Reference architecture for public-private collaboration
In contextualizing cybersecurity policy, 14 key policy topics dot the policy landscape.
- Research, data and intelligence sharing
  • What is the government’s role in sharing and promoting the dissemination of threat intelligence?
  • To what extent should the government be involved in the research, development and purchase of zero-day vulnerabilities and exploits?
  • To what extent should government share these vulnerabilities with the private sector?
- Vulnerability liability
  • Who is liable for securing a vulnerability?
  • How should that liability shift if/when products transition to end-of-life?
  • How should government engage with the private sector when the private sector publicly alleges that a particular actor is responsible for a given attack?
- Botnet disruption
  • What should be done to prevent the proliferation of botnets?
  • How should existing botnets be researched and studied?
  • How should actors throughout the ecosystem disrupt botnets?
  • What should non-users be able to monitor to promote security and other valid national interests?
- Assigning national information security roles
  • Which entities and organizations should be responsible for fulfilling different national information security roles?
  • Who should be able to access sensitive data and communications?
- Cross-border data flows
  • What are the security and non-security implications of countries exerting control over data?
- Notification requirements
  • When should companies be required to notify relevant stakeholders that they have been breached or otherwise experienced a cyberincident?
  • What sanctions should policy-makers apply to compromised organizations?
- Duty of assistance
  • How should public resources be drawn upon in the wake of a cyberincident?
- Active defence
  • What technical measures should the private sector be empowered to use to deter and respond to cyberthreats?
- Liability thresholds
  • What is the reasonable duty of care that an organization should have?
  • Who should bear the residual damages resulting from cyberincidents when an organization has sufficiently invested in security controls?
  • What, if any, incentives should be offered to obtain insurance?
  • Which entities should be prioritized for these incentives?
Across these topics, a number of linkages and interdependencies exist. For example, an effective intelligence-sharing policy will help limit the spread of malicious software, and the greater adoption of encryption may limit the ability to monitor and police network traffic. In practice, what this means for business leaders and policy-makers is that cybersecurity policy-making efforts should be more collaborative and deliberative. Efforts should also be framed in the context of an ongoing iterative process rather than ad hoc and crisis-driven, resulting in patchwork legislation.

Five key themes arise across the 14 policy topics covered by this document. First, the acceptable scope of action for the public and private sectors should be more clearly defined. One manifestation of this issue is the question of where “safe harbour” provisions should or should not exist. For example:
- Policy around data and intelligence-sharing has been hindered by the absence of clear guidance for what constitutes protected industry collaboration.
- In the public-private context, the private sector has often been reluctant to share data with the public sector owing to concerns that revealed data will serve as the basis for future regulatory actions.
Second, the scope of permissible activity granted to security practitioners in the public and private sectors is often legally ambiguous at best. One common example of this difficulty arises in the context of cybersecurity research. In many jurisdictions, legitimate cybersecurity researchers — often colloquially called “white hat” ethical hackers in contrast to “black hat” malicious hackers — are uncertain as to the techniques and tools they are legally empowered to use to test systems. Furthermore, it is unclear how those researchers should inform others about security vulnerabilities. In one notable instance this past year in Hungary, in part owing to the absence of a legal framework around ethical hacking, an 18-year-old was arrested after informing the Budapest Transit Authority about a vulnerability allowing customers to purchase online tickets at any desired price.[4]
Third, since digital traffic crosses national borders, a nation’s policy choices will usually have considerable impact on, and be impacted by, the choices of other nations. To help predict the longer-term effect of a policy position, it is worthwhile to consider the impact of a symmetric international policy response.
Fourth, in an effort to develop cybersecurity governance structures, policy-makers and, in particular, regulators have begun exhaustively specifying processes and technologies for organizations to implement. Consequently, many organizations are devoting greater resources to achieving compliance. However, compliance does not necessarily advance cyber resilience. As more governments begin to formalize cyber-regulations, the costs undertaken by organizations to achieve compliance appear poised to grow.
Finally, for some policy questions, devoting incremental energy to developing preventive measures would avoid or limit more contentious trade-offs. For example, significant debate and intellectual energy have been devoted to discussing how software vulnerabilities should be disclosed. Considerably less policy guidance has been created to improve software coding quality standards. More secure software would reduce the stakes of the debate.
When considering the policy topic areas below, these cross-cutting issues should be taken into account while discussing each discrete policy option.
[Figure: Cybersecurity policy landscape highly interdependent. Across fourteen major security topics, five key themes. Note: list of connections between topics not exhaustive.]