Chapter 3

An Overview of Related World Views of Cyber Security

Abstract

This chapter will provide a short overview of world views of cyber security broken down by regions of the world. We live in an interconnected world of computer networks, all having the ability to positively and negatively affect those attached to them.

Therefore, the purpose of providing these global views is so the cyber security officer has an overview of what others are thinking and doing to protect parts of the global information infrastructure (GII) and how that may affect the cyber security officer’s responsibilities as they relate to his or her part of the GII, national information infrastructure (NII), and related networks.

As with any subject matter these days, a search of the Internet will find more information than you ever wanted to know on a topic. This topic is no different. Therefore, it is not the intent to provide everything you always wanted to know on what the United Nations and other entities are doing but, as the chapter title says, provide an “overview” of what others are thinking and doing vis-à-vis cyber security.

Remember that in today’s world of global corporations, the cyber security officer may have to follow the cyber security policies and procedures in the various nations where his or her corporation does business. So, as a cyber security officer, it is crucial that you understand such laws, rules, regulations, etc., and work with your corporation’s legal staff to be sure that any issues identified relative to these matters are addressed.

Keywords

Africa; Asia; Canada; Comprehensive National Cyber security Initiative (CNCI); Department of Homeland Security’s (DHS’s); European Union (EU); International Telecommunications Union (ITU); South America; Trusted Internet Connections (TIC); United States

The world is a dangerous place to live; not because of the people who are evil, but because of the people who don’t do anything about it.1

Albert Einstein

Chapter Objective
This chapter will provide a short overview of world views of cyber security broken down by regions of the world. We live in an interconnected world of computer networks, all having the ability to positively and negatively affect those attached to them.
Therefore, the purpose of providing these global views is so the cyber security officer has an overview of what others are thinking and doing to protect parts of the global information infrastructure (GII) and how that may affect the cyber security officer’s responsibilities as they relate to his or her part of the GII, national information infrastructure (NII), and related networks.
As with any subject matter these days, a search of the Internet will find more information than you ever wanted to know on a topic. This topic is no different. Therefore, it is not the intent to provide everything you always wanted to know on what the United Nations (UN) and other entities are doing but, as the chapter title says, provide an “overview” of what others are thinking and doing vis-à-vis cyber security.
Remember that in today’s world of global corporations, the cyber security officer may have to follow the cyber security policies and procedures in the various nations where his or her corporation does business. So, as a cyber security officer, it is crucial that you understand such laws, rules, regulations, etc., and work with your corporation’s legal staff to be sure that any issues identified relative to these matters are addressed.

Evolution of Laws, Standards, Policies, and Procedures

In general, the evolution of laws followed the evolution of “civilization” (some argue that we have yet to be truly “civilized”) from primitive to feudal to agricultural to industrial to today’s information age, and some say that a few nations are beginning to enter the knowledge age.
Cyber security-related laws, standards, policies, and procedures have, as can be expected, evolved as the threats, vulnerabilities, and risks to computers, systems, networks, the NII, the GII, and their related information have evolved. However, they seem to have always been updated as a reaction to attacks and not using a proactive approach. In addition, even when a nation-state, for example, the United States, passes cyber security-related laws and policies, they do not seem to be followed.
The January 1, 2015, report revealed and concluded that the Department of Homeland Security’s (DHS’s) cyber security practices and programs are so bad, the DHS fails at even the basics of computer security and is “unlikely” to be able to protect both citizens and government from attacks.2
Of course such things as the Cold War, political revolutions, economic revolutions, revolutions in military affairs, human evolution and revolution, and revolutions in technology all continue to have major impacts on the need and demand for new laws, standards, policies, and procedures. This will obviously continue as various evolutions and revolutions continue.
In this overview, this topic will be broken down as follows:
• Global via the UN,
• European Union (EU),
• Asia,
• South America,
• Africa,
• Canada,
• United States.

