

5 Tensions Between Cybersecurity and Other Public Policy Concerns
Pages 93-115



From page 93...
... This chapter elaborates on some of the most significant tensions.

5.1 ECONOMICS

Economics and cybersecurity are intimately intertwined in the public policy debate in two ways -- the scale of economic losses due to adversary operations for cyber exploitation and the effects of economics on the scope and nature of vendor and end-user investments in cybersecurity.
From page 94...
... -- A second type of information is information about an individual organization's cybersecurity posture. For example, individual organizations in particular sectors of the economy can determine and adopt appropriate best-practice cybersecurity measures for those sectors.
From page 95...
... • Direct regulation. Regulation would be based on enforceable mandates for various cybersecurity measures.
From page 96...
... Under development as this report is being written, the framework is a set of core practices to develop capabilities to manage cybersecurity.3 To encourage critical infrastructure companies to adopt this framework, the administration has identified a number of possible incentives that it is currently exploring, including:4
• Special consideration in the awards process for federal critical infrastructure grants;
• Priority in receiving certain government services, such as technical assistance in non-emergency situations;
• Reduced tort liability, limited indemnity, higher burdens of proof to establish liability, or the creation of a federal legal privilege that preempts state disclosure requirements; and
• Public recognition for adopters of the framework.

5.1.2 Economic Impact of Compromises in Cybersecurity

Regarding the negative economic impact of compromises in cybersecurity, numbers as high as $1 trillion annually have been heard in the public debate, and in 2012, the commander of U.S.
From page 97...
... Uncertainties also apply to valuing the loss of sensitive business information (such as negotiating strategies and company inside information)
From page 98...
... Policy actions that detract from the ability of the private sector to innovate are inherently suspect from this perspective, and in particular policy actions to promote greater attention to cybersecurity in the private sector often run up against concerns that these actions will reduce innovation. The logic of reducing time to market for information technology products or services runs counter to enhancing security, which adds complexity, time, and cost in design and testing while being hard to value by customers.
From page 99...
... In some cases, closing down access paths and introducing cybersecurity to a system's design slows it down or makes it harder to use. Other security measures may make it difficult to get work done or cumbersome to respond quickly in an emergency situation.
From page 100...
... Privacy interests attach to the gathering, control, protection, and use of information about individuals. Privacy and cybersecurity intersect in a number of ways, although the security of information against unauthorized access is different than privacy.8 In one basic sense, cybersecurity measures can protect privacy -- an intruder seeking ostensibly private information (e.g., personal e-mails or photographs, financial or medical records, phone calling records)
From page 101...
... If the entities with whom the information is shared are law enforcement or national security authorities, privacy concerns are likely to be even stronger.

5.3.2 Free Expression

Freedom of expression, which includes freedom of religion, freedom of speech, freedom of the press, freedom of assembly, and freedom to petition the government, encompasses civil liberties that are often infringed
From page 102...
...

5.3.3 Due Process

An important element of protecting civil liberties is due process -- the state cannot deprive individuals of civil liberties in the absence of due process. Some cybersecurity measures can put pressure on due process.
From page 103...
... There is broad agreement that Internet governance includes management and coordination of the technical underpinnings of the Internet such as the Domain Name System, and development of the standards and protocols that enable the Internet to function.10 A more expansive definition of Internet governance, for which there is not broad international agreement, would include matters such as controlling spam; dealing with use of the Internet for illegal purposes; resolving the "digital divide" between developed and developing countries; protecting intellectual property other than domain names; protecting privacy and freedom of expression; and facilitating and regulating e-commerce.11 International debates over what should constitute the proper scope of Internet governance are quite contentious, with the United States generally arguing for a very restricted definition and other nations arguing for a more expansive one, and in particular for a definition that includes security from threats in cyberspace. But different nations have different conceptions of what constitutes a threat from cyberspace.
From page 104...
... For example, the United States is on record as promoting cybersecurity internationally, as illustrated in the 2011 White House International Strategy for Cyberspace, a document stating that "assuring the free flow of information, the security and privacy of data [emphasis added], and the integrity of the interconnected networks themselves are all essential to American and global economic prosperity, security, and the promotion of universal rights."12 The United States also collects information around the world for intelligence purposes, and much of such collection depends on the penetration of information technology systems and networks to access the information transiting through them.
From page 105...
... But measures taken to facilitate CALEA-like access by authorized parties sometimes have the effect of reducing the security of the systems affected by those measures.13 Efforts continue today to introduce means of government access to the infrastructure of electronic communications,14 and some of these efforts are surreptitious. Regardless of the legality and/or policy wisdom of these efforts, a fundamental tradeoff faces national policy makers -- whether reduced security for the communications infrastructure is worth the benefits of gaining and/or continuing access to adversary communications.
From page 106...
...

