SITREP | Comparative Analysis of Cyber-Security Strategies : U.S., European Union and Japan
IndraStra Global

By Kyoung-Sik Min, Seung-Woan Chai and Mijeong Han

This article analyzes several countries' cyber security strategies by focusing on public-private partnership, which is one of the common grounds of those strategies. In particular, it examines how each country establishes the institutional framework for partnership in critical infrastructure protection. The subjects of analysis are limited to the United States, the European Union and Japan.

The Cyber Security Policy of the United States (U.S.)

The current cyber security policy of the US is based on the Comprehensive National Cybersecurity Initiative (hereafter CNCI), launched by the Bush administration on January 8, 2008. The Obama administration, which took office in January 2009, put cyber security at the top of its agenda and presented the Cyberspace Policy Review (hereafter CPR) in May of the same year; much of current US cyber security policy traces back to it. The CPR sets out 10 near-term and 14 mid-term action items, and lists the establishment of effective information sharing and incident response systems among the near-term items. This item, followed by the National Cyber Incident Response Plan (hereafter NCIRP) released by the Department of Homeland Security (DHS) in September 2010, paved the way for a public-private information cooperation system. The NCIRP focuses on developing a response mechanism for 'significant cyber incidents' and aims to establish a strategic framework covering the roles and responsibilities of organizations, action plans, countermeasures and recovery plans for responding to such incidents.

Taking 9/11 as a turning point, the US government included critical infrastructure among the targets of cyber threats, began treating the issue as a matter of national security and issued related executive orders. In March 2003, under the Homeland Security Act enacted in November 2002, the US government consolidated the multiple existing departments charged with infrastructure protection into one organization, the Department of Homeland Security, which is responsible for the protection of national critical infrastructure. In addition, the Obama administration controls and directs the implementation of national cyber security policy through the National Security Council, under the immediate control of the White House, and through the appointment of a White House Cybersecurity Coordinator. Regarding public-private information cooperation, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was signed by President Obama in February 2013. The executive order provides for the following.

First, it directs the Secretary of Homeland Security, the Attorney General, the Director of National Intelligence and the Secretary of Defense to expand the sharing of cyber threat information with the private sector, on a voluntary basis, as the information-sharing measure in this field. Second, it directs DHS to lead a consultative process on the cyber security of critical infrastructure with stakeholders. Furthermore, under the leadership of the National Institute of Standards and Technology (NIST), the Baseline Framework to Reduce Cyber Risk to Critical Infrastructure (the Cybersecurity Framework) was developed. However, the executive order cannot make the framework mandatory; it only establishes a voluntary program to support each organization in strengthening its own cyber security. The degree of US government intervention in cyber security policy and the related public-private partnership therefore rests on Voluntary Self-regulation, and the US government also tries to remove obstacles to the promotion of self-regulation. In addition, various information cooperation systems and support organizations were established under the leadership of DHS.

However, these are not enforceable; they act as mediators for effective information sharing. It is also possible that US government intervention in cyber security policy will be strengthened: Assaf (2008) notes that Enforced Self-regulation is already applied to the chemical and energy industries (the Chemical Facility Anti-Terrorism Standards and the mandatory NERC Critical Infrastructure Protection standards are examples of such regimes). As an indication of a shift toward Enforced Self-regulation, the cyber security legislation that the Obama administration has pursued alongside Executive Order 13636 is likely to extend Enforced Self-regulation to industries other than chemicals and energy. That legislation had not yet been finalized at the time of writing, partly because parts of it overlap with other laws, but the US government continues to try to move from Voluntary Self-regulation to Enforced Self-regulation.

The Cyber Security Policy of European Union (EU)

The Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace was presented by the European Commission (EC) on February 7, 2013. The strategy builds on the action plan of the Digital Agenda for Europe (DAE), presented in 2010 as the EU's comprehensive digital strategy. The DAE consists of 101 actions in 7 pillars, 13 of which relate to cyber security.

In its 2012 review of the DAE, the Commission placed 7 actions at the top of its priorities, and the Cybersecurity Strategy of the European Union can be regarded as one of the outcomes of those priorities. The Cybersecurity Strategy sets out 5 strategic priorities and a coordination scheme consisting of stakeholders in the relevant public and private organizations, such as the EC, ENISA (European Union Agency for Network and Information Security) and EC3 (European Cybercrime Centre), to carry them out. Alongside the strategy, the Commission proposed a Directive on Network and Information Security (the NIS Directive), a legally binding instrument for carrying out the plans. The proposed NIS Directive, which aims to protect information security by setting a unified EU standard, requires member states to establish competent authorities and CERTs and imposes security and incident-reporting obligations on operators. The fact that the EU's existing voluntary regulatory system had not responded adequately to cyber attacks and cyber threats prompted the proposal of the NIS Directive.

