Environ Syst Decis (2013) 33:536–543 DOI 10.1007/s10669-013-9470-5
Trends in cyberspace: can governments keep up? Patryk Pawlak • Ce´cile Wendling
Published online: 31 August 2013 Springer Science+Business Media New York 2013
Abstract Whether carried out by individuals or states, cyberattacks are both growing in number and becoming more sophisticated. Since the attack on Estonian cyber infrastructure in 2007, many other examples of massive attacks have been reported. The use of spyware and malware—such as with Stuxnet, DuQu or Flames—to disrupt critical infrastructure has made headlines, questioning the ability of governments and private actors to respond to cyber threats. A broad array of potential threats poses a substantial challenge to existing governance structures, which are often behind the curve in comparison with the dynamically evolving cyberspace. Using existing literature and recent foresight studies, the article analyses the trends in the governance of cyberspace and their implications for governments and global regulatory regimes. Keywords Cybersecurity Cybercrime International cooperation Government response Policy making
The views expressed here are those of the authors and should not be attributed to the EUISS. P. Pawlak European Union Institute for Security Studies (EUISS), 100, Avenue de Suffren, 75015 Paris, France e-mail:
[email protected] C. Wendling Centre de sociologies des organizations, CNRS-Sciences PO, Paris, France C. Wendling (&) 19 rue Ame´lie, 75007 Paris, France e-mail:
[email protected]
123
1 Introduction The growing number and increasingly multifaceted nature of cyberattacks on governmental and private sector networks have intensified the discussion about cybersecurity. There are many prominent examples: in 2007, the Estonian government and parliament, as well as the country’s banks and political parties, were all subject to a massive cyberattack in the form of a distributed denial of service; malware or spyware programmes such as Stuxnet, DuQu or Flames were used to disrupt the functioning of nuclear facilities in Iran; and the online services of the Polish government were attacked in protest against the adoption of the ACTA, resulting in the eventual rejection of the agreement. These new, more aggressive forms of cyber activity and the emergence of non-governmental actors as agents in both international and domestic policymaking processes raise numerous questions about the future of cybersecurity. A broad array of potential threats poses a substantial challenge to existing global governance structures, which are often behind the curve in comparison with the dynamically evolving cyberspace. At the same time, the development of policies targeting different threats in the cyberspace has more often than not occurred in isolation, resulting in the divergence and compartmentalisation of policies. Using existing literature and foresight studies as a point of departure, the purpose of this article is to identify trends in the governance of cyberspace and assess their implications for the capacity of any state in performing their main functions. It should be noted that the aim is not to present an exhaustive list of studies conducted by governments, research institutes or private sector bodies (for an extensive discussion of issues related to the governance of the cyber environment, see Lord and Sharp 2011), nor is it possible
Environ Syst Decis (2013) 33:536–543
to provide an in-depth analysis of these trends in a single article. Instead, the intention is to signal the main features and trends with regard to cyberspace. The importance of planning for cyber-incidents—and in particular the analysis of trends for that purpose—is made all the more vital in light of the current reductions in defence spending. Consequently, gaining a better understanding of the situation and the processes behind policy making is the first step for a more strategic allocation of limited resources. With the threats evolving at such a high speed, the questions which this article aims to answer are as follows: can governments keep up and if so, how is this to be achieved? This article begins by providing a short overview of existing studies and reports on the challenges in cyberspace. It is clear that this is a non-exhaustive list, which aims solely to set the scene for the analytical section of the article and is not meant to provide a detailed analysis of specific challenges and instruments for which numerous studies originating from the private sector are available (Depository Trust and Clearing Corp 2013; Symantec 2013; McAfee 2013). Later in the text, the analysis of governmental responses to cyber threats is organised according to typical state functions and the levels of responsibility. Ultimately, this article argues that, given the regulatory compartmentalisation, growing number of actors involved in cybersecurity, and the rapidly evolving nature of challenges, an uninterrupted provision of state functions in cyberspace is nigh on impossible within an international system based on traditionally defined statehood. The answer to the problems of cyber governance, therefore, will need to be designed around policy processes that go beyond hierarchically organised state structures.
