Multiple Perspectives of National Cyber Security Strategy
Riza Azmi PK-33
Faculty of Engineering and Information Science
University of Wollongong
The history of the term “cyberspace” stretches back over many decades. The term “cyber” emerged seven decades ago (Ottis & Lorents 2010). Wiener (1948, pp. 144–154) coined the term “cybernetics” to describe interactions between humans (or animals) and a machine that can provide an alternative environment. The term “cyberspace” was first used in the early 1980s (Gibson 1982) and was described as “a graphic representation of data abstracted from banks of every computer in the human system” (Gibson 1984). Since then, the term has come into common usage, including in the study of information systems (Ottis & Lorents 2010).
Despite this common usage, a variety of approaches to developing cyber security policy can be seen. This article provides a brief account of the factors that give rise to these differing approaches, as well as the challenges in seeking to define a theory of cyber security policy development.
This article discusses two main points: (1) the concept that gives rise to “cyberspace”, and (2) models of cybersecurity. The first discussion, in Section 2.2, elucidates the various perspectives on defining a “border” of cyberspace, while Section 2.3 clarifies the difference between cyber security and information security. The following discussion, Section 2.4, outlines some works that provide both ex-ante and ex-post perspectives on strategy development. It is limited to two perspectives: models of cyber security strategy and reviews of cyber security strategy.
2. Borders in Cyberspace
Defining borders in cyberspace is fraught with complexities. Given the need for nations to develop policy and legislative responses to potential threats in cyberspace, it is not possible to ignore the issue of borders. For example, defining borders in cyberspace is important when a country’s jurisdiction is considered (Johnson & Post 1996). However, borders can take on various meanings depending on which assumptions are made. For some, cyberspace is borderless and should be self-regulated (Johnson & Post 1996; Barlow 1996). Others argue that cyberspace boundaries should be classified on some basis of form, including geographical boundary, personhood, or “turf” (Motlagh 2015; Finklea 2012; Johnson & Post 1996; Cottim 2008).
Those who argue that cyberspace should remain a borderless and unregulated entity point to cyberspace as consisting of transactions, relationships, and thought without physical interactions (Barlow 1996; Johnson & Post 1996). These arrayed communicative interactions are called the web or the internet (Barlow 1996). Since this communication takes place without physical interaction, it is assumed to be borderless. This idea is developed further: virtual space should be a place without privilege or prejudice based on race, nationality or other identity. It should be preserved with freedom and self-governance, without controlling powers (e.g. economic power, military force, and the government) (Barlow 1996). Thus, cyberspace is a space for all, without borders and jurisdiction.
However, others argue that cyberspace is an extension of national sovereignty and should be bordered. The idea of a “geographical boundary” is to demarcate cyberspace by national laws. Thus, the geographical borders of the country constitute the cyberspace borders and are rooted in the jurisdictions of a nation’s institutions (Johnson & Post 1996). However, this concept has some limitations, since electronic transactions span national borders, which may make the law difficult to enforce.
Another suggested view is to focus on personhood. The border from this perspective divides subjects who initiate an action (active personality) from those who are affected by the action (passive personality) (Cottim 2008). However, complexities still arise when this interaction occurs across international boundaries with different legal frameworks.
The notion of a “turf boundary” addresses the limitations of the two previous concepts of geography and individual personhood. The term was coined from the boundaries of the mafia, and denotes a shared place between two or more organizations that have mutual interests (Finklea 2012). This last view is often implied or referred to in many cyber security strategy documents. The benefits of this approach appear to lie in its effect of highlighting the need for international cooperation to overcome shared threats in cyberspace. This last lens therefore appears to be the most practical approach to defining borders in cyberspace when the goal is to create mutual understanding.
3. Cyber vs Information Security
Further complications in the definition of cybersecurity can be found when issues of information security are considered. For example, one definition of cyberspace employed in an ITU (2012) document resonates with the common understanding of information security, using terms pertaining to the confidentiality, integrity, and availability of information (von Solms & van Niekerk 2013).
In this context, Von Solms et al. (2013) attempt to clarify the differences between cyber security and information security. Information security deals with the protection of information as an asset, in physical or non-physical form. Cybersecurity, by contrast, deals with the protection of both informational and non-informational assets through the ICT infrastructure (Figure 1).
