
Draft October 2009

Draft Background Paper

Cybersecurity: The Role and Responsibilities of an Effective Regulator

9th ITU Global Symposium for Regulators
Beirut, Lebanon
November 2009

CYBERSECURITY: THE ROLE AND RESPONSIBILITIES OF AN EFFECTIVE REGULATOR

Acknowledgements

This draft background paper on Cybersecurity: The Role and Responsibilities of an Effective Regulator was commissioned by the ITU Telecommunication Development Sector's ICT Applications and Cybersecurity Division and Regulatory and Market Environment Division. The paper was prepared by Eric Lie, Rory Macmillan and Richard Keck of Macmillan Keck (Attorneys and Solicitors), for the 9th ITU Global Symposium for Regulators held in Beirut, Lebanon (10-12 November 2009).

The background paper on Cybersecurity: The Role and Responsibilities of an Effective Regulator is available online 9/papers.html

All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from ITU.

Denominations and classifications employed in this publication do not imply any opinion concerning the legal or other status of any territory or any endorsement or acceptance of any boundary. Where the designation "country" appears in this publication, it covers countries and territories.

This document has been issued without formal editing.

For further information on the paper, please contact:
ICT Applications and Cybersecurity Division (CYB)
Policies and Strategies Department
Bureau for Telecommunication Development
International Telecommunication Union
Place des Nations
1211 Geneva 20
Switzerland
Telephone: 41 22 730 5825/6052
Fax: 41 22 730
D/cyb/

Disclaimer

The opinions expressed in this report are those of the author(s) and do not necessarily represent the views of the International Telecommunication Union (ITU) or its membership. The designations employed and the presentation of material, including maps, do not imply the expression of any opinion whatsoever on the part of ITU concerning the legal status of any country, territory, city or area, or concerning the delimitations of its frontiers or boundaries. Mention and references to specific countries, companies, products, initiatives or guidelines do not in any way imply that they are endorsed or recommended by ITU in preference to others of a similar nature that are not mentioned.

ITU 2009

Table of Contents

1 Introduction
1.1 What is cybersecurity?
1.2 What is in this paper?

Part I: Cybersecurity Roles and Responsibilities - An Overview
2 Cybersecurity and the public sector
2.1 Role and responsibility of government
2.1.1 Policy-making (and establishing a national cybersecurity strategy)
2.1.2 Legal Measures
2.1.3 Organizational Structures
2.1.4 Capacity Building
2.1.5 Public-private sector cooperation and industry regulation
2.2 Delegating cybersecurity responsibilities among government institutions
3 Cybersecurity and the private sector
3.1 The role of the private sector
3.2 Cybersecurity and the bottom line
4 Cybersecurity and the individual
4.1 The role of the individual
4.2 The role of civil society
5 Cybersecurity and international cooperation

Part II: The Evolving Role of the Regulator in the Area of Information and Network Security
6 The role of the regulator
6.1 The core duties of the regulator
6.2 The evolving role of the regulator
7 The role of the regulator in cybersecurity
7.1 Cross-cutting competencies and prerequisites
7.1.1 Institutional maturity
7.1.2 Engagement of the private sector
7.1.3 Technical and industry expertise
7.1.4 Mandate and jurisdiction
7.1.5 Appropriate resourcing
7.2 Engagement in international cooperation
7.3 Policy-making
7.4 Legal measures
7.5 Organizational structures
7.5.1 Institutional organization and coordination
7.5.2 Incident management and cybersecurity readiness assessment
7.6 Capacity building
7.7 Private sector cooperation and industry regulation

Part III: Conclusions and Recommendations
8 The ICT/telecom regulator - a key player in a national team

1 Introduction

Information Communication Technologies (ICTs) are rapidly evolving while at the same time their usage is expanding. Today, Internet and mobile services have become an indispensable part of daily life for many around the world. While the benefits of ICT adoption have multiplied, the risks and dangers associated with their use have also similarly increased. Cybercrimes such as phishing, spam, computer-related fraud and other similar offences are rapidly increasing and evolving in step with the development and adoption of new ICT services.