2 State of play: a more complex cyberworld In terms of the evolution of the risk and threat landscape, it is the number of attacks and changes in the nature and complexity of the threat that are the predominant themes in policy and academic debates (Lewis and Neuneck 2013). Depending on the identity of their agents, illegal cyber activities can yield significant benefits, including direct material gains, access to sensitive information about clients, competitors or even law enforcement agencies. In the realm of interstate relations, cyberattacks give smaller states and non-state actors the possibility to compensate for their military inferiority whilst at the same time equipping great powers with a means to coerce weaker actors (Tessier Stall 2011). A substantial part of the existing literature focuses on questions concerning the protection of the information, critical infrastructure and the use of cyber instruments to conduct warfare, i.e. attacks on computers and their data, computer networks and systems dependent
537
on computers. Since in the majority of cases, the resources needed to conduct a massive cyberattack are assumed to be in the hands of state, the term ‘cyber war’ is often utilised. Also commonly referenced is ‘network warfare’, a term which refers to the military application of cyber instruments with the objective of denying adversaries the use of their own computers and networks. Cyberattacks are also conducted by non-state actors, leading to a further focus of governmental activities in the realm of criminal law in order to fight cyber-espionage, cyberterrorism or broadly defined cybercrime. One principal problem in developing strategic approaches to cybersecurity is the dissonance between the easiness with which an attack can be conducted as opposed to growing challenges associated with their detection and prevention (Table 1). In particular, the speed with which threats are evolving (hundreds of millions of malware variations already exist) makes it increasingly difficult for signature-based anti-malware to keep up. The asymmetry between defence and offence is therefore identified as a major issue, and research is already underway to restore the balance. But despite this step, the existing situation nevertheless poses a serious challenge for the policymakers because their decision-making processes tend to adapt to technological advancements at a much slower pace (I3P 2003). A potential solution might be the development of capabilities that allow access to and analysis of information about individuals who may pose a threat to national security. The emergence of such capabilities would allow for a system that closely monitors cyberattacks whilst relying firmly on legislation and regulation to eradicate ethical or legal vulnerabilities. It should be acknowledged, however, that such a preventive approach does indeed limit the privacy of individuals or organisations. With the public authorities currently in possession of few ways to control the system, individuals and businesses are consequently either developing their own capabilities in order to protect themselves from cyberattacks or they retreat altogether from an overreliance on cyberspace (using paper again rather than computers). Another challenge for governments is posed by the limited resources available. Cybersecurity comes at a cost, and with national defence budgets currently under constant scrutiny, the pressure on monetary resources is growing. Justifying resources devoted to cybersecurity— which is perceived mostly as a hypothetical threat— therefore becomes more complicated given a limited availability of hard data on how the investments in field deliver concrete results. Whilst more and more data are becoming available, precise information and exact details remain limited, which in turn complicates the assessment of the impact that cyberattacks may have in the close future. This is mostly due to the lack of transparency:
123
538
Environ Syst Decis (2013) 33:536–543
Table 1 Offensive and defensive cyber capabilities Threat
Offensive capabilities
Defensive capabilities
Scanning
Deep web scanning
Clean metadata
Identifying vulnerabilities
Open source scanning
Encryption
Port and address scanning
Port relocation
Social media scanning
Proxies
Vulnerability scanning
Reduce information
Penetration/escalation
Brute force cracking
Antivirus/antimalware
Compromising and accessing systems
Malware/backdoors
Intrusion detection systems
Phishing/pharming
Intrusion prevention systems
Physical tempering
Least privilege policy
Public exploits
Penetration testing
Social engineering Zero day exploits
Regular software patching Strong password policies System hardening Vulnerability assessment
Surveillance
Key logging/screen grabbing
Encryption
Monitoring data and communications