Global via the UN

The UN appears to be heavily involved in cyber security-related matters regarding associations, committees, treaties, and the like. This is of course logical since cyber security is a global problem and needs global solutions. After all, if some cyber criminal in a foreign nation commits a cyber crime in another nation, the victim nation must have a way to bring the criminal to justice. If the criminal resides in a nation without an extradition treaty with the victim nation, and especially one that does not have any cyber laws, the chance of that criminal being brought to justice runs from slim to none, as they say.
The UN system’s collective engagement in addressing cyber threats is critical. The International Telecommunications Union (ITU) is leading the call for stakeholders to work together to set international policies and standards and to build an international framework for cyber security.3
What view you may have of the UN in general will of course taint your view of their efforts relating to cyber security. For example, are they trying to set the “laws” for the world? Do they want to control the Internet, maybe in a manner used by the UN Security Council, with permanent members such as Russia and China, as well as rotating members, for example, Saudi Arabia, Libya?
How will such a structure affect the freedom of the world’s users? Some may rejoice in such a move but others may cringe at the idea, fearing the loss of freedom that in general the Internet now provides. Even the United States has designs on more control. In fact, all government agencies around the world for the most part cannot stand to have their citizens be free to live, speak their minds, and write whatever they want without some government controls, and certainly that applies to the citizens of the world’s use of the Internet.
We all must be on guard when our Internet—yes it is ours, the users’—and other networks are to be controlled by laws, standards, rules, regulations, policies, and procedures in the name of protecting us through cyber security-related controls. Yes, some controls are needed to avoid chaos and rampant carnage of information stolen, destroyed, and such. However, we must all be vigilant when presented with controls for “our own good.” Unfortunately most people would probably prefer a little more security, sacrificing some freedoms, but when is enough enough? Will we realize it only when it is too late?
So, what has the UN been up to as relates to cyber security matters? A search of the UN’s website disclosed the following result of a Special Event on Cyber Security and Development, December 9, 2011, 10:00 a.m. to 1.00 p.m., ECOSOC Chamber, UN, New York, which provides an overview.
As a cyber security officer, you should search online for the most current UN, nation-state, and regional associations dealing with cyber security and, as used here, get an understanding of what is happening on a global basis when it comes to cyber security matters. After all, as a cyber security officer, you probably work in a global environment and, like it or not, your networks are connected to the world and, as we all know, the world is not a safe place, and that goes for our global, information- and networked-based environment.
Even as far back as 2011, which is a lifetime in cyber security, the UN stated that:

Cyber security is one of the greatest issues of our times, and it will continue to grow in importance. It is our collective duty to ensure that ICTs are safe and secure so that the 7 billion people of this planet can reap the benefits of ICTs. Today, everything is dependent on ICTs and we are all vulnerable—cyber security is a global issue that can be solved only with global solutions. Cyber security is an area that affects each and every agency and program of the UN. As we push forward the UN agenda for peace and security, we must remember that cyber security is part of this. The UN system’s collective engagement in addressing cyber threats is critical. The ITU is leading the call for stakeholders to work together to set international policies and standards and to build an international framework for cyber security.

As with the suggestion of online research on cyber security matters related to the UN, the same applies for all other areas of the world as shown below. This is important as probably at one time or another, whether you are a cyber security officer for a government agency or a corporation or association, or just an Internet user, you are likely to be connected in one form or another outside your own country. In fact, these days that is pretty much a certainty.
So, what happens in another part of the world may have an adverse impact on you personally, your association, your business, or your government agency.

The EU

The following provides some insight into the direction that the EU and United States are going. Note that this was the first meeting and was just held in December of 2014. The question is, “What’s taken them so long to meet?”
On December 5, 2014, an EU and U.S. cyber security-related meeting was held in Brussels. The purpose of the meeting was to discuss foreign policy related to the cyber environment and of course cyber security, as quoted below:4

International Security in Cyberspace

The participants welcomed the landmark consensus of the 2012–2013 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, including its affirmation of the applicability of existing international law to cyberspace.

Internet Governance Developments in 2015

The two sides reiterated that no single entity, company, organisation or government should seek to control the Internet, and expressed their full support for multi-stakeholder governance structures of the Internet that are inclusive, transparent, accountable and technically sound….

U.S.–EU Cyber Security-Related Cooperation

They would work through their EU–U.S. working group on cyber security and cyber crime. Their cooperation would encompass issues related to raising awareness, “cyber incident management,” cyber issues related to sex offenders, cooperation to fight cyber crime, and working with other Internet organizations that share mutual interests.

