Cybersecurity legislation: organization, collaboration and diffusion across the globe, and working towards the populization of cybersecurity culture
Technology has had an impact on nearly every aspect of society, and will continue to do so in the coming years. Many of today’s activities are increasingly dependent on information systems, electronic devices, and data networks – a trend which is leading to hyperconnectivity. At the same time, we are seeing new threats and vulnerabilities emerge, and as a result, security risks are increasing in number, frequency and impact.
Therefore, the ascendancy of technology in today’s societies, and the risks associated with its use, demonstrate the need to protect information and other assets at various levels and in various fields, not just for industries, companies and users, but also for countries. Legislation in several countries is requiring increased and improved security, based on objective moral and ethical criteria.
“We are seeing new threats and vulnerabilities emerge, and as a result, security risks are increasing in number, frequency and impact.”
The promulgation of laws relating to the scope of cybersecurity highlights the importance of implementing large-scale regulatory frameworks, which would contribute to reducing security incidents and preventing IT crime, all while developing and establishing a culture of cybersecurity. But despite the benefits that such legislation may bring to data security, the reality is that there are various tensions, positions and counterpoints, which mean that setting it up is not an easy task. In this section, we will look at some of the most significant legislation, in international terms, and some of the current and future challenges facing states, companies and users/ citizens around the world.
Cybersecurity: organization, collaboration and diffusion across the globe
We have recently seen the emergence of a trend towards new cybersecurity legislation across the world. Based on collaboration between public and private sectors to effect the exchange of information and the creation of national cybersecurity agencies, the aim is to develop tools to cope with the risks of the digital era and to legislate against cybercrime.
The EU recently adopted the NIS Directive for the security of information networks and systems, seeking the promotion of legislation encouraging member countries to be equipped and prepared to respond to incidents, by having a Computer Security Incident Response Team (CSIRT) and a national authority competent in this area.
The creation of a CSIRT network is intended to promote rapid and effective cooperation, the exchange of risk-related information, and the development of a culture of security among sectors vital to Europe’s economy and society, such as energy, transport, finance, health, and digital infrastructure. The new laws are aimed at encouraging the homogeneous development of cybersecurity capacities and at preventing incidents that threaten economic activities, infrastructure, the confidence of users, and the operation of systems and networks critical to each country.
“Through the use of information gathering, security checks and other protective measures, organizations and governments are able to coordinate intelligence and defensive actions.”
At the end of 2015, the United States Congress approved what is known as the Cybersecurity Act of 2015 to protect the country from cyberattacks responsibly and promptly, through a framework promoting the exchange of information between the private sector and the government about computer threats.
Under the act, information about a threat found on a system may be shared with the aim of preventing attacks or mitigating risks that may affect other companies, agencies or users. Through the use of information gathering, security checks and other protective measures, organizations and governments are able to coordinate intelligence and defensive actions.
In a recent report, a model was applied to determine cybersecurity capacity in Latin America and the Caribbean. This document highlights the importance of responsible disclosure of information in public and private sector organizations when a vulnerability is identified.
It also emphasizes the importance of legislative frameworks, investigation, the processing of electronic evidence, and the training of judges and prosecutors in the field of cybersecurity. Adherence to international conventions, such as the Budapest Convention, and being a signatory to cross-border agreements for cooperation, are other decisive factors. Similarly, adoption of best practices along with the use of security technologies are considered, for the formation of a “resilient cyber society”.
Another study seeking to ascertain the level of sophistication in cybersecurity, which focused on countries in the Asia-Pacific region, also considers legislation as a basic indicator of the security landscape. In 2016, several countries in this region launched new cybersecurity policies or strategies, and also updated existing standards, in order to adapt to new challenges and emerging issues.
For example, Australia has implemented a cybersecurity strategy, which provides for additional funds and has sought increased commitment from the private sector to engage with the country’s cyber policy. Other countries, like New Zealand, have launched national cybersecurity strategies, focusing on improving their resilience, international cooperation, and the ability to respond to cybercrime.
Challenges and implications of the enactment of laws relating to cybersecurity
The current status of risks presents the need for regulatory frameworks for security management – an increasingly popular organizational trend. Similarly, when we refer to legislation, we are referring to the application of standards on a large scale, with a view to cybersecurity regulation at the national level. Generally, legislation is quite effective when it comes to regulating behavior.
However, there are challenges to be overcome for effective application of the laws. For example, the Global Agenda Council Report on Cybersecurity presents the challenges faced by countries that have started to legislate in this area, based on the Budapest Convention. Nevertheless, these countries can enter into other global or regional conventions, and even take part in specific local initiatives.
Evidence suggests that, given the influence of technology and the habits it instils, implementation of legislation can impact various stakeholders ranging from technology companies to users themselves. These tensions lead to different conflicts and challenges, which we shall consider below.