Distinguishing Between Cyber Operations Conducted for Different Purposes

In the cybersecurity domain, norms of behavior are contentious as well. For example, the United States draws a sharp line between collecting information related to national security and foreign policy and collecting information related to economic and business interests, arguing that the first constitutes espionage (an activity that is not illegal under international law)
From page 107...
... Revising this policy would call for relaxation of the current restraints on U.S. policy regarding intelligence collection for the benefit of private firms, thus allowing such firms to obtain competitively useful and proprietary information from the U.S.
From page 108...
... During such periods, military action may be more likely, and it is entirely plausible that both sides would increase the intensity of the security scans each conducts on its critical systems and networks. More intense security scans often reveal offensive software agents implanted long before the onset of a crisis and that may have been overlooked in ordinary scans, and yet discovery of these agents may well prompt fears that an attack may be impending.16 Technical difficulties in distinguishing between exploitations and attack (or preparations for attack)
From page 109...
... One issue is that nonstate actors may have access to some of the same cyber capabilities as do national signatories, and nonstate actors are unlikely to adhere to any agreement that restricts their use of such capabilities. Another issue is the difficulty of tracing cyber intrusions to their

17 Much of the discussion in this section is based on Herbert Lin, "A Virtual Necessity: Some Modest Steps Toward Greater Cybersecurity," Bulletin of the Atomic Scientists, September 1, 2012, available at http://www.thebulletin.org/2012/september/virtual-necessitysome-modest-steps-toward-greater-cybersecurity.
From page 110...
... Last, ambiguities between cyber exploitation and cyberattack complicate arms control agreements in cyberspace. A detected act of cyber exploitation may well be assessed by the target as a damaging or destructive act, or at least the prelude to such an act, yet forbidding cyber exploitation would go far beyond the current bounds of international law and fly in the face of what amounts to standard operating procedure today for essentially all nations.
From page 111...
... Whether the challenges described above convincingly and definitively refute, even in principle, the possibility of meaningful arms control agreements in cyberspace is open to question today. What is clear is that progress in cyber arms control, if it is feasible at all, is likely to be slow.
From page 112...
... To manage the risks associated with a globalized supply chain, users of the components it provides employ a number of strategies, sometimes in concert with each other:18
• Using trusted suppliers. Such parties must be able to show that they have taken adequate measures to ensure the dependability of the components they supply or ship.
From page 113...
... As a matter of logic, it is clear that offensive operations can be conducted for cyber defensive purposes and also for other purposes.19 Furthermore, according to a variety of public sources, policy regarding offensive operations in cyberspace includes the following points:
• The United States would respond to hostile acts in cyberspace as it would to any other threat to the nation, and reserves the right to use all necessary means -- diplomatic, informational, military, and economic -- as appropriate and consistent with applicable international law, in order to defend the nation, its allies, its partners, and its interests.20
• The laws of war apply to cyberspace,21 and because the United States has made a commitment to behaving in accordance with these laws, cyber operations conducted by the United States are expected to conform to the laws of war.
• Offensive operations in cyberspace offer "unique and unconventional capabilities to advance U.S.
From page 114...
... Some of the significant differences include the fact that attribution is much more uncertain, the ability of nonstate actors to interfere in the management of a conflict, and the existence of a multitude of states that have nontrivial capabilities to conduct cyber operations. Last, the fact that the Department of Defense is willing to consider undertaking offensive operations in cyberspace as part of defending its own systems and networks raises the question of whether offensive operations might be useful to defend non-DOD systems, and in particular to defend entities in the private sector.
From page 115...
... Alternatively, it might encourage a free-for-all environment in which any aggrieved party anywhere in the world would feel justified in conducting offensive operations against the alleged offender. This debate is not likely to be settled soon.

