National Association of Attorneys General
Cybersecurity: A Multinational Group's Collaborative Approach
Patricia Agostinho, Prosecutor General's Office, Portugal; Louise Manukian, Prosecutor General's Office, Armenia; Rob Shapiro, Office of the Attorney General of Colorado; Olga Vysotskaya, Office of the Attorney General of North Carolina; and Haim Wismonsky, Prosecutor General's Office, Israel
This is the first of four cybercrime articles to appear in NAAGazette. They are the work of attorneys who participated in the June 2013 National Attorneys General Training and Research Institute (NAGTRI) International Fellows Program.
Cybersecurity has become a fundamental necessity involving interrelated legal, economic and national security considerations. Sovereign nations and their citizens stand at the crossroads of history because the use, and misuse, of information is both a shield and a sword in the global ability to function in a safe and secure manner. The following assumptions are uncontroverted:
- Cybersecurity is an international issue affecting national security;
- The cyberspace threat is real and immediate;
- Cyberspace is vulnerable, and since financial institutions are dependent on the Internet and the flow of online data, the compromise of financial systems poses a significant risk to the global economy.
Our discussion of cybersecurity relies liberally on Harvard Law School Professor and Center for Internet and Society Founder Lawrence Lessig's seminal framework consisting of four pillars which influence our online behavior and provide our security and freedoms. It is our position that in order to live, work and thrive in the 21st century cyberspace world, the global community should embrace:
- The role of law to protect against cyberspace vulnerabilities;
- The development of technologies to safeguard against present and emerging threats;
- A multifaceted economic toolkit to encourage and enhance the private and public sector's cyberspace environments; and
- An awareness of the social values and ethics of good cyberspace citizenship.
Contemporary cyberspace challenges are analyzed in this report through the lenses of the above framework. We begin our analysis with the task of defining cybersecurity, and conclude by identifying legal measures for a proactive cybersecurity environment designed to thwart cybercrime.
Definition of Cybersecurity and Identification of the Threat
A widely accepted definition of cybersecurity is difficult to achieve. Our efforts have led us to a broader concept. Thus, the definition of cybersecurity includes, but is not limited to, measures aimed at the protection of vulnerable national security targets, the financial industry, critical infrastructures and individual interests in cyberspace from potential compromises by cyberspace criminals and terrorists.
Cybersecurity should be viewed as proactive, compared to the "traditional" reactive criminal investigative model. Simply defining cybersecurity does not address the issue of how to safeguard our increasingly vulnerable cyberspace. There must be a comprehensive public and private partnership aimed at understanding, accounting for and acting against the threats to critical infrastructures, financial institutions and online personal data.
The Need for Global Cooperation for Improving Cybersecurity
According to the 2010 Council on Foreign Relations' (CFR) Special Report 56, "Internet Governance in the Age of Cyber Insecurity," the global damage from access to critical data by unauthorized individuals and entities is estimated to be at least $1 trillion. An example of such a cyberspace threat took place in 2007, when a cyberspace attack against Estonia compromised its critical infrastructure for more than one week. Another example occurred in the former Soviet Republic of Georgia in 2008, when a large Distributed Denial of Service ("DDoS") attack was launched contemporaneously with an invasion by Russian ground forces.
When policy makers, law enforcement agencies and technology experts are tasked with safeguarding our security and freedoms, they are better positioned to confront the challenges impacting the foundations of the Internet. The CFR's three guiding principles, listed below, are viable components of a proactive global framework to safeguard against cyberspace threats. These three principles are:
- Using networked and distributed approaches to overcome networked and distributed challenges;
- Deterring countries engaging in intentional destructive cyberspace behavior, or those employing a "blind eye" to the actions of their citizens engaging in intentional cyberspace attacks; and
- Encouraging countries possessing a greater awareness of cybersecurity issues to "lead by example" and ensure the impenetrability of their networks from unauthorized attacks. These countries must work with other governments to implement a combined legal and technological approach against cyberspace threats.
