This article analyzes the cyber security strategies of several countries by focusing on public-private partnership, one of the common grounds of those strategies. In particular, it examines how each country establishes the institutional framework for partnership in infrastructure protection. The analysis is limited to the United States, the European Union and Japan.
By Kyoung-Sik Min, Seung-Woan Chai and Mijeong Han
The Cyber Security Policy of the United States (US)
The current cyber security policy of the US is based on the Comprehensive National Cybersecurity Initiative (hereafter CNCI), launched by the Bush administration on January 8, 2008. The Obama administration, which took office in January 2009, placed cyber security at the top of its agenda and published the Cyberspace Policy Review (hereafter CPR) in the same year; much of current US cyber security policy rests on the CPR. The CPR lists 10 near-term and 14 mid-term action items and, among the near-term items, calls for an effective information-sharing and incident response system. That item, followed by the National Cyber Incident Response Plan (hereafter NCIRP) issued by the Department of Homeland Security in September 2010, paved the way for a public-private information cooperation system. The NCIRP, which focuses on developing a response mechanism for 'critical cyber incidents', aims to establish a strategic framework covering organizational roles and responsibilities, action plans, countermeasures and recovery plans for responding to such incidents.
Taking the September 11 attacks as a turning point, the US government came to regard major infrastructure as a target of cyber threats, treated the issue as a matter of national security, and implemented related executive orders. In March 2003, under the Homeland Security Act enacted in November 2002, the US government consolidated the multiple existing departments charged with infrastructure protection into a single organization, the Department of Homeland Security, which holds exclusive responsibility for protecting national infrastructure. In addition, the Obama administration controls and directs the implementation of national cyber security policy through the National Security Council, under the direct control of the White House, and through the appointment of a Cybersecurity Coordinator in the White House. Regarding public-private information cooperation, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was signed by President Obama in February 2013. The executive order provides for the following.
First, it directs the Secretary of Homeland Security, the Attorney General, the Director of National Intelligence and the Secretary of Defense to share cyber threat information with critical infrastructure owners and operators as the information-sharing measure in this field. Second, it directs the Department of Homeland Security to lead the formation of a consultative process on the cyber security of critical infrastructure with stakeholders. Furthermore, under the leadership of the National Institute of Standards and Technology (NIST), a Baseline Framework to Reduce Cyber Risk to Critical Infrastructure was to be developed. However, the executive order cannot mandate adoption of the framework; it only aims to support each organization in strengthening its cyber security voluntarily. The degree of US government intervention in cyber security policy and the related public-private partnership is therefore currently based on Voluntary Self-regulation, and the US government also tries to remove obstacles to self-regulation. Additionally, various information cooperation systems and support organizations have been established under the leadership of the Department of Homeland Security.
These, however, are not enforcement bodies; they act as intermediaries for effective information sharing. US government intervention in cyber security policy could also be strengthened: Assaf (2008) notes that Enforced Self-regulation is already applied to the chemical and energy industries. As an indication of such a shift, the cyber security legislation the Obama administration has pursued alongside Executive Order 13636 is quite likely to extend Enforced Self-regulation to industries beyond chemicals and energy. That legislation has not yet been finalized, partly because some of its provisions overlap with other laws, but the US government continues to try to move from Voluntary Self-regulation toward Enforced Self-regulation.
The Cyber Security Policy of the European Union (EU)
The Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace was presented by the European Commission (EC) on February 7, 2013. The strategy builds on the action plan of the 'Digital Agenda for Europe (DAE)', presented in 2010 as the EU's comprehensive digital strategy. The DAE consists of 101 actions in 7 pillars, 13 of which relate to cyber security.
Of these, the Commission placed 7 actions among its top priorities, and the Cybersecurity Strategy of the European Union can be regarded as one outcome of those 7 actions. The Cybersecurity Strategy sets out 5 strategic priorities and a coordination scheme composed of stakeholders from the relevant public and private organizations, such as the EC, ENISA (the European Union Agency for Network and Information Security) and EC3 (the European Cybercrime Centre), to carry them out. Alongside the strategy, a binding Directive on Network and Information Security (NIS) was proposed to give the priorities legal force. The NIS Directive, which aims to protect information security by setting a unified EU standard, provides for the monitoring of online resilience and the establishment of CERTs. The fact that the EU's existing voluntary regulatory system had not responded adequately to cyber attacks and cyber threats was the impetus for proposing the NIS Directive.
