Cybersecurity: Dos & Don'ts

Martina Francesca Ferracane, Research Associate at ECIPE

QED, 22 June 2017



Outline

1. Getting the terminology right

2. Don'ts

3. Dos


Cybersecurity

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

Elements of cybersecurity include: application security; information security; network security; disaster recovery / business continuity planning; operational security; end-user education.

Source: http://whatis.techtarget.com

Cybersecurity

Cyber threats can be grouped into four categories:

- Crime: fraud, extortion, theft, DoS, etc.

- Commercial espionage

- Nation-State espionage

- Warfare

Source: Information Technology Industry Council (2015)

Access to data for national security & law enforcement

Different issues such as:

- Counter-terrorism measures

- MLATs (mutual legal assistance treaties)

- Data sovereignty

Data privacy

Data privacy concerns the collection, protection and dissemination of personal or private information about individuals or organisations.

Source: http://lexicon.ft.com/

Freedom of expression

Different issues such as:

- Fake news

- Censorship

- Hate speech

2. Don'ts

Fragmentation (I)

“Member States have very different levels of preparedness, which has led to fragmented approaches across the Union. This results in an unequal level of protection of consumers and businesses, and undermines the overall level of security of network and information systems within the Union.”

Recital (5) - NIS Directive

Fragmentation (II)

“Each Member State shall adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems (…)”

Article 7 - NIS Directive

Fragmentation (III)

“Member States shall lay down the rules on penalties applicable to infringements of national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented (…)”

Article 21 - NIS Directive

Notification of incidents

Digital service providers have to report those incidents that have a ‘substantial impact on the provision of a service (…) they offer in the EU’.

Operators of essential services have to report those incidents ‘having significant impact on the continuity of the essential services they provide’.

In both cases, notification must be made ‘without undue delay’.

Art. 14 & Art. 16 - NIS Directive

Compulsory security standards (I)

“Member States shall (…) encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.”

Article 19 - NIS Directive

Compulsory security standards (II)

- Multi-Level Protection Scheme (MLPS) - China

- Preferential Market Access (PMA) - India

- Cybersecurity Law - China

‘The security reviews will not target any country or region, they will not discriminate against foreign technology or products, nor limit their access to the Chinese market. On the contrary, they will boost consumer confidence in such products and services, and expand their markets.’ Cyberspace Administration of China (CAC)

“We cannot allow [terrorism] the safe space it needs to breed – yet that is precisely what the internet, and the big companies that provide internet-based services provide” Theresa May

How security standards could be abused…

‘Personal information and important data collected and generated by critical information infrastructure operators in the PRC must be stored domestically’

Art. 37 - China Cybersecurity Law - June 2017

Data localisation (I)

‘Where due to business requirements it is truly necessary to provide it [data] outside the mainland, they shall (…) conduct a security assessment’

Data localisation (II)

Source: Digital Trade Estimates Database - ECIPE

3. Dos

- Focus on systems that are truly critical in nature

- Improve public agencies

- Improve coordination intra-EU and globally

- Develop national cybersecurity plans

- Involve the private sector in the development of cybersecurity strategy

- Invest in R&D

- Increase public-private partnerships (PPP)

- Participate in international fora and consortia

Dos

- Preserve interoperability and openness to the global market

- Balance cybersecurity concerns with:

  - civil liberties

  - innovation

  - trade

  - other policy priorities

Dos

“It's no longer OK not to understand how the Internet works.”

Aaron Swartz

References

- Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L1148

- English Sina (2017). China Internet regulator says cyber security law not a trade barrier: http://english.sina.com/news/2017-05-31/detail-ifyfuvpm6886418.shtml

- FT (2017). Special Report on Cyber Security: https://www.ft.com/reports/cyber-security

- Independent (2017). Theresa May says the internet must now be regulated following London Bridge terror attack: http://www.independent.co.uk/news/uk/politics/theresa-may-internet-regulated-london-bridge-terror-attack-google-facebook-whatsapp-borough-security-a7771896.html

- ITIC (2013). ITI Position Paper on the Proposed “Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union”: https://www.itic.org/dotAsset/a748f2f7-7d73-4d62-8ea0-b5ad35e3af27.pdf

- ITIC (2015). The IT Industry’s Cybersecurity Principles for Industry and Government: https://www.itic.org/dotAsset/0e3b41c2-587a-48a8-b376-9cb493be36ec.pdf

- NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

- Quartz (2016). How countries like China and Russia are able to control the internet: https://qz.com/780675/how-do-internet-censorship-and-surveillance-actually-work/

Websites:

- www.ecipe.org/dte

- http://whatis.techtarget.com

- http://lexicon.ft.com/

Martina Francesca Ferracane, email: martina.ferracane@ecipe.org

Thank you!