Cybersecurity-Related Standardization Initiatives in the EU and the U.S.:

ITU Regional Workshop on
Bridging the Standardization Gap
(Yangon, Myanmar, 28-29 November 2013)
Cybersecurity-Related Standardization
Initiatives in the EU and the U.S.:
Lessons for Developing Countries
Nir Kshetri
Professor, The University of North
Carolina—Greensboro
[email protected]
Yangon, Myanmar, 28-29 November 2013
The EU and US cybersecurity strategies (CSS)

EU CSS
  Strategy document: EC's CSS and a proposed directive on network/information security
  Released/signed: February 7, 2013
  Key agencies to implement / roles: ENISA
    - Assist the Member States in developing cyber resilience capabilities
    - Examine the feasibility of ICS-CSIRTs
    - Support cyber incident exercises to test preparedness / cope with cyber-disruptions

US EO
  Strategy document: US Executive Order (EO)
  Released/signed: February 12, 2013
  Key agencies to implement / roles:
    - NIST: develop a CS framework, finalizing voluntary standards and procedures to help companies address CS risks.
    - Pentagon: recommend whether CS standards should be considered in contracting decisions.

Source: Kshetri & Murugesan (2013).
Constraints / next steps
  EU CSS
    - The European Parliament needs to approve it.
    - Member States have to write it into national legislation.
  US EO
    - Weak legal footing: it cannot compel firms to comply; only legislation can do that.

Vision/priorities
  EU CSS
    - Achieving cyber resilience
    - Reducing cybercrime
    - Developing cyber defense policy and capabilities related to the Common Security and Defense Policy (CSDP)
    - Developing industrial and technological resources for CS
    - Establishing a coherent international cyberspace policy / promoting core EU values
  US EO
    - Combat cyberattacks and cyber-espionage on government agencies and critical sectors such as banking, power and transportation industries and U.S. companies.
Key Concerns

EU CSS
  - Appropriateness of pan-European rules
  - Compliance costs: concerns of the private sector about confidentiality, extra costs and possible damage to reputation.
  - Obligation to report cyberattacks: "vague" / little to protect EU citizens' data stored outside the EU
  - Misdirection of funds away from the police into intelligence agencies

US EO
  - Voluntary standards may turn into mandatory regulations (de facto requirements).
  - Too much focus on information sharing / little to address problems related to insecure systems.
  - Firms outside of critical infrastructure: the EO does little to enhance CS.
Effects on the Private Sector

EU CSS
  - Further development of European PPP for resilience / cooperation / information sharing with public authorities.
  - Investment in CS / development of best practices: TDL and other initiatives.
  - Robust, user-friendly security features in products/services.
  - Cloud providers: reduce reliance on foreign suppliers.
  - Member States: compel firms (transport, telecoms, finance, energy, health, online infrastructure) to disclose details of cyberattacks to the national CERT.

US EO
  - Defense and intelligence agencies would share classified cyberthreat data with companies.
  - Incentives to follow security standards.
  - Companies are not required to publicly disclose breaches unless identifying information (e.g., credit card or Social Security numbers) is involved.
Effects on Privacy and Security Interests of Consumers

EU CSS
  - Defensible and preferable in promoting the privacy and security interests of consumers.

US EO
  - White House: shared information would be limited to cyberthreats and would not contain the contents of private emails.
  - The flow of data is one-way: private-sector firms are not required to release information about clients.
  - Better protects privacy than CISPA (ACLU): a "privacy-neutral way to distribute critical cyber information".
Discussion of EU and US CSS

- Both are incomplete and lack teeth and legitimacy.
- Companies' failure to spend sufficient resources/efforts to protect networks. Bloomberg Government study: to prevent 95% of potential cyberattacks, 172 organizations need to spend $47b, 774% higher than current spending.
- Absence of regulatory requirements: no incentive to spend on cybersecurity.
Discussion of EU and US CSS (continued)

- Both fail to acknowledge the lack of CS professionals.
  - The U.K.'s National Audit Office: 20 years to bridge the CS skills gap.
  - NIST: > 700,000 new CS professionals needed in the U.S. by 20
- Both are inward-oriented.
  - Huawei: importance of working globally.
  - US-China Business Council: asked the US and Chinese governments to work together.
Lessons for Developing Countries

- Sound cybersecurity standard / regulatory framework: participation of governments, business, the IT industry, law enforcement agencies and the public.
- Common goal: cyberspace safe and secure, leaving their
- Working with other national governments and political parties: beyond vested national or political party interests.
Conclusions and Recommendations

- Increasing importance of CSS for developing countries:
  - National security, economic growth, trade and investment politics, international relations and other implications
  - Higher degree of vulnerability
  - Manpower challenges a higher concern