Asia

The following provides an Asian overview of cyber security as it relates to the Association of Southeast Asian Nations5
The Octopus Conference: Cooperation against Cybercrime was held on December 4, 2013, in Strasbourg, France,6 and included a statement entitled “Statement on Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyber Space, Kuala Lumpur, July 28, 2006.” The statement included:

… endeavor to enact and implement cyber crime and cyber security laws in accordance with their national conditions and by referring to relevant international instruments and recommendations/guidelines for the prevention, detection, reduction, and mitigation of attacks to which they are a party.

They also agreed to address criminal, terrorist, and other issues associated with cyber security and use of the Internet.
That included the following.
1. Acknowledge the importance of a national framework for cooperation and collaboration in addressing criminal, including terrorist, misuse of cyber space and encourage the formulation of such a framework.
2. Agree to work together to improve their capabilities to adequately address cyber crime, including the terrorist misuse of cyber space.
3. Commit to continue working together in the fight against cyber crime, including terrorist misuse of cyber space, through activities aimed at enhancing confidence among the various national Computer Security Incident Response Teams (SIRIs), as well as formulating advocacy and public awareness programs.

South America

Symantec and the Organization of American States (OAS) Secretariat of Multidimensional Security (SMS) and the Inter-American Committee against Terrorism (CICTE) released a report analyzing cybersecurity trends and government responses in Latin America and the Caribbean.7
The co-sponsored report explores various cybersecurity trends including the overall increase in data breaches:
• Rise of Ransomware and Cryptolocker
• ATM fraud
• Social media and mobile computing vulnerabilities
• Malware
• Spam
• Spear phishing

Africa

African Union adopts framework on cyber security and data protection8 8:30am | 22 August 2014 | by Access Policy Team,

Without much media attention, the heads of state of the African Union (AU) agreed to a landmark convention this summer affecting many aspects of digital life.

In June, leaders in the AU, a group of 54 African governments launched in 2002, met at the 23rd African Union Summit and approved the African Union Convention on Cyber Security and Personal Data Protection.

The Convention covers a very wide range of online activities, including electronic commerce, data protection, and cybercrime, with a special focus on racism, xenophobia, child pornography, and national cybersecurity …

Canada9

In Canada, they developed a three-pillar strategy as follows:
• Securing government systems
• Partnering to secure vital cyber systems outside the federal Government
• Helping Canadians to be secure online

United States

The United States has developed the “Comprehensive National Cybersecurity Initiative,”10 which is described below.

President Obama has identified cyber security as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure.

In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator, who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cyber security, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents, strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity, invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time, and begin a campaign to promote cyber security awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the twenty-first century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans.

The activities under way to implement the recommendations of the Cyberspace Policy Review build on the Comprehensive National Cybersecurity Initiative (CNCI) launched by President George W. Bush in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) in January 2008. President Obama determined that the CNCI and its associated activities should evolve to become key elements of a broader, updated national U.S. cyber security strategy. These CNCI initiatives will play a key role in supporting the achievement of many of the key recommendations of President Obama’s Cyberspace Policy Review.

The CNCI consists of a number of mutually reinforcing initiatives with the following major goals designed to help secure the United States in cyberspace:

To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the federal government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
To strengthen the future cyber security environment by expanding cyber education, coordinating and redirecting research and development efforts across the federal government, and working to define and develop strategies to deter hostile or malicious activity in cyberspace.

In building the plans for the CNCI, it was quickly realized that these goals could not be achieved without also strengthening certain key strategic foundational capabilities within the government. Therefore, the CNCI includes funding within the federal law enforcement, intelligence, and defense communities to enhance such key functions as criminal investigation; intelligence collection, processing, and analysis; and information assurance critical to enabling national cyber security efforts.

The CNCI was developed with great care and attention to privacy and civil liberties concerns in close consultation with privacy experts across the government. Protecting civil liberties and privacy rights remains a fundamental objective in the implementation of the CNCI.

In accord with President Obama’s declared intent to make transparency a touchstone of his presidency, the Cyberspace Policy Review identified enhanced information sharing as a key component of effective cyber security. To improve public understanding of federal efforts, the Cybersecurity Coordinator has directed the release of the following summary description of the CNCI.