In response to this situation, an increased emphasis on enhancing cybersecurity is being placed in all countries. While cybersecurity is a shared responsibility of government, the private sector and individuals alike, only national governments are in a position to lead a collective national cybersecurity effort. Only when governments establish common objectives, define ways to achieve them and clarify the roles and responsibilities of stakeholders can cybersecurity be comprehensively addressed.

As an integral part of government, ICT/telecom regulators play a key role in the national cybersecurity effort of many countries. Their broad competencies in the ICT sector, their familiarity with the ICT industry and their expertise in ICT networks and infrastructure have naturally positioned them as key players in the field of cybersecurity. However, given the constantly changing ICT environment and the dynamics of cybersecurity, the role of the regulator in this area has to evolve and adapt. Institutional improvements and other changes may be necessary to ensure that regulators remain relevant in this dynamic environment. It is in this context that this paper examines and discusses the roles and responsibilities of regulators in the field of cybersecurity.

1.1 What is cybersecurity?

In a discussion of security in the context of ICT, a number of terms are often used to describe different aspects of a common concept. In many instances, terms like cybersecurity and Critical Information Infrastructure Protection (CIIP) are used interchangeably, while in other cases they are used to describe different concepts.

In any discussion of cybersecurity, it is useful to first understand the following terms: cybersecurity, critical infrastructure (CI), critical information infrastructure (CII), critical infrastructure protection (CIP), critical information infrastructure protection (CIIP) and non-critical infrastructure.[1]

While the exact definitions may vary slightly from country to country, CI typically encompasses the vital systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, economic activity, and/or national security. CI includes physical elements (such as physical infrastructure and buildings) and virtual elements (such as networks and data). What constitutes "critical" varies from country to country, but typically includes elements of communications, energy, public utilities, finance, transportation, public health, and essential government services.

[1] Also see ITU, List of Security-Related Terms and Definitions, available at: http://www.itu.int/dms_pub/itu-t/oth/0A/0D/T0A0D00000A0002MSWE.doc

CII comprises the communications network that enables these elements to operate and deliver their services. Disruption to the CII can have an equally debilitating impact on CI that reaches beyond just the ICT sector.

CIP involves identifying, assessing, and managing risks to deter or mitigate attacks on CI and the promotion of its resiliency. CIIP describes the range of activities that are undertaken to protect the CII. It focuses on the prevention and deterrence of specific ICT-related risks and threats.

Cybersecurity is a broad term that encompasses CIIP as well as elements that may not be considered to be critical information infrastructure, such as the computer networks of small and medium enterprises, or home personal computers. Cybersecurity aims to prevent all malicious cyber incidents that affect the critical and non-critical information infrastructures alike. Such incidents can include denial of service attacks, the distribution of spam and malware, phishing and pharming and other cybercrimes.

ITU-T Recommendation X.1205 defines cybersecurity as:

"the collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Organization and user's assets include connected computing devices, users, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity ensures the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment. The security properties include one or more of the following: availability; integrity (which may include authenticity and non-repudiation); confidentiality".

In addition to the terms defined above, the term "cybercrime" is also used extensively in the discussion of security in the context of ICT. The prevention of cybercrime is a key objective of cybersecurity.

A broad definition of cybercrime describes it as encompassing any activity in which computers or networks are a tool, a target or a place of criminal activity. To better understand some of the implications of cybercrime and the need to criminalize the misuse of information and communication technologies, ITU has developed a set of dedicated cybercrime legislation resources. An ITU publication on Understanding Cybercrime: A Guide for Developing Countries and a Toolkit for Cybercrime Legislation are currently available to assist countries in understanding the legal aspects of cybersecurity and to help harmonize legal frameworks.[2]

[2] For more on the definition of "cybercrime" and an in-depth discussion on cybercrime in general, see Understanding Cybercrime: A Guide for Developing Countries, ITU, 2009, available ects/crimeguide.html

However, the definition of the term cybercrime is not a uniform one internationally, with different legal instruments in different countries using the term to describe a range of offences. The following categories used by several regional and international instruments illustrate a possible approach:

- Offences against the confidentiality, integrity and availability of computer data and systems (i.e., illegal access, illegal interception, data interference, system interference, and misuse of devices);
- Computer-related offences (i.e., computer-related forgery, and computer-related fraud);
- Content-related offences (i.e., offences related to child pornography); and
- Copyright-related offences (i.e., offences related to infringements of copyright and related rights).