Under these circumstances, the EU proposes guidelines that allow more government intervention. Article 2 of the proposed NIS Directive provides for minimum harmonisation: a minimum, unified set of cyber threat response measures applies to EU member states and enterprises, but member states may adopt further security measures in accordance with their own situations. In other words, the NIS Directive sets out minimum obligations that EU members have to comply with. Moreover, ENISA, established in 2004 to support the information security measures of EU members, plays an important role in the enforcement and management of the various measures based on the NIS Directive. In May 2012 ENISA published National Cyber Security Strategies: Setting the course for national efforts to strengthen security in cyberspace as a strategy guideline for member states, and in December of the same year it published National Cyber Security Strategies: Practical Guide on Development and Execution. Furthermore, the new ENISA regulation strengthening the agency's mandate, which entered into force in June 2013, expanded its support for cyber security policy and legal institutions.

As a result, its scope for intervention in member states' policies and institutions was expanded as well. For public-private cooperation in the EU, EP3R (the European Public-Private Partnership for Resilience) was established as an information sharing network supported by ENISA. EP3R is a framework that encourages both government and the private sector to participate in policy making and strategic decision making for critical infrastructure protection and strengthening resilience.

Essentially, EP3R aims to build an environment for trusted collaboration. To this end, a so-called Voluntary Self-regulation system, which allows only limited member participation, is applied. However, it is expected that the EU will also move to Enforced Self-regulation once the authority of EP3R is strengthened through the enforcement of the cyber security strategy and the NIS Directive.

Cyber Security Policy of Japan

In December 2004 Japan began reorganizing the functions and systems related to information security in order to strengthen a government-centered system, re-examining the government's roles and functions regarding the issue. In April 2005, Japan established the National Information Security Center (hereafter NISC) within the Cabinet Secretariat as the control tower for information security. NISC is responsible for formulating the national information security strategy and serves as an all-source situation room in an emergency. It also establishes the safety standards that set the level of protection measures for critical infrastructure and manages the CEPTOAR-Council, which aims at public-private cooperation.

Japan set out its basic ideas and policy direction for information security by establishing The First National Strategy on Information Security: Toward the creation of a trustworthy society in 2006. Since then, Japan has continuously established and revised its information security strategies, and in 2013 it adopted a Cybersecurity Strategy. In this strategy, the scope of protection was expanded from an information security centered strategy to a cyber security strategy that recognizes the importance of cyberspace. Japan's cyber security strategy also has much in common with that of the US, such as the establishment of public-private cyber security standards and the formation of an information sharing system among stakeholders. Besides this, Japan also seeks to exercise global leadership by presenting the j-initiative for Cybersecurity.

In particular, Japan also makes an effort to contribute to the formation of international cyber security standards. In Japan's case, the degree of government intervention is characterized by Voluntary Self-regulation, and each government ministry manages its own public-private cooperation system. For instance, the Ministry of Internal Affairs and Communications organizes a public-private council with telecommunications carriers, Telecom-ISAC Japan, and the Ministry of Economy, Trade and Industry manages an information cooperation system with manufacturers through the Initiative for Cyber Security Information sharing Partnership of Japan (J-CSIP). Each ministry thus promotes its own cooperation with the private sector on a case-by-case basis. However, Japan has expressed its willingness to implement government-driven strategies by forming a cyber security governance council that encourages public-private partnership, as a means of overcoming the difficulties of interdepartmental cooperation.

About The Authors:

Kyoung-Sik Min, Seung-Woan Chai and Mijeong Han are with the Korea Internet & Security Agency (KISA).

Publication Details

This article is an extract from a technical paper titled "An International Comparative Study of Cyber Security Strategy", published in the International Journal of Security and Its Applications, Vol. 9, No. 2 (2015), pp. 13-20.

Copyright © 2015 Kyoung-Sik Min, Seung-Woan Chai and Mijeong Han. This is an open access article distributed under the Creative Commons Attribution License by the original publisher.