CNCI Initiative Details

Initiative 1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections (TIC). The TIC initiative, headed by the Office of Management and Budget and the DHS, covers the consolidation of the federal government’s external access points (including those to the Internet). This consolidation will result in a common security solution, which includes facilitating the reduction of external access points, establishing baseline security capabilities, and validating agency adherence to those security capabilities. Agencies participate in the TIC initiative either as TIC access providers (a limited number of agencies that operate their own capabilities) or by contracting with commercial Managed Trusted IP Service providers through the GSA-managed Networx contract vehicle.

Initiative 2. Deploy an intrusion detection system of sensors across the federal enterprise. Intrusion detection systems using passive sensors form a vital part of U.S. government network defenses by identifying when unauthorized users attempt to gain access to those networks. The DHS is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow of information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. government networks for malicious activity using signature-based intrusion detection technology. Associated with this investment in technology is a parallel investment in manpower with the expertise required to accomplish the DHS’s expanded network security mission. EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data. Owing to the capabilities within EINSTEIN 2, US-CERT analysts have a greatly improved understanding of the network environment and an increased ability to address the weaknesses and vulnerabilities in federal network security. As a result, US-CERT has greater situational awareness and can more effectively develop and more readily share security-relevant information with network defenders across the U.S. government, as well as with security professionals in the private sector and the American public. The DHS’s Privacy Office has conducted and published a Privacy Impact Assessment for the EINSTEIN 2 program.

Initiative 3. Pursue deployment of intrusion prevention systems across the federal enterprise. This initiative represents the next evolution of protection for civilian departments and agencies of the federal Executive Branch. This approach, called EINSTEIN 3, will draw on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks. The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cyber security analysis, situational awareness, and security response. It will have the ability to automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense. EINSTEIN 3 will assist the DHS US-CERT in defending, protecting, and reducing vulnerabilities of federal Executive Branch networks and systems. The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with federal departments and agencies by giving the DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by the DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions. This initiative makes substantial and long-term investments to increase national intelligence capabilities to discover critical information about foreign cyber threats and use this insight to inform EINSTEIN 3 systems in real time. The DHS will be able to adapt threat signatures determined by the NSA in the course of its foreign intelligence and Department of Defense information assurance missions for use in the EINSTEIN 3 system in support of the DHS’s federal system security mission. Information sharing on cyber intrusions will be conducted in accordance with the laws and oversight for activities related to homeland security, intelligence, and defense to protect the privacy and rights of U.S. citizens.

As of this writing, the DHS is conducting a exercise to pilot the EINSTEIN 3 capabilities described in this initiative based on technology developed by the NSA and to solidify processes for managing and protecting information gleaned from observed cyber intrusions against civilian Executive Branch systems. Government civil liberties and privacy officials are working closely with the DHS and US-CERT to build appropriate and necessary privacy protections into the design and operational deployment of EINSTEIN 3.

Initiative 4. Coordinate and redirect research and development (R&D) efforts. No single individual or organization is aware of all of the cyber-related R&D activities being funded by the government. This initiative is aimed at developing strategies and structures for coordinating all cyber R&D sponsored or conducted by the U.S. government, both classified and unclassified, and redirecting that R&D where needed. This initiative is critical to eliminate redundancies in federally funded cyber security research and to identify research gaps, prioritize R&D efforts, and ensure the taxpayers are getting full value for their money as we shape our strategic investments.

Initiative 5. Connect current cyber operations centers to enhance situational awareness. There is a pressing need to ensure that government information security offices and strategic operations centers share data regarding malicious activities against federal systems, consistent with privacy protections for personally identifiable and other protected information and as legally appropriate, to have a better understanding of the entire threat to government systems and to take maximum advantage of each organization’s unique capabilities to produce the best overall national cyber defense possible. This initiative provides the key means necessary to enable and support shared situational awareness and collaboration across six centers that are responsible for carrying out U.S. cyber activities. This effort focuses on key aspects necessary to enable practical mission bridging across the elements of U.S. cyber activities: foundational capabilities and investments, such as upgraded infrastructure, increased bandwidth, and integrated operational capabilities; enhanced collaboration, including common technology, tools, and procedures; and enhanced shared situational awareness through shared analytic and collaborative technologies.

