
Bridging the Standardization Gap: Lessons from EU and US Cybersecurity Initiatives

This workshop focuses on the cybersecurity-related standardization initiatives in the European Union (EU) and the United States (US), examining their key concerns, effects on the private sector, privacy and security interests of consumers, and discussing the lessons for developing countries. It tackles the appropriateness of pan-European rules, compliance costs, obligations to report cyberattacks, misdirection of funds, voluntary standards turning into mandatory regulations, and the need for investment in cybersecurity and development of best practices.

tolson

Presentation Transcript


  1. ITU Regional Workshop on Bridging the Standardization Gap (Yangon, Myanmar, 28-29 November 2013)
     Cybersecurity-Related Standardization Initiatives in the EU and the U.S.: Lessons for Developing Countries
     Nir Kshetri, Professor, The University of North Carolina—Greensboro
     nbkshetr@uncg.edu

  2. The EU and US cybersecurity strategies (CSS) Kshetri & Murugesan (2013).

  3. Key Concerns
     EU CSS
     • Appropriateness of pan-European rules
     • Compliance costs: concerns of the private sector’s confidentiality, extra costs and possible damage to reputation.
     • Obligation to report cyberattacks: “vague”/little to protect EU citizens' data stored outside the EU
     • Misdirection of funds away from the police into intelligence agencies
     US EO
     • Voluntary standards may turn into mandatory regulations (de facto requirements).
     • Too much focus on information sharing/little to address problems related to insecure systems.
     • Firms outside of critical infrastructure: EO does little to enhance CS.

  4. Effects on the Private Sector
     EU CSS
     • Further development of European PPP for resilience/cooperation/info. sharing with pub. authorities.
     • Investment in CS/dev. of best practices: TDL/other initiatives.
     • Robust/user-friendly security features in products/services.
     • Cloud providers: reduce reliance on foreign suppliers.
     • Members: compel firms (transport, telecoms, finance, energy, health, online infra.) to disclose details of cyberattacks to the national CERT.
     US EO
     • Defense and intelligence agencies would share classified cyberthreat data with companies.
     • Incentives to follow security standards.
     • Companies are not required to publicly disclose breaches unless identifying information (e.g., credit card or Social Security numbers) is involved.

  5. Effects on Privacy and Security Interests of Consumers
     EU CSS
     • Defensible and preferable in promoting privacy and security interests of consumers.
     US EO
     • White House: shared information would be limited to cyberthreats and would not contain the contents of private emails.
     • The flow of data is one-way: private-sector firms not required to release information about clients.
     • Better protect privacy than the CISPA (ACLU).
     • “privacy-neutral way to distribute critical cyber information”

  6. Discussion of EU and US CSS
     • Both incomplete/lack teeth and legitimacy
     • Companies’ failure to spend sufficient resources/efforts to protect networks:
       • Bloomberg Government study: to prevent 95% of potential cyberattacks, 172 organizations need to spend $47b: 774% higher than current spending.
       • Absence of regulatory requirements: no incentive to spend on cybersecurity.

  7. Discussion of EU and US CSS
     • Fail to acknowledge: lack of CS professionals.
       • The U.K.’s National Audit Office: 20 years to bridge CS skills gap.
       • NIST: > 700,000 new CS professionals needed in the U.S. by 20
     • Both inward-oriented
       • Huawei: importance of working globally
       • US-China Business Council: asked US and Chinese governments to work together

  8. Lessons for Developing Countries
     • Sound cybersecurity standard/regulatory framework: participation of governments, business, IT industry, law enforcement agencies and the public
     • Common goal: cyberspace safe and secure, leaving their
     • Working with other national govts, political parties:
       • beyond vested national or political party interests

  9. Conclusions and Recommendations
     • Increasing importance of CSS for developing countries
     • National security, economic growth, trade and investment politics, international relations and other implications
     • Higher degree of vulnerability
     • Manpower challenges a higher concern
