Chapter 1. Introduction
As in other areas affecting the Internet, government policy has an important role to play in the promotion of IT Security. There is a paradox, however: a sound public policy framework can enhance security, but ill-considered government regulation can do more harm than good. Technology is changing so rapidly and new cyber threats are emerging with such swiftness that government regulation can become a straitjacket, impeding the development and deployment of innovative responses. It is important therefore to achieve the right balance of regulatory and non-regulatory measures. In seeking that balance, policymakers should appreciate some defining characteristics of the Internet. Compared with earlier information and communications technologies, cyberspace is uniquely decentralized. The Internet’s power comes in part from the fact that it has no gatekeepers. Most functionality is at the edges rather than at the center of the network. Government cyber-security policies must take into account these features of the Internet. Within this context, there is a range of steps governments can take to improve computer security, without interfering with technical design decisions.108
While the picture varies from country to country, in most countries some or all components of the communications network and many of the critical infrastructures based on computer systems (banking, transportation, energy, manufacturing, etc.) are owned and operated by the private sector. Therefore, much of the responsibility for ensuring the security of these systems lies with the private sector.109 However, these systems are critical to the national well-being and are interdependent in ways that implicate broader public interests and justify government attention. Also, of course, the government has its own computer systems, including those that are crucial to national security, emergency services, health care, and other critical functions. These systems, in turn, often depend in part on privately owned communications networks. By and large, many of the computer systems of private companies and government agencies rely on the same hardware and software, designed and built by private companies. Thus, the picture is one of mutual interdependencies.
For all of these reasons, responsibility for computer security is shared between the government sector and the private sector. As a first priority, the government has a responsibility to “get its own house in order” – that is, to implement sound security practices for its own systems. In addition, it is universally recognized that the government should use the power of the criminal law to punish and deter intentional attacks on private sector as well as on government computers. Beyond that, a growing number of governments are concluding that they must undertake additional responsibilities to promote sound computer security practices in the private sector. The challenge is to adopt government policies that maximize the benefits of government involvement without stifling innovation through overbearing regulation and technology mandates. Within a framework of partnership, the solution can be found in a balanced approach that includes:
• Market forces that encourage private enterprises to address the security of their computer systems in order to protect their profitability;
• The government’s research and awareness-building functions;
• Computer crime laws protecting both government and privately-owned computers and networks;
• Traditional concepts of legal liability translated to the computer context; and
• Laws, regulations, and government policies that are specifically focused on promoting computer security.
The issue of cybersecurity policy can be viewed as one component of the larger issue of the role of law in fostering trust online. Creating an environment of trust in cyberspace requires the adoption of laws and government policies in other areas in addition to cyber-security. These other areas include consumer protection, data and communications privacy, intellectual property rights, and the framework for e-commerce. In the offline world, the law weaves a web of rules and protections around commercial and consumer transactions. Much of that same law applies to cyberspace, but countries seeking to promote development of ICT need to assess whether there are gaps in their laws that fail to promote trust in ways that are special to cyberspace. Indeed, countries eager to promote e-commerce may find that their laws for financial services, intellectual property, and consumer protection do not provide sufficient confidence or protection for offline transactions. The process of cyberlaw reform may occur as part of broader legal reforms. This Handbook focuses on those laws and policies that directly concern attacks on computer systems, leaving to other resources (some of which are cited in Part 3 and the Annexes) the questions of the broader enabling framework for ICT and e-commerce.110
108 The following discussion draws upon the detailed surveys compiled by the American Bar Association’s Privacy & Computer Crime Committee: Jody R. Westby, ed., International Guide to Combating Cybercrime, American Bar Association, Section of Science & Technology Law, Privacy & Computer Crime Committee, 2003 (Westby Guide), http://www.abanet.org/abapubs/books/cybercrime/; Jody R. Westby, ed., International Strategy for Cyberspace Security, American Bar Association, Section of Science & Technology Law, Privacy & Computer Crime Committee, 2003 (Westby Strategy). See also International Critical Information Infrastructure Protection Handbook, edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002) http://www.isn.ethz.ch/crn.
109 In some countries, privatization is quite recent, meaning that operators, regulators and policymakers are struggling with the new problem of security at the same time they are grappling with the full range of transitional problems associated with privatization.
This Part, while it discusses initiatives taken in developing and transitional countries, focuses in some detail on the programs and policies adopted by the most highly developed countries and by multi-national organizations. To a large degree, this is where the action has been to date. However, this focus on resources and models from developed countries and international bodies should not deter “the rest of the world.” It is important that all countries develop, promote, and implement the necessary framework for e-security. The budgetary and human resources available are of course different, and developing countries may have to approach the issues at a more basic level, but the principles outlined here are global in relevance. Cyberspace and cyber-insecurity are not limited by state boundaries.