The National Cybersecurity Center within the DHS will play a key role in securing U.S. government networks and systems under this initiative by coordinating and integrating information from the six centers to provide cross-domain situational awareness, analyzing and reporting on the state of U.S. networks and systems, and fostering interagency collaboration and coordination.

Initiative 6. Develop and implement a government-wide cyber counterintelligence (CI) plan. A government-wide cyber CI plan is necessary to coordinate activities across all federal agencies to detect, deter, and mitigate the foreign-sponsored cyber intelligence threat to U.S. and private sector information systems. To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase CI collaboration across the government. The Cyber CI Plan is aligned with the National Counterintelligence Strategy of the United States of America (2007) and supports the other programmatic elements of the CNCI.

Initiative 7. Increase the security of our classified networks. Classified networks house the federal government’s most sensitive information and enable crucial war-fighting, diplomatic, counterterrorism, law enforcement, intelligence, and homeland security operations. Successful penetration or disruption of these networks could cause exceptionally grave damage to our national security. We need to exercise due diligence in ensuring the integrity of these networks and the data they contain.

Initiative 8. Expand cyber education. While billions of dollars are being spent on new technologies to secure the U.S. government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success. However, there are not enough cyber security experts within the federal government or private sector to implement the CNCI, nor is there an adequately established federal cyber security career field. Existing cyber security training and personnel development programs, while good, are limited in focus and lack unity of effort. To effectively ensure our continued technical advantage and future cyber security, we must develop a technologically skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950s, to meet this challenge.

Initiative 9. Define and develop enduring “leap-ahead” technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cyber security by orders of magnitude above current systems and that can be deployed within 5–10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cyber security problems. The federal government has begun to outline Grand Challenges for the research community to help solve these difficult problems that require “out-of-the-box” thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas.

Initiative 10. Define and develop enduring deterrence strategies and programs. Our nation’s senior policy makers must think through the long-range strategic options available to the United States in a world that depends on ensuring the use of cyberspace. As of this writing, the U.S. government has been implementing traditional approaches to the cyber security problem—and these measures have not achieved the level of security needed. This initiative is aimed at building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for the private sector and international partners, and developing appropriate responses for both state and nonstate actors.

Initiative 11. Develop a multipronged approach for global supply chain risk management. Globalization of the commercial information and communications technology marketplace provides increased opportunities for those intent on harming the United States by penetrating the supply chain to gain unauthorized access to data, alter data, or interrupt communications. Risks stemming from both the domestic and the globalized supply chain must be managed in a strategic and comprehensive way over the entire life cycle of products, systems, and services. Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the life cycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices. This initiative will enhance federal government skills, policies, and processes to provide departments and agencies with a robust tool set to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.

Initiative 12. Define the federal role in extending cyber security into critical infrastructure domains. The U.S. government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This initiative builds on the existing and ongoing partnership between the federal government and the public and private sector owners and operators of critical infrastructure and key resources (CIKR). The DHS and its private sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already under way. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public–private sharing of information regarding cyber threats and incidents in both government and CIKR.

Summary

The above provides a short overview of what is being considered and implemented throughout the world. The important point is this: all the nation-states of the world that are depending on technology, to whatever degree, are at least talking about cyber security-related matters and many are at least trying to start to address the issues of cyber security, cyber terrorism, and cyber crime. They also seem willing to cooperate to address the issues, as the issues are as global as are the networks.
It is recommended that the cyber security officer identify all the businesses that the corporation is connected to and the nation-states that they are in and conduct research and analyses to see what they are doing as it relates to cyber security and how it affects his or her corporation.
This is just the start, but at least it gives the cyber security officer a basic understanding of the state of cyber security throughout the world. Also, the nation-states that are censoring users should also be evaluated. Furthermore, take it for granted that nation-states are monitoring your transmissions into their country and may be censoring them.
Working with corporate management, the legal staff, and the audit staff, the cyber security officer should identify key issues related to the protection of the corporation’s information in foreign countries. A project plan should then be developed and implemented to conduct risk analyses related to that connectivity. Furthermore, the cyber security officer should meet with his or her counterparts in those nation-states and establish a line of communication to address issues of mutual concern.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.223.106.79