Packet sniffing/interception
Hardware shielding
System fingerprinting
Traffic monitoring
Wiretapping/eavesdropping Exfiltration
Analogue exfiltration
Employee screening
Extracting and sending information
Network exfiltration
Restricting physical access
Physical exfiltration
System hardening
Obfuscation
File manipulation
Backup logging
Disguising and hiding an attack
IP address spoofing
File monitoring
Traffic monitoring
Log manipulation Proxy routing Access
Virtual private networks (VPN) Custom malware
Defence in depth
Opening a system to attack
Zero day exploits
Intrusion detection systems Intrusion prevention systems
Disrupt
Denial of service (DOS)
Disaster recovery planning
Degrading and disrupting systems
Network disconnection
Electronic countermeasures
Physical sabotage
Firewall/router/server rules
System degradation
Redundancy/over-provisioning
Damage
Control system failure
Air-grapping critical systems
Physical or logical damage to systems
Control system manipulation
Electronic countermeasures
Physical sabotage
Redundancy/over-provisioning
System/database damage
System hardening
Source: RAHS (2012), Future stake (Singapore: RAHS), pp. 20–21
states and businesses alike tend to disclose very little information about the attacks on their assets. In the USA, for instance, the credit card giant Visa imposed a $13 million fine on Genesco—a footwear company which suffered a data breach in 2010—for the failure to comply with the Payment Card Industry Data Security Standard, created by Visa, Master Card and American Express. The problem, of course, is finding the investment necessary to improve security standards. According to a 2012 survey
123
conducted by the Ponemon Institute and Bloomberg, achieving the highest possible level of IT security (i.e. capable of repelling 95 % of attacks) would mean nearly a ninefold increase in company spending from the current $5.3 billion (combined) to $46.6 billion (Ponemon Institute 2012). A more recent report by the Centre for Strategic and International Studies puts the cost of cybercrime in context of the global economy, pointing out that it represents a
Environ Syst Decis (2013) 33:536–543
mere 0.4–1.4 per cent of global GDP, compared with $600 billion in losses due to drug trafficking (around 5 per cent of global GDP). Even though the indirect costs (i.e. direct disruption of operations and payment transactions, theft of sensitive data such as trade secrets and credit card information, legal liability and long-lasting harm to a business’s brand) increase this percentage, advocating additional spending on cybersecurity may prove difficult in times of economic crisis. There is also the issue of potential costs that divergent new standards and regulatory tools might have on businesses. Overly stringent regulations, which impose additional burdens on online industries, may have adverse effects on the economy and the businesses, which are essential for the research and development of new technologies (Congressional Research Service 2012). In light of these challenges, the following sections discuss the response undertaken by governments at a national and international level.
3 Governmental responses and global regulatory regimes The governance of cyberspace increasingly challenges the post-Westphalian world order with sovereignty as an organising principle. With an increasing number of threats crossing traditionally defined physical borders, the ability of governments to perform their duties effectively is becoming ever more complicated. The vital task of territorial defence—traditionally performed by the military and under the sole, legitimate responsibility of a state— becomes more complex where the state’s military superiority is of limited use vis-a`-vis an asymmetric threat. Moreover, the enemy is no longer a physically identifiable state but also a more dispersed network of non-state actors operating in the virtual space. In addition to ensuring territorial defence and integrity, governments need to ensure a day-to-day functioning of the state, including administration and provision of basic services (i.e. health care, public order and safety). In performing some of those functions, governments often rely on other actors (i.e. companies, internet providers and citizens), which to varying degrees limits their capability to fully manage the cyber risks. To emphasise this point, Table 2 summarises these functions and the level of governmental control below. An additional complication comes from the fact that the debate about the future of cybersecurity is related to the ongoing discussions about the future of the internet in general and the need to balance security with civil liberties and democratic standards. States are no longer the only actors in these debates, with a number of international organisations positioning themselves on the governance of cyberspace and trying to exercise influence over the political
