1. Yangon, Myanmar, 28-29 November 2013 Cybersecurity-Related Standardization Initiatives in the EU and the U.S.: Lessons for Developing Countries Nir Kshetri Professor, The University of North Carolina—Greensboro nbkshetr@uncg.edu ITU Regional Workshop on Bridging the Standardization Gap (Yangon, Myanmar, 28-29 November 2013)

2. 2 Yangon, Myanmar, 28-29 November 2013

3. 3 Strategy Document EC’s CSS and a proposed directive on network/ information security US EO Released/ signed February 7, 2013February 12, 2013 Key agencies to implement / roles ENISA: Assist the Member States in developing cyber resilience capabilities  Examine the feasibility ICS- CSIRTs Support in Cyber incident exercises to test preparedness/ cope with cyber-disruptions. NIST: develop a CS framework: finalizing voluntary standards and procedures to help companies address CS risks. Pentagon: recommend whether CS standards should be considered in contracting decisions. The EU and US cybersecurity strategies (CSS) Kshetri & Murugesan (2013).

4. 4 Yangon, Myanmar, 28-29 November 2013 Constraints / next steps The European Parliament needs to approve Member States have to write it into national legislation. Weak legal footing It cannot compel firms to comply – only legislation can do that. Vision/pri orities Achieving cyber resilience Reducing cybercrime, Developing cyber defense policy and capabilities related to the Common Security and Defense Policy (CSDP) Developing industrial and technological resources for CS Establishing a coherent international cyberspace policy/promoting core EU values Combat cyberattacks and cyber-espionage on government agencies and critical sectors such as banking, power and transportation industries and U.S. companies. EU CSSUS EO

5. 5 Key Concerns EU CSS  Appropriateness of pan-European rules  Compliance costs : concerns of the private sector’s confidentiality, extra costs and possible damage to reputation.  Obligation to report cyberattacks: “vague”/ little to protect EU citizens' data stored outside the EU  Misdirection of funds away from the police into intelligence agencies US EO  Voluntary standards may turn into mandatory regulations (de facto requirements).  Too much focus on information sharing/ little to address problems related to insecure system.  Firms outside of critical infrastructure: EO does little to enhance CS. Yangon, Myanmar, 28-29 November 2013

6. 6 Effects on the Private Sector EU CSS  Further development of European PPP for resilience/ cooperation/ info. sharing with pub. authorities.  Investment on CS/dev. of best practices- TDL/other initiatives.  Robust/user-friendly security features in products/services.  Cloud providers: reduce reliance on foreign suppliers.  Members: compel firms (transport, telecoms, finance energy, health, online infra.) to disclose details of cyberattacks to the national CERT. US EO  Defense and intelligence agencies would share classified cyberthreats data with companies.  Incentives to follow security standards.  Companies are not required to publically disclose breaches unless identifying information (e.g., credit card or Social Security numbers) is involved. Yangon, Myanmar, 28-29 November 2013

7. 7 Effects on Privacy and Security Interests of Consumers EU CSS  Defensible and preferable in promoting privacy and security interests of consumers. US EO  White House: shared information would be limited to cyberthreats and would not contain the contents of private emails.  The flow of data is one-way: Private-sector firms not required to release information about clients.  Better protect privacy than the CISPA (ACLU).  “privacy-neutral way to distribute critical cyber information” Yangon, Myanmar, 28-29 November 2013

8. 8 Discussion of EU and US CSS Both incomplete/lack teeth and legitimacy Companies’ failure to spend sufficient resources/efforts to protect networks: Bloomberg Government study: to prevent 95% of potential cyberattacks, 172 organizations need to spend $47b: 774% higher than current spending. Absence of regulatory requirements: no incentive to spend on cybersecurity. Yangon, Myanmar, 28-29 November 2013

9. 9 Discussion of EU and US CSS Fail to acknowledge: lack of CS professionals. The U.K.’s National Audit Office: 20 years to bridge CS skills gap. NIST: > 700,000 new CS professionals needed in the U.S. by 20 Both inward-oriented Huawei: importance of working globally US-China Business Council: asked US and Chinese governments to work together Yangon, Myanmar, 28-29 November 2013

10. 10 Lessons for Developing Countries Sound cybersecurity standard/ regulatory framework: participation of governments, business, IT industry, law enforcement agencies and the public Common goal: cyberspace safe and secure, leaving their Working with other national govts, political parties: beyond vested national or political party interests Yangon, Myanmar, 28-29 November 2013

11. 11 Conclusions and Recommendations Increasing importance of CSS for developing countries National security, economic growth, trade and investment politics, international relations and other implications Higher degree of vulnerability Manpower challenges a higher concern Yangon, Myanmar, 28-29 November 2013