While national policies are bound by the borders of national sovereignty, the internet addresses an increasingly dynamic and virtual infrastructure that has close to no regard for national boundaries. An international challenge exists, and a highly co-ordinated and collaborative effort on a pan-national, pan-organisation level continues to be needed. In turn, key organisations play a pivotal role in such national security strategies, and requirements to contribute to protection of key national assets can heavily influence security needs and purchasing intent. While national strategies have traditionally focused on protection of key assets, more esoteric issues such as supporting a better functioning PACs and ICT marketplace are also increasingly becoming more explicit stated objectives. In turn, legislation is created in response to such policy initiatives, increasing synergy between strategic PACs initiatives and their actual enforcement, in areas where regulatory pressure and incentives are deemed necessary to achieve appropriate security and privacy practices across market actors.
Many different cross-cutting concerns are evident in cyber security policy-making at national and international levels. A first element is defining security domain scope, with many different security domain definitions available. Rightly or wrongly, the term “cyber security” is often used interchangeably with many other security domain terms such as “information security”, “network security”, and “internet security” for example. Cyber security also interlocks heavily with adjacent themes such as “critical infrastructure protection” (CIP),”cybercrime”, “cyber safety”, and “cyber resilience” especially as core threats, attack methods, and mitigation strategies will overlap heavily regardless of context.
Policy making also needs to consider multiple dimensions of activity [ECE14] and co-ordination across different organisations and relevant actors, with relevant co-ordination goals necessary, for example:
• Achieving “whole of Government” collaboration: within national governments and pan-national government agencies, a broad range of departments and agencies typically claim responsibility for national cyber security in various forms, including military, law enforcement, judicial, commerce, infrastructure, interior, intelligence, telecommunications, and other governmental bodies. While the breadth and scope of cybersecurity makes this understandable, it makes co-ordinated and effective action and cross-government synergy much more difficult.
• Achieving cross-border “whole of System” collaboration: the highly globalised nature of the internet increases this diversity at the international level, and national-level cyber security initiatives must typically collaborate with a wide range of international partners that typically operate outside any individual national government. International-level co-ordination emphasises activities around dimensions such as international binding treaties, politically binding agreements, security standards and non-government agreements between technical certification bodies, and so on.
• Achieving cross-sectoral “whole of Nation” collaboration: this involves interactions and co-operation between public and private agencies, as well as with relevant research establishments, and entities representing civil society. Key security contractors and critical infrastructure companies are viewed as core elements of this whole of nation approach.
Policy mandates can also be structured across other key dimensions around cyber capabilities, such as (a) military cyber activities, (b) countering cyber-crime, (c) intelligence and counter intelligence, and (d) critical infrastructure protection, (e) national crisis management, (f) internet governance and cyber diplomacy, among others.
This theme highlights key activities and initiatives around policy, legislation and standards within the PACs domain. Key PACs institutions and their interrelationships influencing overall cyber security at regional and global levels are highlighted and described – EU and US initiatives are given particular attention. Key PACs standards are legislation are broadly itemised and highlighted. A summary of various incentives available to policymakers to influence PACs outcomes is also provided.[SG1]
|Scope||This theme is decomposed further into five subthemes:
|What you will learn||The theme will allow innovators to understand the structure and goals of policymakers and their initiatives at a broad level. Also, will provide a broad understanding of key legislation and regulation initiatives, and how they may impact PACs innovators as well as the overall marketplace. Signposting to key standards and certification[SG3] initiatives.|
|Potential Uses||Support innovators in understanding the broader policy environment in PACs, and how it might impact potential idea candidates. Are emerging PACs policy, legislation, standards, or similar initiatives and enabler or barrier? Are further policy incentives needed to make my innovation viable? Are specific policy initiatives relevant or not to my go to market strategy?|
[ECE14] Report on existing EU practives for cyber security, 2014, http://ecesm.net/sites/default/files/Dev%201.1%20-%20v1.0.pdf