539
processes involved. They are joining a landscape which is already very complex and densely populated with traditional actors such as the Internet Engineering Task Force (IETF), the Internet Corporation for Assigned Names and Numbers (ICANN) and the World Wide Web Consortium (W3C). In this context, developing governance structures that bring together old and new actors becomes a real challenge, especially in areas where they do not share the same interests, goals or possess differing levels of legitimacy. Despite these hurdles, the common objective for all stakeholders is to ensure the integrity of the system, i.e. no one voluntarily or involuntarily disrupts cyberspace in a manner that could be dangerous for economies, societies, and states. As a consequence, national cybersecurity programmes need to address numerous issues, including organisational structures, government oversight, public–private partnerships, awareness-raising and international cooperation (OECD 2012). The following sections discuss some of the efforts undertaken by states at the national and international level as well as the methods they use to counter the threat of cyberattacks. 3.1 Dealing with threats to a state’s survival Some authors argue that cyberattacks will become more frequent and more intrusive, leading to growing tensions— or even cyber wars—between states (Cornish et al. 2009; Brenner and Clarke 2010; Clarke and Knake 2010). Whereas there is no consensus on the occurrence of a major cyber war in near future, the risks to national security coming from the use of cyber-agents are on the rise. There is also no agreement on what types of actors or countries are more likely to conduct or fall victim to cyberattacks in the near future. Some studies suggest that China and the US experienced the most cyberattacks, whereas India, Pakistan, South and North Korea are reported to have engaged in most attacks in the period between 2001 and 2011 (Valeriano and Maness 2011). There is, however, no conclusive evidence suggesting that this trend will continue in the future. Given the level of uncertainty surrounding the military dimension of cybersecurity and the implications it has for a state’s survival, many states follow two parallel courses of action. On the one hand, they focus on developing military cyber capabilities, with the UK, for example, allocating some €580 million in 2010 to a four-year cybersecurity programme. Canada has also renewed investments in cybersecurity with $155 million spent on the issue in 2012, far more than the $90 million spent in 2010. As the outline for the 2013 budget requests have shown, the US would like to allocate $769 million to the Department of Homeland Security for starting and implementing a host of
123
540
Environ Syst Decis (2013) 33:536–543
Table 2 State functions and nature of cyber threats State functioning
Nature of cyber threat
The level of government control
Attack on military capabilities of a country
Full
Public administration, public order and safety
Attack on government websites or services provided by government (e.g. disabling the functioning of online services, etc.)
Full
Infrastructure services, health, social protection and environmental protection
Attacks on infrastructure that are only partly controlled by the government and are otherwise in hands of private actors or individuals (e.g. attack on energy plants or government services providing health care)
Partial
Broadcasting and publishing services, cultural services
Attack on individuals (e.g. personal websites, social networks, banking information)
Limited
State survival Defence of assets State day-to-day functions
information security initiatives. In 2012, the European Commission committed to a 14 per cent increase for cybersecurity programmes in its long-term budget. An additional €450 million was also assigned to the EU’s Secure Societies Research programme, which includes aspects of cybersecurity. Another course of action is engaging in confidencebuilding measures that aim to improve the coordination between states and reduce the possibilities of conflict. Some processes aiming at enhancing cybersecurity have been put in place between individual countries. For instance, China and the USA pursue a two track dialogue: official high level meetings between senior officials and rather informal dialogues between key unofficial groups (Liberthal and Singer 2012). The main role of the formal and informal meetings is to enhance trust, to develop a common vocabulary and to share views and opinions. The question of the appropriate model of diplomatic cooperation is still open though, with some parallels with arms control or