4. Cyber Security Models and Frameworks
Literature that addresses cyber security as a social policy phenomenon is limited. In this section, the discussion focuses on the work of intergovernmental organisations that represent cyber security strategies as models or frameworks. These works may be classified into two groups: (1) modelling cyber security (ITU 2012; GCSCC 2014); and (2) reviewing the strategy (OECD 2012; ITU & ABIresearch 2015; BSA 2015; ASPI 2015; Luiijf et al. 2013).
4.1 Cyber Security Models
Two organizations have proposed models of cyber security (ITU 2012; GCSCC 2014). These models aim to represent cyber security concisely and to serve as a policy template.
One example is the work of the ITU (2012), which proposed the ITU Cyber Security Strategy Model. The model consists of steps that start with defining a Strategy Context, followed by defining the Ends, Ways, and Means of the national cyber security context. The strategy context is influenced by factors such as threats and risks, national interests, and international treaties and conventions. The Ends of the model refer to cyber security objectives. The objectives drive the Ways, or approaches to executing the strategy, and the Means, which are the resources devoted to action. Five dimensions frame the Ways and Means: Legal, Technical & Procedural, Organizational, Capacity Building, and International Cooperation (Figure 2).
Alternatively, the Global Cyber Security Capacity Centre (GCSCC) (2014) has proposed the Cyber Security Capability Maturity Model (CMM). This model is based on the concept of a capability maturity model in software engineering. The model comprises five dimensions, which are: “(1) devising cyber policy and strategy, (2) encouraging responsible cyber culture within society, (3) building cyber skills into the workforce and leadership, (4) creating effective legal and regulatory frameworks and (5) controlling risks through organization, standards and technology” (Figure 3).
4.2 Cyber Security Review
Attempts to review a strategy of cyber security are intended to capture the extent to which cyber security has been achieved. In general, there are two kinds of strategy review: (1) by qualitative analysis of the policy (OECD 2012; ENISA 2012; Luiijf et al. 2013), and (2) quantification of cyber security based on measurement frameworks (ITU & ABIresearch 2015; BSA 2015; ASPI 2015).
Two organizations and one paper undertake a qualitative review of NCSS: the OECD (2012), ENISA (2012), and a work by Luiijf et al. (2013). While the OECD’s and ENISA’s reviews are based on their country membership, Luiijf et al. (2013) analyse the NCSS that were developed and published in the period between 2009 and 2011.
As an example of qualitative analysis, the OECD (2012) review of ten national cyber security strategies comes to the fore. This policy review is based on information provided by ten volunteer countries. It reveals four concepts shared by all strategies:
- governmental coordination;
- public-private coordination;
- international cooperation; and
- respect for fundamental values.
Another review, by ENISA (2012), identifies themes and contrasts across ten European Union (EU) Member States and three non-EU nations. It finds that the five main action points covered by the strategies include:
- overcoming risks;
- foundation of socio-economics;
- establishment of a triadic policy (national security, crisis management, and nation/user protection);
- establishment of policy for economic growth; and
- building up international alliances.
Common themes that were identified included the need to:
- define a governance framework;
- define an appropriate mechanism;
- define clear roles, responsibilities and rights of the private and public sector;
- develop a legal framework;
- identify critical information infrastructures (CIIs);
- develop a response and recovery plan;
- define a systematic and integrated approach to national risk management;
- raise awareness;
- improve cyber competencies;
- establish international co-operation; and
- create comprehensive research and development programs.
Luiijf et al. (2013) reviewed ten national cyber security strategies from the period 2009–2011. They reviewed the ten NCSS on the basis of nine aspects:
- the meaning of cyber security to the country,
- perceived threats,
- scope of NCSS,
- relationship of the NCSS to national strategy,
- strategic objective and guiding principle of NCSS,
- actions planned,
- strategy adaption to emerging cyber security threats, and
- function of national institution.
It found key differences in NCSS approaches on the basis of economics, national security, and military defence.
Other reviews focus on quantifying cyber security. Ascribing numbers to NCSS enables policy to be ranked and profiled. Several cyber security assessments exist for different regions, such as ITU country members (ITU & ABIresearch 2015), the European region (BSA 2015), and the Asia-Pacific region (ASPI 2015).
A review by ITU and ABI Research (2015) creates national cyber security profiles of ITU country members. Its view is based on five dimensions, which are (ITU 2012):
- Capacity Building; and
In the European region, the Business Software Alliance (BSA) (2015) measured national cyber security maturity by cyber resiliency. The resiliency is examined along five dimensions, which are (BSA 2015):
- Legal Foundations;
- Operational Entities;
- Plans; and
ASPI (2015) gauged cyber maturity in the Asia-Pacific region. They created a cyber engagement scale divided into ten categories. The categories include (ASPI 2015):
- Organisational structure;
- International engagement;
- Financial cybercrime;
- Military application;
- Government business dialogue;
- Digital economy;
- Public awareness; and
- Internet penetration.
