Technology has had an impact on nearly every aspect
of society, and will continue to do so in the coming years. Many of today's
activities are increasingly dependent on information systems, electronic
devices, and data networks, a trend that is leading to hyperconnectivity. At
the same time, new threats and vulnerabilities keep emerging, and as a
result, security risks are increasing in number, frequency and impact.
The ascendancy of technology in today's societies, and the risks associated
with its use, therefore demonstrate the need to protect information and other
assets at various levels and in various fields, not just for industries,
companies and users, but also for countries. Legislation in several countries
now requires increased and improved security, based on objective moral and
ethical criteria.
The promulgation of laws relating to cybersecurity
highlights the importance of implementing large-scale regulatory
frameworks, which would contribute to reducing security incidents and
preventing IT crime, while developing and establishing a culture of
cybersecurity. But despite the benefits that such legislation may bring to
information security, the reality is that there are various tensions, positions
and counterpoints, which mean that enacting it is not an easy task. In this
section, we look at some of the most significant legislation internationally,
and at some of the current and future challenges facing states, companies
and users/citizens around the world.
Cybersecurity: organization, collaboration
and diffusion across the globe
We have recently seen the emergence of a trend
towards new cybersecurity legislation across the world. Based on collaboration
between public and private sectors to effect the exchange of information and
the creation of national cybersecurity agencies, the aim is to develop tools to
cope with the risks of the digital era and to legislate against cybercrime.
European Union
The EU recently adopted the NIS Directive (Directive (EU) 2016/1148 on the
security of network and information systems), which requires member states to
be equipped and prepared to respond to incidents by designating a Computer
Security Incident Response Team (CSIRT) and a national competent authority in
this area.
The creation of a CSIRT network is intended to
promote rapid and effective cooperation, the exchange of risk-related
information, and the development of a culture of security among sectors vital
to Europe’s economy and society, such as energy, transport, finance, health,
and digital infrastructure. The new laws are aimed at encouraging the
homogeneous development of cybersecurity capacities and at preventing incidents
that threaten economic activities, infrastructure, the confidence of users, and
the operation of systems and networks critical to each country.
United States
At the end of 2015, the United States Congress
approved what is known as the Cybersecurity Act of 2015 (which includes the
Cybersecurity Information Sharing Act), intended to protect the country from
cyberattacks responsibly and promptly through a framework that promotes the
exchange of information about cyber threats between the private sector and the
government.
Under the act, information about a threat found on
a system may be shared with the aim of preventing attacks or mitigating risks
that may affect other companies, agencies or users. Through information
gathering, security checks and other protective measures, organizations and
governments are able to coordinate intelligence and defensive actions.
Latin America
In a recent report, a cybersecurity capability maturity model was applied to
determine cybersecurity capacity in Latin America and the Caribbean. The
document highlights the importance of responsible disclosure by public and
private sector organizations when a vulnerability is identified.
It also emphasizes the importance of legislative
frameworks, investigation, the processing of electronic evidence, and the
training of judges and prosecutors in the field of cybersecurity. Adherence to
international conventions, such as the Budapest Convention, and being a signatory to cross-border
agreements for cooperation, are other decisive factors. Similarly, adoption of
best practices along with the use of security technologies are considered, for
the formation of a “resilient cyber society”.
Asia-Pacific
Another study, which sought to ascertain the level of cybersecurity
sophistication in countries of the Asia-Pacific region, also treats legislation
as a basic indicator of the security landscape. In 2016, several countries in
this region launched new cybersecurity policies or strategies, and also updated
existing standards, in order to adapt to new challenges and emerging issues.
For example, Australia has implemented a
cybersecurity strategy, which provides for additional funds and has sought increased
commitment from the private sector to engage with the country’s cyber policy.
Other countries, like New Zealand, have launched national cybersecurity
strategies, focusing on improving their resilience, international cooperation,
and the ability to respond to cybercrime.
Challenges and implications of the enactment
of laws relating to cybersecurity
The current risk landscape creates a need for regulatory frameworks for
security management, an increasingly common organizational practice. When we
refer to legislation, we are referring to the application of such standards on
a large scale, with a view to regulating cybersecurity at the national level.
Generally, legislation is quite effective when it comes to regulating behavior.
However, there are challenges to be overcome for
effective application of the laws. For example, the Global Agenda Council Report on Cybersecurity presents
the challenges faced by countries that have started to legislate in this area,
based on the Budapest Convention. Nevertheless, these countries can enter into
other global or regional conventions, and even take part in specific local initiatives.
Evidence suggests that, given the influence of
technology and the habits it instils, implementation of legislation can impact
various stakeholders ranging from technology companies to users themselves.
These tensions lead to different conflicts and challenges, which we shall
consider below.
