Many communications networks and other critical infrastructures are privately owned
Cybersecurity is a shared responsibility of gov't, service providers, software and hardware makers, and users (large and small).
Cybersecurity strategy has many components:
industry standards and sound technology design
information sharing about threats/vulnerabilities (CERTs)
awareness, education of all users
liability of computer/software makers under civil law?
OECD Guidelines for Security of Information Systems and Networks
APEC Strategy and Statement on the Security of Info and Communications Infrastructure
EU - Council Resolution 28
E-Japan Priority Policy Program (cybersecurity incorporated)
Australia E-Security National Agenda
US National Strategy to Secure Cyberspace & E-Government Act (cybersecurity included)
Common Themes in Int’l Guidelines
Guidelines, International Standards
Training and Education
Respect for Privacy
Vulnerability Assessment, Warning and Response
Gov’t Must Get Its Own House In Order
Government should not dictate security technologies to industry until it has solved its own problems (that is, probably never)
Elements of a National Cyber-Security Strategy.
Assessment of national vulnerabilities
Issuance of a public report that conceptualizes the issue and raises awareness of policymakers and the public
Creation of a leadership structure within the executive branch to oversee the development and implementation of policy
Drafting of a detailed national plan based on dialogue with the private sector
Structure and enforce responsibility
Adoption of legislation and guidelines addressing such questions as information sharing and accountability.
Gov’t Must Get Its Own House In Order
US E-Gov Act (2002) - Title III - limited to government systems - focuses on process, not technologies
Periodic assessment of risk
Adoption of policies and procedures
Chief Security Officer for every agency
Security awareness training
Detecting and responding to attacks
Annual reports to Congress on progress
Independent security evaluation
Office of Management and Budget (White House) authority
Similar requirements may be appropriate for private sector, especially financial sector, medical data
Protection of national security information
Definition: information generated by the government and its contractors, which, if publicly disclosed, will harm the national security.
Important question: Can the judiciary or some other independent official review and overturn the decision of the Executive Branch to keep information secret?
Other sensitive government information
Criminal investigative information
Private information about individuals in the hands of the gov’t
Gov’t secrets online and off are defined the same.
Many countries deal with these issues in Freedom of Information law:
Crimes against computers or communications
Interference with availability or integrity of data
destroying data, altering data
Interference with availability of service
Denial of service attacks
Interception of data in transit (unauthorized access to comms)
Unauthorized access to data (cyber trespass)
CIA - Confidentiality, Integrity, Availability
Crimes using computer
Fraud, dissemination of pornography, copyright infringement
Should not be treated as separate crimes
Crimes where evidence is in computer
COE Convention on Cybercrime - good model, approach with caution
Investigation of Cybercrime
To investigate cybercrime and crimes facilitated by computer, law enforcement agencies need access to
content of communications;
transactional (or traffic) data;
data identifying subscriber (e.g., name)
Phishing E-mail message
Message purporting to be from eBay
Threatens account termination
Asks user to update information
Uses eBay and Trust-e logos for legitimacy
Links to non-eBay site
Criminal Law Has Limited Effect
Under US law, such an email is absolutely illegal
Falsified header information - criminal and civil violation
Hijacking another computer to send spam - criminal and aggravated civil violation
Possible falsification of domain name registration information - criminal violation
No valid physical address - civil violation
No opt-out - civil violation
Deceptive subject heading - civil violation
Possible address harvesting - aggravated civil violation
The solution to the cybercrime problem requires:
Better technology design
Education of users.
Privacy is an Element of Cybersecurity
“Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on human rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications and personal data.” Communication from the Commission on Network and Information Security (2001)
OECD Cybersecurity Guidelines
“Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.”
Network security is the shared responsibility of the gov’t and the private sector.
Gov't protects its own networks, contributes to awareness, info sharing, and R&D.
A lot of work has been done and more needs to be done by the private sector.
International consensus on strategy elements.
Cybercrime legislation is one key component of cybersecurity.
Privacy and security are two sides of the same coin.
Don’t forget the basics of law reform and the enabling environment.
Part II: Data Protection (Privacy)
Privacy in the Digital Age
Online Privacy Risks
Collection of information to an extent never before possible: click-stream data, location information.
Aggregation of data across time, space, applications, vendors - creating a detailed dossier of activity and thought.
Retention is cheap and easy.
Distribution is cheap and easy too.
Public opinion surveys and business experiences show that privacy is a major consumer concern and impediment to e-commerce and e-government.
What is privacy?
Information privacy - principles for use of data.
Why Privacy Matters
Three Examples of How Privacy Concerns Arise in E-Government Projects
Japan - Juki Net - national ID and information system - concerns about identity theft
Australia - PKI and Health Records
US - Social Security Records Online
Personal Data Protection
Data Subject - the individual to whom the data pertains
Data Controller - a governmental or private sector entity who is responsible for controlling the purposes and ways of personal data processing
Processing - any use, recording, storing or publishing of data
Data Handler or Processor - anyone who processes (uses) data on behalf of the controller
User - anyone to whom data is disclosed for a permitted purpose
Personal Data Principles - 1
Consumer privacy protection in the US and Europe, under the guidelines of the OECD and APEC, and in the law of the Republic of Macedonia, is based on ten principles:
Purpose Specification. Personal data shall be collected only for purposes that are concrete, clear and legally determined. The subsequent use of data should be limited to those purposes. Article 5, para. 1, item 2.