public health cooperation structures currently being explored. This is a particularly pertinent problem given the risk of bipolarisation at the international stage, with the coalition of China, Russia and the Group of 77 fighting for the control of information flaws and a strict control of cyberspace on the one side, and the coalition of developed countries led by the USA and European states on the other. Defining a red line—that is a cyber event that could damage diplomatic relationships or even a trigger military retaliation—is one of the biggest concerns. Some studies have identified the possibility of negative spillovers between ‘traditional’ threats and cyber activities. For instance, more stringent policies towards the security of physical spaces (i.e. border security, restrictions of travel, etc.) could result in the shift terrorist tactics from traditional attacks (i.e. with the use of explosives) towards
123
attacks in cyberspace, which are not subject to similar material constraints. Spillover effects of a minor cyberattack are also identified as a major risk in terms of escalation (Borg 2005). The whole issue gains importance in light of the fact that countries like North Korea or Iran view cyber war as a low-cost strategy to balance off against militarily superior countries like the USA (RAHS Programme Office 2012). In addition, a combination of events could provide an opportunity for a massive disturbance, e.g. conducting a cyberattack during a storm or a pandemic (OECD 2011). Another thorny issue is the lack of an overarching legal framework with regard to cyber defence and cyber offence (Schneider 2013). At the moment, there is no universal legal framework that could categorically resolve whether or not a cyberattack constitutes an act of war. The application of traditional legal concepts of warfare—like the Law of Armed Conflicts—is not that straightforward (Gorman and Bernes 2011). For instance, establishing responsibility for an attack might be difficult given that it is often non-state actors who commit such attacks. Even though since the 9/11 terrorist attacks, states are responsible for preventing attacks originating from their territory, and this principle might be difficult to apply in countries where cyber capabilities are seriously underdeveloped. In addition, attacks are usually operated through several jurisdictions which renders the process of tracing them more difficult and complicates determining responsibility for an attack. Given the interconnectedness of military and civilian networks, it is obvious that certain collateral damage will occur. In such a context, evaluating the costs and designing a proportionate response are complicated further. Nevertheless, some militaries have attempted to establish their own rules of conduct in case of cyberattacks. For instance, the US strategy against cybercrime, announced by the Pentagon in 2011, defined computer
Environ Syst Decis (2013) 33:536–543
sabotage coming from another country as an ‘act of war’ to which the US will respond using traditional military force. The US strategy also foresees coordinating the US cyber war doctrine with security policies of other actors, most notably NATO Cooperative Cyber Defence Centre of Excellence. Cybersecurity has long been on the agenda of NATO and gained particular importance since the 2007 attacks on Estonia. The Alliance has made great advances in the past years in the cybersecurity sector and created several bodies to deal with cyber defence. The NATO strategic framework outlines the organisation’s measures to enhance its resilience capabilities and to strengthen national cybersecurity standards by offering voluntary services to member states. Participants at the Prague Summit in 2002 decided to advance cybersecurity defence mechanisms and laid the ground for cyber initiatives within NATO: the Communication and Information Systems Services Agency (NCSA), described as the Alliance’s ‘first line of defence against cyber terrorism’, and the Information Security Technical Centre (NITC), responsible for communications and computer security. In addition, the Emerging Security Challenges Division coordinates the political and strategic overview of the defence measures of the organisation. The Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established to act as a hub for expertise, scientific research and development. Following the Bucharest Summit in 2008, the NATO Cyber Defence Management Authority (CDMA) was created in order to unite the main bodies in NATO’s cyber defence activities. The multi-layered approach of the organisation indicates the adoption of a flexible approach to cybersecurity—close to the American one—rather than attempting to face the emerging challenges with a fixed set of norms and guidelines.