The Four Pillars of Cybersecurity
The Role of Law
The law can shape cybersecurity, as penal codes can define newer cybercrimes, while government policies and procedures can encourage the private sector to improve its cybersecurity. Our primary goal in this article is to address the role of law in advancing cybersecurity. To that extent, the legal system should acknowledge cyberspace vulnerabilities and be proactive in confronting cyberspace challenges. By working with technology experts, legislatures can enact laws to counter emerging cyberspace threats.
The Role of Preventive Technological Measures
Preventive measures have always played a role in crime mitigation. For example, erecting a fence on the premises reduces the number of property crimes, and mandating seat belts in all new vehicles as well as their use has led to a decrease in motor vehicle injuries. Preventive measures must also be embedded in cyberspace technology, and the law must encourage these defensive actions.
Examples of such measures include, but are not limited to: (1) encrypting stored electronic data and Internet communications, in addition to locking government and business computers and mobile devices; (2) installing a firewall or anti-virus software; (3) encouraging the use of virtual private networks (VPNs) for transmission of critical information; and (4) requiring geotracking features on all government and business mobile devices.
The Role of Economic Interests
The private sector can strengthen cybersecurity by providing special education and training for cybersecurity specialists in information technology (IT) departments. If a private entity lacks the self-discipline to police itself based on market demands, government incentives or legislation may be necessary to achieve stronger cybersecurity. These cybersecurity measures may differ by country or even sector. For example, the banking sector may require different measures than those of the retail market. Further, government can provide economic incentives, such as through a tax credit system for investments in cybersecurity devices and applications, or in cooperation with the insurance industry, offering favorable premium policies for the reporting and repair of security breaches by businesses. Another incentive could be restricting government contracting to those businesses that implement good cybersecurity practices.
The Role of Social Values and Ethics
Cybersecurity can also be considered an educational matter. Internet users should improve their cyberspace citizenship. In addition, the government should foster public awareness of cybersecurity threats, potentially including cyberspace ethics as part of school curriculums and workplace education. Government-supported public awareness campaigns could include mass transit and billboard advertising and public service announcements on radio and TV.
What Legal Measures Can Be Used to Strengthen Cybersecurity?
Our group found the following legal initiatives to be appropriate and effective:
- Breach notification legislation requiring Internet service providers to notify the public of each serious cyberspace breach or attack.
- Legislation standardizing the use of Cyber Emergency Recovery Teams (CERTs) by governments and international agencies. Each CERT should focus on protecting its assigned network and cooperate with its private sector and international counterparts. The success of CERTs depends on information sharing and availability of government support.
- Legislation or rule making aimed at accrediting and standardizing the profession of cybersecurity to ensure professionalism and integrity.
- Establishing a centralized data protection regulating body or commissioner in each country responsible for development and implementation of standards for protecting personal information.
- Increased liability of business entities for failure to meet data protection standards by creating responsibility for losses incurred by consumers and investors due to cyberspace attacks.
- Encouragement of proactive law enforcement investigative techniques, such as sting operations and undercover agents.
Other Legal Considerations
We recognize the task of safeguarding cyberspace is not without limits. The following competing legal issues should also be considered:
- The government should not compromise the constitutional rights of privacy, freedom of speech and property rights in computer data and infrastructure under the guise of cybersecurity protection.
- The jurisdictional limits of international law should not be neglected. For example, the response of a nation that has undergone a cyberspace attack could be viewed as a reasonable law enforcement action or, alternatively, an act of war. If the response is determined to be an act of war, the attacked country may lawfully operate against servers located abroad, whereas if considered to be a law enforcement act, the attacked country might be restrained from acting unilaterally against foreign servers.
A solid framework for comprehensive cybersecurity is arguably the greatest necessity of the 21st century. The increase in debilitating cyberspace attacks is a battlefield rife with national security risks and law enforcement and intelligence challenges, requiring creative approaches in order to safeguard the world's most valuable commodity - information. It is our opinion that the combination of diverse government and international cybersecurity resources, the best practices of the private sector, and modification of end-users' lax security habits and behavior could thwart evolving cyberspace challenges.
Encryption ensures that intercepted or captured data is not decipherable to a perpetrator, thus deterring attacks on the encrypted systems.