The Concept of Critical Infrastructures
In a number of countries, the development of government responses to the problem of computer security has been conceptualized in terms of “critical infrastructures.” A critical infrastructure is some network of physical assets and operating systems that serves a function of critical importance to the economic or governmental well-being of a country. The financial services network, for example, is a critical infrastructure, consisting of all the private banks, the central bank, the securities exchange and commodities markets, the payment clearinghouses, and other entities involved in the flow of money and credit. In virtually every country in the world, these functions are dependent upon computers. The transportation network is another critical infrastructure, consisting of roads, bridges, canals, railroads, and airports. The transportation infrastructure is largely physical and mechanical, but it too is increasingly dependent on computers to operate traffic lights, to open and close bridges, to switch trains, and to control air traffic.
There is no common definition of critical infrastructure categories, and the list of “critical infrastructures” used by policymakers varies from country to country and from time to time. The U.S. government cyber-security strategy issued in February 2003 identifies thirteen critical infrastructure categories: 1) agriculture; 2) food; 3) water; 4) public health; 5) emergency services; 6) government; 7) defense industrial base; 8) information and telecommunications; 9) energy; 10) transportation; 11) banking and finance; 12) chemicals and hazardous material; and 13) postal and shipping.111 By comparison, Canada’s critical infrastructure protection strategy uses only six categories: 1) communications; 2) government, 3) energy and utilities; 4) services (within which Canada includes financial services, food distribution and health care); 5) safety; and 6) transportation.112 How a country defines “critical infrastructure” is not as important as the recognition of the concept itself.
The concept of critical infrastructures is important for several reasons. First, it can help crystallize why computer security is important: policymakers may better grasp the cyber-security problem if they understand that money will be frozen in banks, trains will not be able to leave their stations, and drinking water will not be pumped if certain computers fail. Second, infrastructure categories are important insofar as they help define lines of responsibility and communities of shared interest that need to work together to improve security. For example, the electric power industry and its government regulators can work together to good effect in addressing computer vulnerabilities of the electric power system. Computer security measures, including the identification of best practices and the sharing of information about vulnerabilities, can, to some extent, be developed and implemented within the context of existing institutions created along industry lines. In the private sector, these institutions include trade associations, standards bodies, and other self-regulatory bodies for various industries. On the government side, many nations implement their cybersecurity policies through existing ministries and regulatory agencies that were created along sectoral lines many years ago (such as those that have traditionally regulated the banking, telecommunications, and energy sectors).
110 The Global Internet Policy Initiative has a host of resources on the full range of policy issues affecting ICT development: http://www.internetpolicy.net.
111 The National Strategy to Secure Cyberspace [United States], February 2003 http://www.whitehouse.gov/pcipb/; http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.
112 Office of Critical Infrastructure Protection and Emergency Preparedness [Canada] http://www.ocipep.gc.ca/home/index_e.asp. For descriptions of how various other countries have responded to critical infrastructure protection, see "International Critical Information Infrastructure Protection Handbook," edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002) http://www.isn.ethz.ch/crn.
Currently there are a number of broad initiatives to stimulate a greater degree of cross-border cooperation in these areas. For example, in May of 2003, the G8 adopted eleven principles to consider when developing a strategy for reducing risks to critical information infrastructure: (See http://www.cybersecuritycooperation.org/documents/G8_CIIP_Principles.pdf.)
I. Countries should have emergency warning networks regarding cyber vulnerabilities, threats, and incidents.
II. Countries should raise awareness to facilitate stakeholders’ understanding of the nature and extent of their critical information infrastructures, and the role each must play in protecting them.
III. Countries should examine their infrastructures and identify interdependencies among them, thereby enhancing protection of such infrastructures.
IV. Countries should promote partnerships among stakeholders, both public and private, to share and analyze critical infrastructure information in order to prevent, investigate, and respond to damage to or attacks on such infrastructures.
V. Countries should create and maintain crisis communication networks and test them to ensure that they will remain secure and stable in emergency situations.
VI. Countries should ensure that data availability policies take into account the need to protect critical information infrastructures.
VII. Countries should facilitate tracing attacks on critical information infrastructures and, where appropriate, the disclosure of tracing information to other countries.
VIII. Countries should conduct training and exercises to enhance their response capabilities and to test continuity and contingency plans in the event of an information infrastructure attack and should encourage stakeholders to engage in similar activities.
IX. Countries should ensure that they have adequate substantive and procedural laws, such as those outlined in the Council of Europe Cybercrime Convention of 23 November 2001, and trained personnel to enable them to investigate and prosecute attacks on critical information infrastructures, and to coordinate such investigations with other countries as appropriate.
X. Countries should engage in international cooperation, when appropriate, to secure critical information infrastructures, including by developing and coordinating emergency warning systems, sharing and analyzing information regarding vulnerabilities, threats, and incidents, and coordinating investigations of attacks on such infrastructures in accordance with domestic laws.
XI. Countries should promote national and international research and development and encourage the application of security technologies that are certified according to international standards.
Computer security is characterized by interrelationships across sectors, including similar or identical hardware and software and dependency on a common communications network. Therefore, governments must design policies that ensure sharing of information about vulnerabilities and solutions across infrastructure categories. This can be greatly facilitated by the designation of centralized leadership within the government to coordinate cyber-security policies and programs; we will return to this point later.