Delay in the enactment of laws
Various considerations determine the creation of laws in different countries, so their promulgation depends on a multiplicity of factors; for example, political issues or other issues affecting local initiatives, or adherence to international agreements encouraging the same level of development for cross-border collaboration.
However, it is on account of these very conditions and characteristics that legislation is often postponed. For example, by 2016, almost half of the countries that had ratified their participation in the Budapest Convention had taken a decade or more to complete the ratification, due to – among other things – the delay in the development of their laws. Moreover, the Convention just focuses on certain legal aspects within the range of possibilities related to the scope of cybersecurity.
Laws falling behind in context and time
In connection with the previous point, it should also be considered that technology is advancing at a rapid rate; the development of standards may, therefore, fall far behind technological advances. Just as organizations continuously update their standards in response to evolving risks and new technologies, the law must be at the forefront when it comes to responding to present and emergent issues which may need to be regulated.
“Technology is advancing at a rapid rate; the development of standards may, therefore, fall far behind technological advances.”
Perhaps the way to rectify this disparity between technological innovation (and the risks it entails) and the enactment of appropriate legal measures, is to focus on regulating human behaviors, especially since technologies can become obsolete in a relatively short period. This may prove to be the most reliable way for regulation to be effective, but it is also important to note that this could lead to rising tensions in the future. An example of this might be trying to regulate the use of social networks, which are not supported by legislative enactment.
Technical and legal heterogeneity
We should also consider that countries’ methods differ in the ways they adhere to international or regional conventions, and these differences even determine specific initiatives for the development of their laws. Legal and technical disparities make it difficult to respond to, investigate, and rule on cybersecurity incidents, and inhibit international collaboration. For example, regional or bilateral initiatives are developed to meet specific needs, as is the case with the EU-US Privacy Shield, a framework seeking to protect the fundamental rights of anyone in the EU whose personal data are transferred to companies in the US. This, of course, does not take into account collaboration with other countries or regions.
Conflicts of laws and basic principles
In this same context, legislation is generally quite effective when it comes to regulating behavior. However, these laws can always be improved, particularly if we consider that there are projects which could undermine not only the principles on which the internet is based but even certain basic human rights. Based on the idea that the internet is free and has no physical borders, there are cases where although legislation is applied on a national level, constitutional or legal conflicts arise, mainly concerning the meanings and conceptions of privacy and freedom of expression. In this case, the eternal debate between privacy and security may come into play.
Limitations on the scope of application
Similarly, the absence of legislation or agreements on specific aspects of certain issues can undermine international collaboration, even within the same territory. Public and private sectors face a challenge when it comes to access to information for investigations, with implications for security, the right to privacy, and commercial interests, mainly of tech companies.
As an example, we have the well-known case between the FBI and Apple, in which a US judge requested the cooperation of the technology giant in order to unlock the iPhone of a terrorist involved in an attack, or the recent case in which a judge in Rio de Janeiro ordered the blocking of WhatsApp throughout Brazil and fines against Facebook. Such events clearly demonstrate the need for local and cross-border agreements to collaborate, which avoid conflicting interests.
Working towards the development and popularization of cybersecurity culture
The promulgation of laws relating to cybersecurity has enjoyed prominence at an international level for some years now, on account of the number, frequency, and impact of incidents recorded worldwide. Various initiatives regard legislation in this area as a fundamental factor that improves a country’s maturity.
The aim is therefore to have legal measures in place for protection at various levels and in various fields. To this end, legislators have also started to consider the requirements necessary for security in their countries, including their capacity to respond to large-scale incidents, the protection of their critical infrastructure, their ability to collaborate with other countries, and even to consider the development of a security culture which can be instilled in the population. Not to mention issues already recognized such as privacy, the protection of personal details, and cybercrime.
“The need to define rules for all stakeholders becomes clear, in order to make legislation truly effective.”
We are experiencing a growth in the development of new legislation that defines how a country’s assets are protected in the context of cybersecurity, as well as promoting cooperation and collaboration between the public and private sectors of each country, and also at an international level so as to thwart current and emerging information threats and attacks.
However, behind the obvious benefits of this new legislation lie challenges that need to be overcome in order for it to materialise. These include understanding the needs and conditions that exist in both the public and the private sectors, and of all stakeholders in their capacity as both users and citizens. Obstacles and limitations on collaboration may include a lack of trust, ineffective legislation, and differing interests between the various sectors.
In the light of these issues, the need to define rules for all stakeholders becomes clear – rules that are based on international, regional or national agreements and that consider all parties – in order to make legislation truly effective. Without doubt, there remains much to be done and it requires the collaboration between governments, private initiatives, the academic sector, and of course, users. In this way we work towards one common goal: working towards the development of a cybersecurity culture.
This article is an adapted version of the corresponding section from ESET’s 2017 trends paper, Security Held Ransom.