Under these circumstances, the EU is moving toward guidelines that allow more government intervention. Article 2 of the proposed NIS Directive provides for minimum harmonization: under that article, a minimum set of unified cyber threat response measures applies to EU member states and enterprises, while further security measures may be developed according to each state's situation. In other words, the NIS Directive sets the minimum obligations that EU members must comply with. Moreover, ENISA, established in 2004 to support the information security measures of EU members, plays an important role in the enforcement and management of the various measures based on the NIS Directive. ENISA published National Cyber Security Strategies: Setting the course for national efforts to strengthen security in cyberspace as a strategy guideline for member states in May 2012, and National Cyber Security Strategies: Practical Guide on Development and Execution in December of the same year. Furthermore, with the adoption of a regulation strengthening its functions in June 2013, ENISA's support for cyber security policy and legal institutions was expanded.
As a result, its capacity to intervene in member states' policies and institutions was expanded as well. For public-private cooperation in the EU, EP3R (the European Public-Private Partnership for Resilience) was established, with ENISA as the basis of its information-sharing network. EP3R is a framework that encourages both government and private sectors to participate in policy making and strategic decision making for critical infrastructure protection and the strengthening of resilience.
Essentially, EP3R aims to build an environment for trusted collaboration. To this end, a so-called Voluntary Self-regulation system, in which participation is limited to selected members, is applied. However, the EU is also expected to shift toward Enforced Self-regulation once EP3R's authority is strengthened by the implementation of the cyber security strategy and the NIS Directive.
Cyber Security Policy of Japan
In December 2004, Japan began reorganizing the functions and systems related to information security, re-examining the government's roles and functions in order to strengthen a government-centered system. In April 2005, Japan established the National Information Security Center (hereafter NISC) as the control tower for information security under government authority. NISC is responsible for formulating national information security strategy and serves as an all-source situation room in an emergency. It also sets the safety standards that define the level of protection measures for critical infrastructure, and manages the CEPTOAR Council, which aims at public-private cooperation. Japan set out its basic idea and policy direction for information security in The First National Strategy on Information Security: Toward the creation of a trustworthy society in 2006. Since then Japan has continuously established and revised its information security strategies, and in 2013 adopted a cyber security strategy. In that strategy, recognizing the importance of cyberspace, the area of protection was expanded from an information-security-centered strategy to a cyber security strategy. Japan's cyber security strategy has much in common with that of the US, such as the establishment of public-private cyber security standards and the formation of information-sharing systems among stakeholders. Japan also seeks to exercise global leadership by presenting the J-initiative for Cybersecurity.
In particular, Japan also makes an effort to contribute to the formation of international cyber security standards. In Japan's case, the degree of government intervention is defined by Voluntary Self-regulation, and each government department manages its own public-private cooperation system. For instance, the Ministry of Internal Affairs and Communications organizes a public-private council with telecommunications companies, Telecom-ISAC Japan, and the Ministry of Economy, Trade and Industry manages an information cooperation system with the manufacturing industry through the Initiative for Cyber Security Information sharing Partnership of Japan (J-CSIP). Each government department thus promotes its own cooperation with the private sector case by case. However, Japan has expressed its willingness to implement government-driven strategies by forming a cyber security governance council that encourages public-private partnership, as a means of overcoming difficulties in interdepartmental cooperation.
About The Authors:
Kyoung-Sik Min, Seung-Woan Chai and Mijeong Han of Korea Internet and Security Agency
Publication Details
This article is an extract from the paper "An International Comparative Study of Cyber Security Strategy", published in International Journal of Security and Its Applications, Vol. 9, No. 2 (2015), pp. 13-20, http://dx.doi.org/10.14257/ijsia.2015.9.2.02
This is an open access article distributed under the Creative Commons Attribution License by the original publisher.