Delay in the enactment of laws
Various considerations determine the creation of laws in different countries,
so their promulgation depends on a multiplicity of factors: for example,
political or other issues affecting local initiatives, or adherence to
international agreements that encourage a common level of development for
cross-border collaboration.
However, it is on account of these very conditions and characteristics that
legislation is often postponed. For example, by 2016, almost half of the
countries that had ratified the Budapest Convention had taken a decade or more
to complete the ratification, due among other things to delays in the
development of their own laws. Moreover, the Convention focuses only on certain
legal aspects (substantive cybercrime offences, procedural powers and
international cooperation) within the much broader scope of cybersecurity.
Laws falling behind in context and time
In connection with the previous point, it should also be considered that
technology is advancing at a rapid rate; the development of standards may,
therefore, fall far behind technological advances. Just as organizations
continuously update their standards in response to evolving risks and new
technologies, the law needs to keep pace when it comes to responding to present
and emergent issues that may need to be regulated.
Perhaps the way to rectify this disparity between technological innovation
(and the risks it entails) and the enactment of appropriate legal measures is
to draft technology-neutral rules that regulate human conduct rather than
specific technologies, especially since technologies can become obsolete in a
relatively short period. This may prove to be the most reliable way for
regulation to remain effective, but it could also lead to rising tensions in
the future. An example might be attempts to regulate the use of social
networks, for which no specific legislation yet exists.
Technical and legal heterogeneity
We should also consider that countries’ methods
differ in the ways they adhere to international or regional conventions, and
these differences even determine specific initiatives for the development of
their laws. Legal and technical disparities make it difficult to respond to,
investigate, and rule on cybersecurity incidents, and inhibit international
collaboration. For example, regional or bilateral initiatives are developed to
meet specific needs, as is the case with the EU-US Privacy Shield, a
framework seeking to protect the fundamental rights of anyone in the EU whose
personal data are transferred to companies in the US. This, of course, does not
take into account collaboration with other countries or regions.
Conflicts of laws and basic principles
In this same context, legislation is generally quite effective when it comes
to regulating behavior. However, these laws can always be improved,
particularly if we consider that there are legislative proposals that could
undermine not only the principles on which the internet is based but even
certain basic human rights. Because the internet is open and has no physical
borders, there are cases where, although legislation is applied on a national
level, constitutional or legal conflicts arise, mainly concerning the meanings
and conceptions of privacy and freedom of expression. Here, the perennial
debate between privacy and security comes into play.
Limitations on the scope of application
Similarly, the absence of legislation or agreements
on specific aspects of certain issues can undermine international
collaboration, even within the same territory. Public and private sectors face
a challenge when it comes to access to information for investigations, with
implications for security, the right to privacy, and commercial interests,
mainly of tech companies.
Well-known examples are the case between the FBI and Apple, in which a US
judge ordered the technology giant to assist in unlocking the iPhone of a
terrorist involved in an attack, and the recent case in which a judge in Rio de
Janeiro ordered the blocking of WhatsApp throughout Brazil and imposed fines on
Facebook. Such events clearly demonstrate the need for local and cross-border
agreements on collaboration that avoid such conflicts of interest.
Working towards the development and
popularization of cybersecurity culture
The promulgation of laws relating to cybersecurity
has enjoyed prominence at an international level for some years now, on
account of the number, frequency, and impact of incidents recorded worldwide.
Various initiatives regard legislation in this area as a fundamental factor
that improves a country’s maturity.
The aim is therefore to have legal measures in place for protection at various
levels and in various fields. To this end, legislators have also started to
consider the requirements necessary for security in their countries, including
their capacity to respond to large-scale incidents, the protection of their
critical infrastructure, their ability to collaborate with other countries, and
even the development of a security culture that can be instilled in the
population, in addition to issues already recognized, such as privacy, the
protection of personal data, and cybercrime.
We are experiencing a growth in the
development of new legislation that defines how a country’s assets are
protected in the context of cybersecurity, as well as promoting cooperation and
collaboration between the public and private sectors of each country, and also
at an international level so as to thwart current and emerging information
threats and attacks.
However, behind the obvious benefits of this new legislation lie challenges
that need to be overcome in order for it to materialize. These include
understanding the needs and conditions that exist in both the public and the
private sectors, and those of all stakeholders in their capacity as both users
and citizens. Obstacles and limitations on collaboration may include a lack of
trust, ineffective legislation, and differing interests between the various
sectors.
In the light of these issues, the need to define rules for all stakeholders
becomes clear: rules that are based on international, regional or national
agreements and that consider all parties, in order to make legislation truly
effective. Without doubt, much remains to be done, and it requires collaboration
between governments, private initiatives, the academic sector and, of course,
users. In this way we can work towards one common goal: the development of a
cybersecurity culture.