notice that for each issue the WEF poses the questions that need to be asked. It is just a matter of globally partnering to establish the answers.
1. Research, data and intelligence sharing
What is the government’s role in sharing threat intelligence and promoting its dissemination?
To what extent should the government be involved in the research, development, and purchase of zero-day vulnerabilities and exploits? To what extent should government share these vulnerabilities with the private sector? “A zero-day vulnerability refers to an exploitable weakness in software that is usually unknown to a vendor. Since this vulnerability has never been shared publicly, no days have gone by to address the issue; thus it is on ‘day zero.”
Zero-day vulnerabilities can be obtained through research and investigation, and are often inadvertently created. However, once discovered, they can be exploited to carry out a cyber-attack. Zero-day software vulnerabilities have the potential to “militarize cyberspace” hence the need for policy discussions around them. Google has created “Project Zero” in which they’ve invested in discovering and disclosing vulnerabilities in an attempt to guarantee security. It is also wise for corporations to have a vulnerability assessment conducted on their software, so they find any zero-day cracks in their infrastructure.
3. Vulnerability liability
Who is liable for securing software, and what are the trade-offs associated with different liability regimes? Is it enough that software companies sell their product with the forewarning of “buyer beware.” When software is now so thoroughly embedded in our processes, and the damages of exploiting software weaknesses can be so vast, is this warning enough or does there need to be stronger accountability?
How should governments engage with the private sector when the private sector publicly alleges that a particular actor is responsible for an attack?
5. Botnet disruption
What should be done to prevent the proliferation of botnets? How should existing botnets be researched and studied? How should actors throughout the ecosystem disrupt botnets? Part robot, part disease, these malware-infected devices controlled by an attacker, infiltrate a network and try to find as many weaknesses to exploit, and infect as many connected devices as possible. Ensure the technological infrastructure of your institution, agency or corporation is protected against botnet threats.
To what extent should different actors be able to monitor internet traffic and enforce security protocols? What traffic should nonusers be able to monitor in order to promote security and other national interests? A cybersecurity agency should watch for threats continuously in all government and medium to large corporate environments. There were more than 20 billion cybersecurity attacks against Cisco clients in the US every day in 2018, according to their CEO, Chuck Robbins. However, outside of those environments, it becomes a privacy question of who should be able to see what?
7. Assigning national information security roles
Which entities and organizations should serve in national information security roles?
Canada realizes that cyber resiliency is a team sport. In October 2018, the Canadian Centre for Cyber Security (Cyber Centre) opened its doors. The Cyber Centre is a shift to a unified approach to combating cyber threats, gathering under one roof are operational security experts from across the Government of Canada. The Cyber Centre’s mandate is to collaborate with government, the private sector, and academia to make Canada a safer nation, online.
Who should be able to access sensitive data and communications?
Again, it’s a matter of privacy and human rights – how much should be seen and by whom? Encryption is necessary to protect against cyber-criminals. However, there is also the misuse of encryption that can shield a wrongdoer’s communications from law enforcement that must be taken into the equation. Data-at-rest and data-in-transit must remain secure, so many companies are implementing end-to-end encryption. This can threaten specific business models though, especially those that rely on AI and machine-learning to offer tailored customer experiences.
9. Cross-border data flows
What are the security and non-security implications when countries exert control over data? Cyberspace is a domain dependant on nation-state authority.
10. Notification requirements
When should companies be required to notify relevant stakeholders that they have been breached or have otherwise experienced a cyber-incident? What sanctions should policymakers apply to compromised organizations? The EU’s GDPR has made it mandatory to notify consumers of data breaches within 72 hours of the breach becoming known. If companies fail to do this then hefty fines are in place (2% of worldwide turnover is one sanction listed).
11. Duty of assistance
How should public resources be drawn upon in the wake of a cyber-incident? In the case of a devastating natural disaster that destroys critical infrastructure, public funds are drawn upon to help those communities and industries affected. In the case of a devastating cyberattack, should the same assistive measures be employed?
12. Active defence
What technical measures should the private sector be empowered to use to deter and respond to cyber threats? This gets into a legal gray area. Active defense is turning the tables by employing similar nefarious means. Is hack-back a viable option?
13. Liability thresholds
What is the reasonable duty of care that an organization should have? Who should bear the residual damages resulting from cyber-incidents when an organization has sufficiently invested in security controls?
What incentives, if any, should be offered to obtain cyber-insurance? Which entities should be prioritized for these incentives?
Shaping cybersecurity policies that will make businesses and organizations cyber resilient can feel overwhelming.
ISA has been providing security services to Canadian companies, organizations, and government agencies for over twenty-five years. They have a proven track record of successful collaborations across every industry. Contact ISA and let them help you shape your cybersecurity policies.