While some overlap exists between categories, the categories nevertheless serve as a useful illustration of what is involved in the phenomenon of cybercrime.

1.2 What is in this paper?

This paper provides a framework for discussion on the role of the regulator in cybersecurity. Part I focuses on the roles and responsibilities of cybersecurity stakeholders: government, the private sector and individuals. As the role of government frames the eventual role of the regulator in cybersecurity, particular emphasis is paid here to the different aspects of cybersecurity in which government plays a significant part. Part I also looks at the range of international cybersecurity efforts where governments play a large role.

Part II looks in depth into the role of the regulator in cybersecurity. It first traces the evolution of the role of the regulator. It then goes on to discuss the range of roles available to regulators in the context of government involvement in cybersecurity. In that discussion the issues associated with the assumption of those roles and the core competencies necessary on the part of the regulator to fill those roles are highlighted.

Part III highlights some of the main findings of Part I and Part II, and makes some recommendations on the core competencies of regulators in cybersecurity issues.

PART I: CYBERSECURITY ROLES AND RESPONSIBILITIES - AN OVERVIEW

In today's modern society, ICTs have become an essential component in all aspects of daily life, from the political, the economic and the social. They ensure economic stability, support national security and facilitate social interaction within nations as well as between nations. However, as a largely open, interdependent and interconnected global system, ICTs are by their very nature prone to vulnerabilities and the risk of exploitation.

In order to ensure that society continues to enjoy the benefits that ICTs bring, these vulnerabilities and risks are managed, to some extent or other, through the cybersecurity efforts of the stakeholders that own, develop, operate and use these networks. These stakeholders include government, business, other private sector organizations and individual users.

In the context of this paper, it is important to understand the relative roles and responsibilities of all stakeholders in order to properly situate that of the regulator.

2 Cybersecurity and the public sector

To a large extent, only national governments are in a position to lead national cybersecurity efforts that involve all national stakeholders. In addition to putting in place substantive measures to counter cybersecurity threats, governments have the central task of establishing, among all stakeholders, a common awareness and understanding of cybersecurity as well as a common recognition of each stakeholder's roles and responsibilities.

2.1 Role and responsibility of government

The role and responsibility of government in cybersecurity is extensive. Given the vital role of ICTs in the nation, the wide range of threats and vulnerabilities and the cross-sector nature of cybersecurity, a large number of national governments assume a variety of roles and shoulder an extensive array of responsibilities ranging from national level policy-making to citizen level capacity-building.

From a brief survey of international practice and by building on the areas emphasized in the pillars of the ITU Global Cybersecurity Agenda (GCA)[3] and the related elements highlighted in the ITU National Cybersecurity/CIIP Self-Assessment Tool[4], the cybersecurity roles and responsibilities of government can be organized loosely into the following categories:

- Policy-making;
- Legal Measures;
- Organizational Structures;
  o Institutional organization and coordination; and
  o Incident management and cybersecurity readiness assessment;
- Capacity building;
- Public-private sector cooperation and industry regulation.

[3] Information on the Global Cybersecurity Agenda (GCA) is available at http://www.itu.int/cybersecurity/gca/.
[4] ITU National Cybersecurity/CIIP Self-Assessment Tool, ITU, 2009, available cts/readiness.html

To this, the dimension of engagement in international cooperation must also be added as an indispensable element of a government's role in cybersecurity.

A holistic governmental effort that encompasses all these categories is a prerequisite for an effective national cybersecurity response.

2.1.1 Policy-making (and establishing a national cybersecurity strategy)

Leadership in the area of cybersecurity by national governments is manifested largely through the government's national policy-making role. Governmental policy-making in the area of cybersecurity provides, at the highest level, a common understanding and vision of the problem, allowing for coordinated national action that would realize national cybersecurity objectives.