It is clear from this brief review that there are many examples of divergence, as well as areas of agreement, within these policy templates and benchmarking instruments. To bring greater clarity to this complexity, a robust and systematic analysis of cybersecurity strategy is needed.
This article has presented the multiple perspectives of cyber security strategy. In attempting to address the difficulties of defining the “border” of cyber security, the models and frameworks produced by intergovernmental agencies seek to provide both ex-ante and ex-post perspectives to guide strategy development. In attempting to better clarify the requirements of an NCSS, the varied work of intergovernmental agencies in developing policy templates and benchmarking instruments has demonstrated a need for research that provides a comprehensive assessment of why NCSS should be developed and how it can be reliably established.
ASPI. (2015). Cyber Maturity in the Asia-Pacific Region 2015. Barton, Australian Capital Territory. http://doi.org/10.1017/CBO9781107415324.004
Barlow, J. P. (1996). A Declaration of the Independence of Cyberspace. Retrieved December 5, 2015, from https://projects.eff.org/~barlow/Declaration-Final.html
BSA. (2015). EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace. London: Business Software Alliance (BSA).
Cottim, A. A. (2008). Cybercrime, Cyberterrorism and Jurisdiction: An Analysis of Article 22 of the COE Convention on Cybercrime. European Journal of Legal Studies, 17(3), 81–103.
ENISA. (2012). National Cyber Security Strategies: Setting the course for national efforts to strengthen security in cyberspace. Heraklion, Greece: European Network and Information Security Agency (ENISA). Retrieved from http://www.enisa.europa.eu
Finklea, K. M. (2012). The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement. Journal of Current Issues in Crime, Law & Law Enforcement, 5(1/2), 29–67.
GCSCC. (2014). Cyber Security Capability Maturity Model (CMM) (Version 1.). Oxford: Global Cyber Security Capacity Centre (GCSCC), University of Oxford. Retrieved from http://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/CMM Version 1_2_0.pdf
Gibson, W. (1982). Burning Chrome. Canada: Omni.
Gibson, W. (1984). Neuromancer. (T. Carr, Ed.). New York: Ace Books.
ITU. (2012). ITU National Cybersecurity Strategy Guide. (F. Wamala, Ed.). Geneva: International Telecommunication Union. Retrieved from http://www.itu.int/ITU-D/cyb/cybersecurity/docs//ITUNationalCybersecurityStrategyGuide.pdf
ITU, & ABIresearch. (2015). Global Cybersecurity Index & Cyberwellness Profiles (April 2015). Geneva: International Telecommunication Union (ITU).
Johnson, D. R., & Post, D. (1996). Law And Borders: The Rise of Law in Cyberspace. Stanford Law Review, 48(5), 1367–1402.
Luiijf, H. A. M., Besseling, K., Spoelstra, M., & De Graaf, P. (2013). Ten national cyber security strategies: A comparison. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6983 LNCS, pp. 1–17). http://doi.org/10.1007/978-3-642-41476-3_1
Motlagh, H. (2015). Border Management of Cyberspace, First Step of Cyber Defense, 5(1), 16–24.
OECD. (2012). Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy. Organisation for Economic Co-operation and Development. http://doi.org/http://dx.doi.org/10.1787/5k8zq92vdgtl-en
Ottis, R., & Lorents, P. (2010). Cyberspace: Definition and Implication. In Proceeding of the 5th International Conference Information Warfare and Security (pp. 267–269). Ohio, USA: The Air Force Institute of Technology.
von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. http://doi.org/10.1016/j.cose.2013.04.004
Wiener, N. (1948). Cybernetics: Control and Communication in the Animal and the Machine (second edi). Cambridge, Massachusetts: The M.I.T Press.
 The countries include Australia, Canada, Finland, France, Germany, Japan, Netherlands, Spain, the United Kingdom and the United States.
The countries include Estonia, Finland, Slovakia, Czech Republic, France, Germany, Lithuania, Luxembourg, the Netherlands, the United Kingdom.
 The countries include the United States, Canada, and Japan.
 The countries include Australia, Canada, Czech Republic, France, Germany, Japan, The Netherlands, New Zealand, the United Kingdom, and the United States.