541
denial of service, which means the computer or the network is made unavailable or put out of service. This aspect is particularly pertinent for countries where so-called e-government functions are quite advanced and an attack prevents the state from properly functioning (i.e. as was the case of cyberattacks on Estonia). In addition to traditional critical infrastructure (bridges, electricity plants, etc.), the focus of the policy discussions shifts towards the protection of other physical assets like deep-sea cables, satellites and other lines of communication. In that context, the security of supply chains and minimising the threat of inbuilt cyber vulnerabilities is a major issue. Intentional hooking or compromising of software or microchips is made possible thanks to a global supply chain, which does not allow for accurately tracing the full origin of the products’ components (Georgia Institute of Technology 2013). Furthermore, an increasing reliance on new technologies in healthcare systems offers not only opportunities for more efficient system management but also exposes patients and medical facilities to new vulnerabilities (National Cybersecurity and Communications Integration Center 2012). Network-based energy and water management infrastructures are exposed to similar risks (FEMA 2011). Governments and the international community have responded to these emerging challenges in several ways, with the focus of their efforts on capacity building and the fight against cybercrime. •
3.2 Dealing with threats to state functions Another dimension is the capacity of states to deal with cyber threats with a potential to paralyse or even render impossible the delivery of basic services, thereby undermining the functioning of a state. One of the recent studies on the future of cybersecurity identified eight key innovations which will shape the future risks and threats landscape: the cloud, big data, the internet of things, mobile internet, the neuronal interface, contactless payments, mobile robots, quantum computing and the militarisation of cyberspace (Dupont 2012). The cloud and big data are mentioned in particular as two major sources of risk. The extensive usage of mobile device and wireless technology adds complexities and offers new potential vulnerabilities for cyber attackers to exploit (UK Cabinet Office 2008). Typical cybersecurity issues rely on the installation of malware or on the so-called distributed
•
Cybercrime and cyberterrorism: The most overarching cybersecurity scheme is offered by the United Nations which focuses on two key aspects: cybersecurity and terrorism (mainly dealt within the UN Security Council’s Counter-Terrorism Committee) and cybersecurity as a socio-cultural issue. The OECD plays the role of a facilitator in developing guidelines, identifying best practices and assisting in devising cybersecurity policies. On the law enforcement side, Interpol is playing an increasing role in the promotion of information exchange, the provision of training courses and the coordination of international operations. It also assists member countries in the event of cyberattacks, provides investigatory support, develops strategic partnerships with other international organisations and the private sector and aims at identifying emerging threats. In the European Union, the operational responsibility mainly lies with Europol and the recently established European Cybercrime Centre (EC3). Capacity building in less developed countries: Several regional bodies established working groups on cybersecurity with the aim of strengthening their cyber capacities, although the efforts are unequal. The SubGroup on High-Tech Crime in the G8 has as an
123
542
Environ Syst Decis (2013) 33:536–543
objective to prevent, investigate and prosecute cyber and technology-related crimes. More recently, their responsibility is also to cover the field of terrorism. The group has established a Network of Contacts for HighTech Crime as well as a Critical Information Infrastructure Protection (CIIP) Directory facilitating emergency response and support (Bendiek 2012). The African Union’s framework on cybersecurity is still in its early stages. However, there are increasing efforts— especially under UN guidance—to develop a framework on cybersecurity. The Extra-Ordinary Conference of African Union Ministers in charge of Communication and Information Technology recognised in 2009 the need for enhancing cybersecurity. Given the limited resources of some of the member states, the conference requested the African Union Commission to develop jointly with the United Nations Economic Commission for Africa (UNECA) a convention on cyber legislation. Hence, UNECA is addressing the issue of cybersecurity within the framework of the African Information Society Initiative (AISI) and in cooperation with the African Union. The aim of the joint effort is to create a standard legal framework in particular in the area of cybercrime, define key terminologies and developed general principles on international cooperation. Moreover, standards on personal data protection, electronic transactions and certification are to be established. Consequently, a draft for a convention of cybersecurity has been proposed. Despite those numerous efforts, several issues still need to be resolved. Often silo approaches prevail, which means that different government services at national level do not share information concerning a particular threat. To ensure the protection of critical infrastructure and cybersecurity, cross-governmental organisations are needed to share knowledge, to develop synergies and obtain comprehensive overviews of existing risks and how best to address them. Local and regional levels of government must also not be neglected. Different structures have been established to bring together different parts of government managing cybersecurity issues and as some examples demonstrate, this task is more easily achieved if there is a clear mandate from the highest authority. In the USA, President Obama issued a presidential directive which gave legitimacy to the actors in charge of cross-institutional cooperation on cybersecurity, most notably the national cybersecurity division based at the Department for Homeland Security. In France, a government agency ANSSI in charge of coordinating various actors responsible for cyberspace suffered problems in integrating all components of cybersecurity due to their differing missions and objectives. For this reason, the white book on security stressed the key