Notice. The data subject shall be informed of the identity of the data controller and the purpose for which data are collected, as well as the rights of access and correction. Articles 10 and 11.
Personal Data Principles - 2
Collection Limitation. Personal data should be collected only if it is appropriate, relevant and not excessive in relation to the purpose for which it is collected (no more data should be collected than is necessary to accomplish the stated purpose). Article 5, paragraph 1, item 3.
Data Quality. Data should be accurate, complete, and up to date, taking into account the purposes for which they were collected. Article 5, paragraph 1, item 4. Upon request of the data subject, and upon its own initiative, the data controller is obliged to supplement, amend, or delete incorrect, incomplete or out-of-date information. Article 14.
Retention Limit. Data should be stored in a form that allows identification of the data subject for no longer than is necessary to fulfill the purposes for which the data were collected. Article 5, paragraph 1, item 5.
Personal Data Principles - 3
Use Limitation. Data should not be disclosed or processed except for purposes specified when it was collected unless the data subject consents, subject to specified exceptions. Article 6.
Access. The data subject has the right to access data about himself. Article 12. This right is crucial to the exercise of the right to data quality.
Security. Any person having access to a personal data collection on behalf of a controller or handler of the collection is obliged to maintain the secrecy and protection of the data. Article 23. In order to ensure secrecy and protection of personal data, the controller must apply adequate technical and organizational measures. Article 24.
Data Protection Principles - 4
Openness. A data controller shall keep records of each personal data collection indicating its practices regarding that data collection and shall submit those records to the Data Protection Directorate, which shall compile and publish them. Articles 27-30.
Accountability and Enforcement. The data “controller” should be accountable for complying with the protections and a process is created for data subjects to enforce their rights under the law. Articles 18-22; Articles 37-47 (creation and competencies of the Directorate); Articles 49-50 (penal provisions).
EU Electronic Communications Privacy Directive
Spam - opt-in (prior relationship - opt-out)
Traffic data marketing - opt-in
Cookies - opt-out
clear and precise information on their purposes and the opportunity to refuse them.
Directories - opt-out
Data retention - permitted but not required for law enforcement or national security - disclosure requires independent approval
Article 28 of the EU Directive, Articles 37-48 of Macedonian law
Eight inter-related roles (Article 41):
Chief Privacy Officers
Ministries and other governmental bodies
Privacy Impact Assessments
“An assessment of any actual or potential effects that an activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.”
Hong Kong, Canada, New Zealand, Australia, and US
Privacy Impact Assessments
A description of the proposed project, the types of personal data that will be collected or used and how they will be disseminated or retained;
An explanation of who will have access to the data.
A Privacy Analysis that identifies how the new project or practice will impact individual privacy.
A Risk Assessment that lists the privacy risks that have been identified and an analysis of how those risks may affect individuals and the success of the project.
A discussion of appropriate technical, procedural or other safeguards that can be adopted to protect privacy.
Recommendations for how the project’s privacy risks should be managed.
Privacy Impact Assessments
Examples of when a PIA is appropriate:
creation of public health databases;
proposals to add new biometrics to national ID cards;
proposals to create new law enforcement computer systems;
any proposed law that would require private businesses to collect information on their customers;
creation of new databases or modifying the scope or use of databases that contain personal information;
establishment of electronic toll systems on highways;
the installation of closed circuit cameras in public places.
PIA usually does not result in recommendation against system - it shows how to implement the system in a manner consistent with fair information practices.
Example: Court Records Online
Retain the traditional policy that court records are presumptively open to public access.
As a general rule, access should not change depending upon whether the court record is in paper or electronic form. Whether access is permitted should be the same regardless of the form of the record, although the manner of access may vary.
Example: Court Records Online
The nature of certain information in some court records, however, is such that remote public access to the information in electronic form may be inappropriate, even though public access at the courthouse is maintained;
The nature of the information in some records is such that all public access to the information should be precluded, unless authorized by a judge;
Access policies should be clear, consistently applied, and not subject to interpretation by individual court or clerk personnel.
Enforcing Data Protection
Central Register of Data Collections
Success of e-commerce depends on legal system recognizing and promptly enforcing electronic contracts (business to business and business to consumer)
Consumer protection includes
Prohibition on misleading advertising
Regulation of consumer financial services and credit
Rules against fraudulent billing
Right to refund if goods are not delivered or defective
Before closing contract, consumer should be provided
Identity and address of supplier
Description of goods and their price
Procedure for payment, delivery and performance (if buying a service)
Notice of “right of withdrawal”
European Parliament & Council Directive 97/7/EC (17 February 1997) on the protection of consumers in respect of distance contracts