The preparation of a national cybersecurity strategy is an essential first step in addressing cybersecurity challenges. Such a statement typically:

- highlights the importance of ICTs to the nation (e.g. by providing information on the role of ICTs in the economy, society and national security, and the industrial and governmental processes dependent on ICTs);
- identifies and evaluates potential risks and threats (e.g. cyber-attacks, cybercrime, etc.);
- establishes cybersecurity related objectives (e.g. containment of cyber-attacks, detection and prosecution of cybercrime, protection of data resources, etc.);
- identifies the actions to be taken in order to achieve those objectives (e.g. establishment of incident response centers, adoption of cybersecurity standards, building consumer awareness, etc.); and
- sets out the roles and responsibilities of all stakeholders in the process (including a mechanism for information sharing, cooperation and collaboration).[5]

The national cybersecurity strategy can also place cybersecurity efforts into the context of other national efforts, such as homeland security and the development of an information society.

In many countries, national cybersecurity strategy is typically promulgated at a high level of government, often by the head of government, in order to get the buy-in of all stakeholders. For example, in the case of Brazil, the national cybersecurity strategy is led from the Office of the President (see Box 1 below). At the same time, however, national cybersecurity policy is typically developed cooperatively through consultation with all relevant stakeholders, including other government institutions, industry, academia, and civil society. In some countries, such policies also integrate state, local, and community-based approaches that feed into the larger national context.

[5] Ibid. See also ITU Study Group Q.22/1 Report on Best Practices for a National Approach to Cybersecurity, ITU, 2009, available at http://www.itu.int/md/meetingdoc.asp?lang=en&parent=D06SG01-C&question=Q22/1

2.1.2 Legal Measures

An effective cybersecurity effort requires the establishment, review and, if necessary, amendment of relevant legal infrastructures that support modern ICTs.[6] This requires updating of criminal laws, procedures and policies to address cybersecurity incidents and respond to cybercrime. As a result, many countries have made amendments in their penal codes, or are in the process of adopting amendments, taking into consideration existing international frameworks and recommendations.[7] As a priority, criminal law, procedures and policy should be reviewed to ensure the prevention, investigation, and prosecution of all forms of cybercrime.[8] In addition, legislation that ensures the security of information and information infrastructures should be introduced.[9] Such legislation typically deals with issues that include the following:

- Security in electronic communications;
- Fraudulent use of computers and computer systems;
- Protection of personal data and privacy;
- Certification, digital signatures and Public Key Infrastructure (PKI), among others.

Beyond their enactment, cybersecurity laws must also be effectively enforced. An effective anti-cybercrime effort will require the modernization of law-enforcement agencies, the establishment of dedicated cybercrime units, and the training of prosecutors and judges.

As many instances of cybercrime cut across borders, participation in international efforts to respond to cybercrime forms an integral part of the national cybercrime prevention effort.

[6] For more information on the range of legal measures that can be undertaken in the area of cybersecurity see the section on Legal Matters in the ITU Global Cybersecurity Agenda (GCA) High Level Experts Group (HLEG) Global Strategic Report, ITU, 2008, available bal strategic report/index.html
[7] To better understand some of the implications of cybercrime and the need to criminalize the misuse of information and communication technologies, ITU has developed a set of dedicated cybercrime legislation resources. An ITU publication on Understanding Cybercrime: A Guide for Developing Countries and a Toolkit for Cybercrime Legislation are currently available to assist countries in understanding the legal aspects of cybersecurity and to help harmonize legal frameworks. These resources are available at s/crimeguide.html ects/cyberlaw.html
[8] As an example, the Budapest Convention on Cybercrime (2001) includes minimum requirements: substantive laws (i.e. minimum standards for what is criminalized); procedural mechanisms (i.e. investigative methods); and international legal assistance (i.e. procuring of evidence or extradition). The convention is available from the Council of Europe in various languages at http://www.coe.int/cybercrime/
[9] See the UNCITRAL Model Laws on Electronic Commerce and on Electronic Signatures (2001) and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) for example.