123
coordination role given to ANSSI and helped this new institution gain credit and recognition inside the French administration. Second, public–private partnerships are important to align the concerns and interests of public and private actors at least in two domains: strategic R&D and global supply chain management. These partnerships will help integrate the strategic level of policy making and the tactical or individual level of technology management. However, a proliferation of public–private partnerships in the field of cybersecurity could also lead to unnecessary duplication of efforts and confusion in the sharing of cybersecurity information. An open question is hence the model of public–private partnership that should be favoured in the future (Shore et al. 2011). There are also numerous implications for societies at large which gave rise to the discussion about cyber-resilience (World Economic Forum 2012). The objective is to combine a culture of cyber awareness, a culture of cyber responsibility and a culture of flexible networks. The first one concerns the localisation of highly skilled ICT experts and the countries which can attract them might be better prepared to defend cyber interests and critical infrastructure. In addition, there is a need for an extensive cyber education and training (Kay et al. 2012) for state and local authorities as well as major private companies. Therefore, a key requirement is to strengthen the cyber educational capacity at school and universities but also through lifelong training. Human resources departments should add to their recruitment schemes the cyber capacity of the individual and provide training schemes that address the cybersecurity dimension. In addition, senior levels of leadership must be able to demonstrate the importance of cybersecurity both in the public and in the private sector. Most of the time, they rely on information technology, which was primarily developed for efficient purposes more than for security purposes. 4 Conclusions A quick look at the existing studies and policy responses to cyber threats points to a clear fragmentation of approaches, which are driven by policy, legal or technological considerations and as such rarely include all stakeholders: public administration, businesses, citizens, the research community or relevant international players. As a consequence, the knowledge about cybersecurity and the future of cyberspace remain scattered. In addition, the priority assigned to cybersecurity depends partly on the level of a country’s development. Any discussion about the future of cybersecurity, therefore, needs to reflect these differences and focus not only on advanced mechanisms but also on
Environ Syst Decis (2013) 33:536–543
basic capacity building. These also reflect different priorities assigned to various stages of the policy planning: some favour prevention to response and other focus more on hard law approaches rather than soft law mechanisms. As this article demonstrates, there is a clear need for a more comprehensive approach to cybersecurity that will move beyond the existing institutional or conceptual dividing lines. It is only such an approach that can be of use in the development of more strategic policy-making processes and allow governments to keep up with the rapidly evolving nature of cyber threats.
References Bendiek A (2012) European cybersecurity policy. SWP website www. swp-berlin.org/fileadmin/contents/products/research_papers/ 2012_RP13_bdk.pdf. Accessed 15 June 2013 Borg S (2005) Economically complex cyberattacks. Secur Priv 3(6):64–67 Brenner SW, Clarke LL (2010) Civilians in cyberwarfare: casualties. SMU science & technology law review 13.3. http://works. bepress.com/susan_brenner/3. Accessed 15 June 2013 Clarke RS, Knake RK (2010) Cyber war. HarperCollins, New York Congressional Research Service (2012) Cybersecurity, selected legal issues. April 2012. http://www.fas.org/sgp/crs/misc/R42409.pdf. Accessed 15 June 2013 Cornish P, Hughes R, Livingstone D (2009) Cyberspace and the national security of the united kingdom, threats and responses. Chatham house report, March 2009 Depository Trust & Clearing Corp (2013) Beyond the horizon. A white paper to the industry on systemic risk. August 2013. http:// www.dtcc.com/downloads/leadership/whitepapers/Beyond_the_ Horizon_White_Paper_Systemic_Risk.pdf. Accessed 10 Aug 2013 Dupont B (2012) L’environnement de la cyberse´curite´ a` l’horizon tendances, moteurs et implications.Note de recherche 14 Centre International de Criminology Compare. Universite´ de Montre´al, Montreal FEMA (2011) Critical infrastructure. Strategic foresight initiative. June 2011. http://www.fema.gov/pdf/about/programs/oppa/ critical_infrastructure_paper.pdf. Accessed 15 June 2013 Georgia Institute of Technology (2013) Emergening cyberthreat report 2013. http://www.gtcybersecuritysummit.com/pdf/ 2013ThreatsReport.pdf. Accessed 15 June 2013 Gorman S, Bernes JE (2011) Cyber combat: act of war. Wall Str J. 31 May 2011 Institute for Information Infrastructure Protection (2003) Cybersecurity, research and development agenda. http://www.cyber.st.dhs.
