Cybersecurity Strategy, Law, and Policy
In today’s world, cybersecurity is crucial to protect individuals, organizations, and governments from the various cyber threats they face. Cybersecurity has become more critical as the world becomes more reliant on technology. Cybersecurity strategy, law, and policy help governments and organizations to implement measures to protect their assets and information from cyber-attacks. In this article, we will discuss the essential elements of a cybersecurity strategy, law, and policy, along with the latest trends in the field.
A cybersecurity strategy is a set of actions and processes that an organization or government follows to protect its assets and information from cyber threats. A cybersecurity strategy involves identifying and mitigating risks, establishing security controls, and monitoring and assessing security performance. The strategy must be adaptable to changes in technology and the cyber threat landscape.
According to a recent report by Deloitte, organizations should consider the following elements when developing their cybersecurity strategy:
Risk assessment and management
Security awareness and training
Incident management and response
Continuous monitoring and improvement
Cybersecurity laws aim to regulate cyber activities and protect individuals, organizations, and governments from cyber threats. Cybersecurity laws can vary depending on the country or region. Cybersecurity laws cover various areas, including data protection, privacy, cybercrime, and national security.
In 2018, the European Union implemented the General Data Protection Regulation (GDPR), a data protection law that regulates how organizations handle personal data. The GDPR imposes heavy fines on organizations that fail to comply with its provisions. The GDPR has become a model for data protection laws in other countries.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) is responsible for managing cybersecurity-related matters. CISA works with other government agencies and the private sector to develop and implement cybersecurity policies and regulations.
A cybersecurity policy is a set of guidelines and procedures that an organization or government follows to protect its assets and information from cyber threats. A cybersecurity policy covers various areas, including access control, incident management, and security awareness.
The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework that organizations can use to develop their cybersecurity policies. The NIST framework consists of five functions:
Identify
Protect
Detect
Respond
Recover
The field of cybersecurity is continually evolving, and new trends emerge regularly. Below are some of the latest trends in cybersecurity:
Artificial intelligence (AI) and machine learning (ML) are increasingly being used in cybersecurity to detect and respond to cyber threats. AI and ML can analyze vast amounts of data quickly and accurately, allowing organizations to respond to threats more efficiently.
The Internet of Things (IoT) is becoming more prevalent, and as a result, the number of devices connected to the internet is increasing. This poses a significant cybersecurity threat as these devices are often vulnerable to cyber-attacks.
Cloud computing is becoming more popular, and organizations are increasingly moving their data and applications to the cloud. This presents a new set of cybersecurity challenges as organizations must ensure that their cloud infrastructure is secure.
Cyber insurance is becoming more prevalent, with organizations purchasing insurance policies to protect themselves from financial losses resulting from cyber-attacks.
Cybersecurity strategy, law, and policy are essential components of protecting individuals, organizations, and governments from cyber threats. A robust cybersecurity strategy, coupled with effective cybersecurity laws and policies, can help mitigate the risk of cyber-attacks. As the field of cybersecurity continues to evolve, organizations and governments must stay up to date with the latest trends and adapt their cybersecurity measures accordingly.
Deloitte. (2019). Global Cybersecurity Survey. Retrieved from https://www2.deloitte.com
Cybersecurity Strategy, Law, and Policy
Part 3: Private Sector Organizations
The Implementation of an Equivalent Framework to the GDPR in the United States
The General Data Protection Regulation (GDPR) has been in operation since 2018 and regulates the processing of personal data by organizations that have establishments in the European Union (E.U.) (Cusick, 2018). Processing covers the collection, use, storage, organization, disclosure, or any other operation performed on personal data. Personal data is any information that relates to either an identified or an unidentified individual. Through the GDPR, several requirements have been put in place for the controllers and processors of personal data. The controller is the party that determines the purpose and means of personal data processing, while the processor processes the data on behalf of the controller.
From a regional perspective, the GDPR applies to establishments in the E.U. It also applies to companies not established in the E.U. that offer products or services to persons in the E.U. or that monitor the behavior of individuals located in the E.U. (Cusick, 2018). Given how interconnected the global business environment is, many businesses offer goods and services to consumers in the E.U. through online platforms. It is important to note that the GDPR applies to these businesses even if they are not located within the E.U. (Congressional Research Service, 2019).
Currently, the United States has no data protection law equivalent to the GDPR. The country has a mosaic of distinct state and federal laws, some of which differ markedly despite governing similar issues. There is also no central authority responsible for enforcing the various data protection laws (Council on Foreign Relations, 2018). The U.S. federal government approaches privacy and security by regulating particular sectors and types of sensitive information, for instance health and financial data, which has created overlapping and contradictory protections. For example, health information in the U.S. is governed by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is the primary health privacy and security law but applies only to “covered entities” that hold protected health information (Council on Foreign Relations, 2018). Federal regulators have indicated that most American citizens do not know where their health information is stored or at what point it is no longer protected. They also do not understand which security standards apply in different instances.
Apart from the challenges raised by the distinct federal laws, state laws have added to the patchwork when it comes to data breaches. States recognize that the extensive collection of personal information has put the privacy and security of this information at risk (Council on Foreign Relations, 2018). California implemented the first data breach notification law in 2003. Another 48 states followed suit, requiring individuals to be notified when their personal information is compromised. These laws differ widely and are, at times, incompatible in the categories and types of personal data that need protection, the entities they cover, and even the definition of a breach (Council on Foreign Relations, 2018).
Furthermore, the enforcement of these laws is complicated, with the Federal Trade Commission (FTC) attempting to formulate a data security baseline through over 60 different enforcement actions. Additionally, some companies have started to push back against the FTC’s legal authority to monitor data security practices, and the FTC still has limited jurisdiction over financial institutions, insurance companies, non-profit organizations, and some internet service providers. These numerous challenges could be resolved by having a uniform data protection law, as the GDPR is in the European Union.
Nonetheless, it is crucial to assess whether a law equivalent to the E.U.’s GDPR is required and should be implemented in the United States. The E.U. has taken a completely different approach, not only in applying specific regulations but also in elevating data privacy into the domain of individual rights. From its first paragraph, the GDPR states that protecting natural persons with regard to the processing of personal data is a fundamental human right. It also devotes a whole chapter to the “rights of the data subject.” These rights include the right to access data, the right to correct inaccurate data, the right to move data to a different provider or platform, and the right to erasure, also known as the right to be forgotten (Berman, 2018). While these rights are not absolute, they have no apparent counterpart in U.S. law, and some of them could conflict with existing U.S. legal rights. The European Court of Justice (ECJ) has interpreted the right to be forgotten as requiring companies such as Google to remove certain negative news pieces, published long ago and no longer considered relevant, from their search engine results. In the United States, this would run against the First Amendment free speech rights provided by the American constitution.
When people refer to “GDPR-like” protections, they are highlighting the data “rights” that the United States has chosen not to elevate to the status of fundamental rights (Berman, 2018). Additionally, the GDPR allows the processing of personal data only where it fits one of six legal bases; any other processing of personal data is considered unlawful. One of the legal bases is consent, which uses a far more restrictive definition than in the United States. For instance, it is challenging under E.U. law to prove that a worker gives free consent when consent is part of the job requirements. Some E.U. countries have even raised substantial doubt as to whether consent will remain a viable basis for processing data under the GDPR.
Additionally, the GDPR sets up a whole regulatory framework that extends beyond rights and responsibilities. Companies are required to appoint a Data Protection Officer, undertake regular Privacy Impact Assessments, and incorporate particular clauses in contractual agreements with their third parties that restrict the transfer of personal data outside the E.U., while the regulation provides both a government enforcement mechanism and a private right of action for parties who believe their data privacy rights have been violated (Berman, 2018). The GDPR mandates that companies report data breaches within a short window of 72 hours. This mandate is similar to U.S. data breach notification laws. The GDPR also carries steep fines for non-compliance, which can reach 20,000,000 euros or 4% of global revenues. If the U.S. were to implement a regulatory framework similar to the GDPR with such extensive fines, these penalties would likely dwarf the largest settlements that have resulted from data breaches in the U.S. Notably, even without the penalties, complying with a regulatory framework like the GDPR is very complicated. The rules would affect companies financially, given the millions of dollars required.
In the United States, Congress is responsible for making federal laws that apply across the country. However, getting legislation as complex as the GDPR approved would be a considerable undertaking, considering how gridlocked Congress can be. For instance, privacy legislation that could be considered simple compared to the GDPR has stalled for some time in recent years. This privacy legislation would set federal standards for how companies and agencies report data breaches. Incidents such as the hacking of the White House Office of Personnel Management in 2014, which led to the theft of personal information belonging to an estimated 22 million federal workers, would have been addressed by the legislation, but it has repeatedly ended in a dead end.
There was also constant uproar over the use of millions of Facebook users’ data by the political consultancy Cambridge Analytica, which prompted lawmakers to propose a flurry of new privacy-related laws. One existing bill would expand the FTC’s authority and impose further restrictions on data collection, and another would give individuals greater control over their information and what companies may do with it. Similar laws exist, but it takes a great deal of effort to rally legislators to support the measures. Resistance arises not only from the legislative environment but also from the powerful tech lobby, which critically scrutinizes proposals to ensure they will not hurt its businesses. Moreover, because the GDPR focuses on protecting European citizens from services largely provided from the United States, some policymakers may view such a regulation as a way for the E.U. to impose a privacy tax on the country’s companies.
Congress is not eager to penalize and tax United States corporations, especially given the electoral mandate to regulate and tax less that was delivered in 2016 (Hawkins, 2018). Furthermore, there are differing views and complications in framing these regulations. For instance, some legislators want stronger data protection laws to handle scandals, while others call for a mandate for encrypted communication systems designed to protect users’ data. These conflicting demands undermine each other, which points to the extensive and tiring process that drafting a GDPR framework for the United States would entail. Furthermore, there is not enough public demand from citizens for proper data protection laws (Hawkins, 2018). The country has been known to apply emergency fixes to grievous events that have no lasting impact.
Conversely, others argue that the ripple effects of the GDPR are already being felt in the United States and that Europe is already doing something on the latter’s behalf. This is because most companies above a certain size are already adopting GDPR-friendly practices that apply to every user regardless of territory. Notably, a public appetite for data privacy regulation is required so that legislators will listen and prioritize implementing one.
If the United States plans to adopt a framework similar to the GDPR, it will need to meet three requirements. The first is that its companies will need to augment or replace their impenetrable and unreadable terms of service agreements with a clear and simplified description of the personal data they handle (Berman, 2018). The second is that companies will have to provide particular information to consumers whenever the latter request it. The third is that the country will need to formulate a single national liability scheme focused on data privacy and its breaches. There will also be a need to clarify the government’s ability to penalize companies for violations and to allow individuals to sue when they are victims of data breaches (Berman, 2018). The Facebook scandal illustrated several shortcomings in United States privacy laws that hinder proper data protection and would complicate a harmonized framework, especially one with these requirements. Most of these shortcomings would barely be addressed by copying the GDPR.
While an equivalent of the GDPR could be implemented in the United States, numerous factors would hinder its proper formulation and implementation. Currently, the U.S. is focused on protecting data as a commercial asset, while the GDPR prioritizes individual rights over business rights (Coos, 2018). Both objectives are important, since neither party can do without the other. It may be difficult for the United States to adopt a framework similar to the GDPR, but it is proper to have policies that ensure a balance between both objectives.
Part 5: Cybersecurity Technologies
Incorporation of Blockchain Technologies for Cybersecurity Purposes
Cybersecurity crimes have become the latest challenge that individuals and entities have been forced to make a top priority, regardless of the industry they belong to. Cybercrime has been seen to creep into any system, whether a business system, a healthcare system, or an educational institution (Parmar, 2019). The crimes primarily entail stealing, manipulating, or destroying data for malicious ends such as extracting ransoms. It is fair to state that the web’s ecosystem is one place vulnerable to cyber attacks. Notably, the cost of handling malware attacks is extensive, with companies expected to spend an estimated $2.4 million to cover the damages suffered. To this effect, companies are now required to invest in technology to prevent cyber-attacks and cushion themselves from the resulting losses. I.T. analysts have predicted investments of about $1 trillion in cybersecurity between 2020 and 2025 to rule out cyber threats.
One of the technologies that continues to prove significant in cybersecurity is blockchain technology. Companies such as IBM, General Motors, and NASA have made considerable investments in blockchain technology to protect their information and prevent floating. The technology uses blockchains as distributed networks, which can contain millions of users (Horbenko, 2020). Each user is allowed to add information onto the blockchain, and all the information is protected through cryptography. Each member of a particular network is required to verify that the data added onto the blockchain is genuine. The verification process involves a system of three keys: public, private, and receiver keys. These keys permit the members to examine the data’s integrity and also its source. A verified piece of data forms a block, which is then added onto the chain. Blockchain users employ their respective keys and robust computer systems that run algorithms to solve complex mathematical problems (Horbenko, 2020). Solving a problem allows a block to be added to the chain. The information in a block that has been added to the chain will exist forever within that network without being altered or deleted.
For a particular piece of data within the blockchain, its owner must add a new block of updated data after the previous blocks, creating a specific chain of code. Regardless of how minute the change to the information, the whole chain must change accordingly to reflect the difference from the previous block. To this effect, every change to a piece of data can be tracked, and none is lost or deleted. Users can go back to previous versions of a block and identify the differences from the latest version. This also acts as a thorough form of record-keeping, as the system can detect blocks with incorrect or false data. Through this technology, one is assured not only of the security of one’s information but also that the data will not be lost, damaged, or corrupted.
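The block-and-chain mechanics described above can be made concrete with a small Python sketch. This is an added example, not code from the original paper or from any of the sources it cites; it assumes a single-writer ledger in which each block commits to the SHA-256 hash of its predecessor (no network, consensus, or key-based verification), and the record names and amounts in the demos are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # placeholder "previous hash" for the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str      # hash of the preceding block: the link that forms the chain
    record_id: str      # which piece of data this block is a version of
    payload: Dict       # the data itself (constructed sample values in the demos)
    hash: str           # SHA-256 over all of the fields above


def compute_hash(index: int, prev_hash: str, record_id: str, payload: Dict) -> str:
    """Canonical JSON, then SHA-256, so identical content always yields the same hash."""
    material = json.dumps(
        {"index": index, "prev": prev_hash, "id": record_id, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class Ledger:
    """Append-only hash chain: each block commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, record_id: str, payload: Dict) -> Block:
        index = len(self.blocks)
        prev_hash = self.blocks[-1].hash if self.blocks else GENESIS_HASH
        block = Block(index, prev_hash, record_id, payload,
                      compute_hash(index, prev_hash, record_id, payload))
        self.blocks.append(block)
        return block

    def verify(self) -> Optional[int]:
        """Return None if every block is intact and correctly linked,
        otherwise the index of the first block that fails the check."""
        expected_prev = GENESIS_HASH
        for b in self.blocks:
            if b.prev_hash != expected_prev:
                return b.index          # link to the predecessor is broken
            if compute_hash(b.index, b.prev_hash, b.record_id, b.payload) != b.hash:
                return b.index          # contents no longer match the stored hash
            expected_prev = b.hash
        return None

    def history(self, record_id: str) -> List[Dict]:
        """All versions of one record, oldest first (nothing is ever overwritten)."""
        return [b.payload for b in self.blocks if b.record_id == record_id]

    def latest(self, record_id: str) -> Optional[Dict]:
        versions = self.history(record_id)
        return versions[-1] if versions else None


def sample_ledger() -> Ledger:
    """Constructed sample data: two versions of one record plus an unrelated record."""
    ledger = Ledger()
    ledger.append("asset-42", {"owner": "alice", "amount": 100})
    ledger.append("asset-42", {"owner": "alice", "amount": 90})   # an update is a new block
    ledger.append("asset-7", {"owner": "bob", "amount": 5})
    return ledger


def in_place_edit_demo() -> Optional[int]:
    """Silently editing an old block's contents: its stored hash no longer matches."""
    ledger = sample_ledger()
    ledger.blocks[1].payload["amount"] = 9000
    return ledger.verify()


def rewrite_block_demo() -> Optional[int]:
    """Replacing block 1 with a freshly hashed forgery: block 2 still points at the
    old hash, so the break shows up one block later. Every later block would have to
    be rewritten as well, which is what makes retroactive changes visible."""
    ledger = sample_ledger()
    old = ledger.blocks[1]
    forged_payload = {"owner": "mallory", "amount": 90}
    ledger.blocks[1] = Block(old.index, old.prev_hash, old.record_id, forged_payload,
                             compute_hash(old.index, old.prev_hash, old.record_id, forged_payload))
    return ledger.verify()


if __name__ == "__main__":
    ledger = sample_ledger()
    print("intact:", ledger.verify())
    print("versions of asset-42:", ledger.history("asset-42"))
    print("in-place edit detected at block", in_place_edit_demo())
    print("rewritten block detected at block", rewrite_block_demo())
```

The two demos show the two ways the paragraph's guarantee holds: an edit to stored contents is caught by the block's own hash, and a forged replacement block is caught by the next block's `prev_hash`, so an attacker would have to rewrite every subsequent block. In a real distributed network the other participants hold copies of the chain and would reject such a rewritten history; this single-process sketch leaves that out.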
Methods in which Blockchain Technology can Provide Revolutionary Cybersecurity
The application of blockchain technology for cybersecurity purposes offers numerous benefits, but it does not mean that the systems are immune from cyberattacks. Through the security provided by network ledgers, networks gain a robust security method. Still, it is not a guarantee that individual participants are entirely protected, and they should still follow other cybersecurity measures (Butcher & Blakey, 2019). Entities must distinguish blockchain technology from its operational environment when assessing cyber risks. The risks and issues that a body should look into when considering the implementation of blockchain technology for cybersecurity purposes include: how the technology is to protect transaction data, the transaction validation risks and corresponding threats to blockchain integrity, whether the technology relies on external data or other risky resources, and other cyber vulnerabilities (Butcher & Blakey, 2019).
After understanding its cyber risks, an entity can incorporate blockchain technology in various ways to protect itself. One of these is the protection of edge computing through the technology’s authentication elements. The greater the demand to access and distribute data in real time, the higher the need for edge and fog computing devices and storage (Ocampos, 2020). These permit the processing and storage of data in close proximity to the source and the consumers; blockchain technologies provide a solution to secure IoT through rigid authentication, better data attribution, and improved record management. The advanced confidentiality and data integrity achieved through the access controls and restrictions within this technology are another way it boosts cybersecurity. Currently, different industries use private blockchain systems to ensure their information remains confidential and only authorized parties gain access to it. The encryption employed by these technologies ensures that external parties cannot access the data, in part or in whole, even during transmission.
Blockchain technologies allow secure private messaging because the communication platforms have been secured (Ocampos, 2020). Cyber attackers will find it difficult to penetrate such systems for malicious attacks. Several applications have also been developed that incorporate blockchain private messaging, providing better security than encryption. The improved Public Key Infrastructure (PKI) provided by blockchain technologies ensures that users can keep their computer systems, including their online credentials, safe and secure. PKIs are known to rely on third-party certificate authorities to keep applications, emails, and websites secure (Ocampos, 2020). The certificate authorities are responsible for issuing, revoking, or storing key pairs. They are constantly targeted by hackers who use bogus identities to gain access to encrypted communication. Nonetheless, through blockchain technology the keys are encoded, reducing false key generation and identity theft of authorized accounts. Any activities that raise eyebrows as to their intent are quickly identified, allowing the prompt implementation of risk mitigation measures.
Another way the technology ensures cybersecurity is through an intact Domain Name System (Ocampos, 2020). The technology offers an approach to storing the DNS that comprehensively boosts its security by removing compromisable targets. Malicious activities by cyber attackers that could bring down DNS service providers such as PayPal are impeded. The technology also allows the decentralization of computer systems, which protects against distributed denial of service (DDoS) attacks (Ocampos, 2020). The application of blockchain technology provides numerous ways to protect computer systems and their information from cybersecurity risks and threats.
Some of the companies utilizing blockchain technology include PolySwarm Marketplace, which has decentralized threat detection, allowing individuals across the globe to become participants (Networks, 2020). It also rewards submissions with correct assertions, encouraging its experts to keep learning and innovating, which leads to higher cybersecurity levels. The Agricultural Bank of China is currently implementing a decentralized network that will permit its e-commerce merchants to receive agricultural loans without any collateral (Castillo, 2018). Certcoin is another company utilizing blockchain technology, through its authentication approaches for the internet (Networks, 2020). Conventional approaches include certificate authorities and webs of trust. However, these two have their limits, the former because of its reliance on third parties and the latter because of its high entry barrier. Notably, the company has devised a method to decentralize the process, eliminating any middleman authorities and leveraging the distributed nature of the blockchain. This allows the creation of an auditable certification ledger that is also available to the public without a single point of failure.
Policies or Laws Needed for the Use of Blockchain Technologies in Certain Industries
The regulation of privacy and data protection is essential when it comes to blockchain technology. These two issues have always raised debate, with many commentators stating that blockchain technology is not compatible with privacy laws (Salmon & Myers, 2019). The initial objective of blockchain technology was to enable peer-to-peer transactions without requiring middlemen. In a public blockchain system that operates without any permission, no party takes responsibility for the availability or the security of that particular network. Users of the network will, however, gain access to the network’s data. These attributes conflict with many privacy regulations, which require the party controlling an individual’s personal information to safeguard the privacy and security of that information on behalf of the individual, who is the “data subject.” Those involved in a blockchain network must have defined obligations so that all users respect the applicable privacy laws.
The second issue is the taxation frameworks for digitized economies built on blockchain technologies. Taxation frameworks are supposed to help address environmental and profit-shifting concerns (Salmon & Myers, 2019). Some governments have decided to implement broad-based virtual profit allocation regulations rather than rely on existing permanent-establishment rules. Others continue to enforce pre-existing policies. However, there is still ongoing discussion on the implications of blockchain and distributed ledger technology platforms. For instance, it is still debated whether cryptocurrencies should be taxed as assets on a capital gains basis with no VAT imposed. In terms of taxation of these technologies, it is evident that government authorities face complex matters in bringing in competitive tax practices that balance the implementation of the technologies against the government imposing the right taxes without impeding their application (Salmon & Myers, 2019).
Another issue is whether the regulators within the different industries understand the benefits and implications of applying blockchain technologies. These authorities must fully comprehend the technologies in order to bring in policies that ensure their players gain the most from them. For instance, financial industry regulators need to work with the technology industry to understand blockchain systems and ensure they bring in policies that allow the systems to be exploited to their full potential. Regulators are responsible for creating a proper business environment for the individuals or entities they govern.
Berman, S. P. (2018, May 23). GDPR in the U.S.: Be careful what you wish for. Retrieved from https://www.govtech.com/analysis/GDPR-in-the-US-Be-Careful-What-You-Wish-For.html
Butcher, J. R., & Blakey, C. M. (2019). Cybersecurity tech basics: Blockchain technology cyber risks and issues: Overview. Practical Law.
Castillo, M. D. (2018, July 3). Big blockchain: The 50 largest public companies exploring blockchain. Retrieved from https://www.forbes.com/sites/michaeldelcastillo/2018/07/03/big-blockchain-the-50-largest-public-companies-exploring-blockchain/#613e0e262b5b
Congressional Research Service. (2019). Data protection law: An overview. Retrieved from https://fas.org/sgp/crs/misc/R45631.pdf
Coos, A. (2018, January 17). E.U. vs. the U.S.: How do their data privacy regulations square off? Retrieved from https://www.endpointprotector.com/blog/eu-vs-us-how-do-their-data-protection-regulations-square-off/
Council on Foreign Relations. (2018). Reforming the U.S. approach to data protection and privacy. Retrieved from https://www.cfr.org/report/reforming-us-approach-data-protection
Cusick, J. (2018). The General Data Protection Regulation (GDPR): What organizations need to know. C.T. Corporation Resource Center.
Hawkins, D. (2018, May 25). The Cybersecurity 202: Why a privacy law like GDPR would be a tough sell in the U.S. Retrieved from https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/05/25/the-cybersecurity-202-why-a-privacy-law-like-gdpr-would-be-a-tough-sell-in-the-u-s/5b07038b1b326b492dd07e83/
Horbenko, Y. (2020, July 1). Using blockchain technology to boost cybersecurity. Retrieved from https://steelkiwi.com/blog/using-blockchain-technology-to-boost-cybersecurity/
Networks, T. (2020, June 29). Meet the four companies using blockchain in cybersecurity. Retrieved from https://www.turrito.com/meet-the-4-companies-using-blockchain-in-cybersecurity/
Ocampos, J. (2020, April 20). Contribution of blockchain to cybersecurity. Retrieved from https://theblockchainland.com/2020/03/23/contribution-blockchain-cybersecurity/
Parmar, H. (2019, October 18). How does blockchain technology impact cybersecurity? Retrieved from https://thenextscoop.com/blockchain-technology-impact-cyber-security/
Salmon, J., & Myers, G. (2019). Blockchain and associated legal issues for emerging markets.