2.1.3 Organizational Structures

Institutional organization and coordination

The institutional organization and coordination of government institutions for cybersecurity is a vital element of a successful cybersecurity effort. In the context of the role and responsibility of government, it typically involves the organization and coordination of cybersecurity roles and responsibilities among appropriate government institutions in order to carry out the actions that are required to meet cybersecurity objectives. A detailed organization and cooperation framework is essential in order to avoid institutional gaps in the national cybersecurity effort as well as to avoid overlaps in responsibilities, which can prove just as damaging. Where overlaps in responsibilities exist, there is often either a tendency towards passiveness by the institutions concerned, or at the other extreme, a potential for the introduction of conflicting regulations and approaches.

Universally, a concerted cybersecurity effort at the government level requires organizing and coordinating the work of multiple authorities and government departments, who often have different mandates and perspectives on the problem. As such, the delegation of roles and responsibilities among government institutions is a delicate matter, and in many cases it is undertaken by a government institution with a high-level mandate, such as the cabinet or the presidential office, as is the case with the National Infrastructure Security Co-ordination Centre (NISCC) in the United Kingdom or the Department of Homeland Security in the United States. Such high-level oversight is often necessary to efficiently settle potential conflicts where overlaps in institutional jurisdiction and responsibilities exist.

In practice, the actual delegation of cybersecurity roles and responsibilities among the different government institutions varies widely from country to country as such decisions are based on a wide range of considerations. This topic is discussed further in Section 2.2 below.

Incident management and cybersecurity readiness assessment

The capability to detect, to investigate and analyze, and to respond to cyber-threats and attacks is an indispensable component of cybersecurity. In this respect, computer incident response teams (CIRTs) in various forms have been established by a wide range of groups (e.g. operators, businesses, universities, etc.) at the national and international level.[10] CIRTs vary dramatically in the services they provide and the constituents they serve. Some have national responsibility while most belong to private organizations and are established to fulfill specific functions, depending on their situation. A key function that all CIRTs share is the ability to provide (1) timely information about the latest threats and (2) assistance in response to incidents when needed.

While many CIRTs have been created from the bottom up, it is generally acknowledged that it is important for governments to establish an incident management capability on a national level to prevent, prepare for, respond to, and recover from cybersecurity incidents. National CIRTs also typically assume responsibilities for readiness and response to large-scale attacks. Such an incident management capability would necessarily extend beyond the traditional CIRT role to include coordination and management capabilities in terms of cybersecurity crisis. It would also make tactical or strategic information available to key stakeholders within the public and private sectors. Examples of such CIRTs can be found in Canada (Integrated Threat Assessment Center) and in Switzerland (Reporting and Analysis Center for Information Assurance, MELANI).

Given the cross-border nature of cyber threats and attacks, active participation in international and regional cybersecurity incident monitoring activities forms a necessary part of the national CIRT effort. Such activities can include active participation in an international CIRT organization (e.g., Asia Pacific Computer Emergency Response Team (APCERT), Forum of Incident Response and Security Teams (FIRST), etc.) or international incident management exercises. For example, US-CERT has organized major international exercises (e.g. "Cyberstorm", involving Australia, New Zealand, and Canada), simulating large-scale attacks on critical sectors.

The conduct of cybersecurity exercises to test readiness and responsiveness forms part of the larger role of government to evaluate and review the level of cybersecurity preparedness of the nation. Such a role typically involves the organization and execution of periodic cybersecurity risk assessments and strategy reviews on both the national and sector-specific (e.g., financial, manufacturing, retail, etc.) levels. The result of such cybersecurity assessments can, in turn, lead to a thorough review of existing cybersecurity-related legislation and regulation as well as sector-specific legislation and regulation, such as financial laws and regulation.

[10] The term CIRTs is often used interchangeably with the terms computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs). A CIRT is essentially a team of IT security experts whose main business is to detect, analyze, monitor and respond to computer security incidents. In some cases, these CIRTs also manage outreach, cyber-security awareness, and partnership efforts to disseminate information to key constituencies and build collaborative actions with key stakeholders.

2.1.4 Capacity Building

Generally, many end-users (including private enterprises,