543 gov/docs/I3P%20Research%20Agenda%202003.pdf. Accessed 15 June 2013 Kay DJ, Pudas TJ, Young B (2012) Preparing the pipeline: the US cyber workforce for the future. Defense horizons. National Defense University, August 2012 Lewis AJ, Neuneck G (2013) The Cyber Index. International security trends and realities. New York and Geneva, United Nations Institute for Disarmament Research Liberthal K, Singer PW (2012) Cybersecurity and US-China relations. Brookings Institution. February 2012 Lord KM, Sharp T (2011) America’s cyber future. Security and prosperity in the information age. Center for a New American Security. June 2011 McAfee (2013) 2013 Threat predictions. http://www.mcafee.com/us/ resources/reports/rp-threat-predictions-2013.pdf. Accessed 10 Aug 2013 National Cybersecurity and Communications Integration Center (2012) Attack surface: healthcare and public health Sector. http://info.publicintelligence.net/NCCIC-MedicalDevices.pdf. Accessed 15 June 2013 OECD (2011) Future global shocks, improving risk governance. OECD Review of Risk Management Policy. http://www.oecd. org/governance/48256382.pdf. Accessed 15 June 2013 OECD (2012) Cybersecurity policy making at a turning point: analysing new generation of national cybersecurity strategies for the internet economy. OECD digital economy papers 21. OECD Publishing. http://dx.doi.org/10.1787/5k8zq92vdgtl-en. Accessed 15 June 2013 Ponemon Institute (2012) 2012 Cost of Cyber Crime Study: United States. http://www.ponemon.org/local/upload/file/2012_US_ Cost_of_Cyber_Crime_Study_FINAL6%20.pdf. Accessed 15 June 2013 RAHS (2012) Future stake. RAHS, Singapore Schneider B (2013) Cyberconflicts and national security. UN Chronicle. 18 July 2013 Shore M, Du Y, Zeadally S (2011) A public-private partnership model for national cybersecurity. Policy Internet 3:1–23 Symantec (2013) 2013 Internet Security Threat Report, Volume 18. http://www.symantec.com/security_response/publications/threat report.jsp. Accessed 10 Aug 2013 Tessier Stall S (2011) The future of cybersecurity. The Hague Centre for Strategic Studies and TNO. Paper No 2001–04. http://www. inteltimes.net/wp-content/uploads/2012/09/The-Future-ofCyber-Security.pdf. Accessed 15 June 2013 UK Cabinet Office (2008) Data handling procedures in government: final report. June 2008. http://webarchive.nationalarchives.gov. uk/?/http://www.cabinetoffice.gov.uk/media/65948/dhr080625. pdf. Accessed 15 June 2013 Valeriano B, Maness R (2011) Cyberwar and rivalry: the dynamics of cyber conflict between antagonists. University of Illinois, Chicago World Economic Forum (2012) Risk and responsibility in a hyperconnected world. Pathways to global cyber resilience. June 2012
123