Chapter 1. Developing a Clear Set of Action Areas:
2. Public and International Policy
National strategy. Lack of national coordination can lead to redundant policy and legislation, thereby hindering economic growth and development. The research produced the following recommendations:
- Each nation connected to the Internet should have a comprehensive and transparent national cyber strategy that is integrated and harmonized with the strategies and procedures across all domestic and international policy.
- As each body and organization has a role, it is crucial that the strategies developed incorporate the private and civil sectors, as well as leverage economic and security issues, among other tools, to drive the adoption of initiatives. The focus on incentives driven by the government and independent providers should be enhanced.
- Finally, a competent institution is needed to be responsible for the successful implementation and rollout of the national strategy. An identifiable, responsible institution will offer transparency to stakeholders in the process. Not having a resource to consult often leads to challenges of ownership, function and action, the research highlighted.
End-to-end criminal justice system. “Institutions can take all the actions they want on their own. However, if there is no law-enforcement mechanism to pursue and prosecute perpetrators, then our actions are meaningless,” a chief information officer (CIO) observes in an interview. Indeed, law enforcement needs to have the capability and resources to investigate cybercrimes and to have an appropriate, comprehensive and agile legal code to support its investigative and prosecutorial activities. Cyber resilience is a complex matter that may not be entirely clear to everybody in the criminal justice system. As such, it is critical that legal advocates, either through further education or other training, understand the cyber resilience ecosystem well enough to carry out due process.
“Institutions can take all the actions they want on their own. However, if there is no law-enforcement mechanism to pursue and prosecute perpetrators, then our actions are meaningless.” – Chief information officer of a financial services organisation
Domestic policy. No clear consensus emerged in the Forum-McKinsey workshops and dialogues on the nature of public-sector action needed domestically. Based on the background and regulatory history of the participants, it seemed that different sectors had different views on the most beneficial action. As such, two key points are identified:
- Private, public and civil dialogue is needed to develop a coherent mix of policy and market mechanisms for use in the cyber ecosystem. Not taking a multistakeholder approach risks eliciting a mix of responses that could be weighted unevenly in one area, resulting in limited success.
- A rapidly changing cyber resilience landscape requires all government mechanisms to support the efforts of law enforcement and to be appropriately agile. It was emphasized during a December 2013 roundtable discussion of partners in Washington DC that a major impediment to potential public-sector actions would be a rigid set of codes that did not allow changes to a highly dynamic sector.
Foreign policy. “Cyberattacks have the potential to change the nature of warfare and international relations, almost past the level of the Cold War,” says the CIO of a European aerospace and defence company. It is clear that cyber events are changing the nature of interstate relations. As such, countries should establish a national cyber doctrine to define and express their positions on the use of cyber resilience tools and weapons for national purposes.
The workshops and dialogues showed that today different organizations are sharing information and cooperating on cyber actions. Communication, formal and informal, is essential among those investigating, prosecuting and enforcing laws on cybercrime. Making the process transparent can help to cut the confusion and lag in tracking and prosecution. In addition, each level of government is responsible for identifying competent authorities and for creating interoperability among national entities and sovereign legal codes. For businesses to continue to expand, better harmonization of national policies will be needed.
All these requirements reiterate the need for a multistakeholder approach to address cyber risks. A primary concern voiced by several institutions is the often-stark differences in requirements for different nations. This challenge can drastically affect the growth of international and local businesses.
Public good. For the public good, all stakeholders need to ensure that they contribute to and maintain an evolving and robust incident-response capability. This ranges from established programs for information-sharing and incident response such as CERT (Computer Emergency Readiness Team) to information training and development of human resources. Such a dynamic space demands an ever-evolving set of capabilities to match the changing pace of the threat. Maintenance includes possible funding for cyber resilience research and greater investment in cyber resilience technical education in order to foster a more cyber-aware workforce.