Report: BSA International Cybersecurity Policy Framework

The Cybersecurity Policy Framework provides a recommended model for a comprehensive national cybersecurity policy.


Overview

BSA’s International Cybersecurity Policy Framework provides a recommended model for a comprehensive national cybersecurity policy. It is intended to serve as a tool both for policymakers considering foundational cybersecurity legislation and for those examining gaps and shortfalls in existing policies. BSA views strong and smart cybersecurity policy as a critical ingredient to the stability of the Internet and the vibrancy of the global economy. For that reason, BSA will evaluate the proposed policies of governments around the world against the principles articulated by this Framework.

BSA’s Guiding Principles For Cybersecurity Policy

Cybersecurity policies should adopt approaches that are:

  1. Aligned with internationally recognized standards
  2. Risk-based, outcome-focused, technology-neutral
  3. Market-driven where possible
  4. Flexible and adaptable to encourage innovation
  5. Rooted in public-private collaboration
  6. Oriented to protect privacy

Key Elements of a National Cybersecurity Policy


Government Organization and Strategy

Establish a Single National Body Responsible for Cybersecurity

While responsibilities for key policies and activities relating to cybersecurity may be distributed across numerous government agencies, identifying a single government body with lead responsibility for the government’s cybersecurity can ensure clarity, coherence, and coordination in the government’s preparedness for and response to cybersecurity threats and challenges.

Governments should identify a single organization with lead responsibility for cybersecurity and empower that organization to direct and oversee the cybersecurity efforts of other government agencies. In general, because of the broad ramifications for national and international economic interests, overall cybersecurity efforts should be led by a civilian entity.

Clearly Define Stakeholder Roles and Responsibilities

Each nation organizes and governs itself differently, and cybersecurity responsibilities can be effectively assigned and distributed in many different ways. Some nations prefer centralized models with cybersecurity policy efforts limited to a narrow group of government agencies, whereas others prefer models in which responsibilities are more widely distributed across the government.

Whichever model is chosen, it is critical that roles and responsibilities for all relevant stakeholders — including cabinet offices, government agencies, industry stakeholders, and non-government organizations — be clearly defined and assigned in such a way as to avoid confusion or redundancy.

Establish a Functional, Timely Interagency Process

Regardless of how a government organizes itself for cybersecurity, cybersecurity policies will affect the activities and objectives of multiple government agencies, including both civilian and military agencies. A functional interagency process is essential to balancing interests across these agencies and adjudicating disputes when they arise. Moreover, an interagency structure must establish processes to achieve resolution to time-sensitive decisions in a timely manner.

Issue a National Cybersecurity Strategy

A national cybersecurity strategy sets out a nation’s overall approach to cybersecurity, and is a critical document for ensuring national-level strategic and policy coherence. An effective national cybersecurity strategy will outline the cybersecurity threat faced by the nation, identify and prioritize objectives, delineate roles and responsibilities among key government and industry stakeholders, and establish timeframes and metrics for implementation.

Furthermore, it will situate national cybersecurity activities in the context both of international cybersecurity activities and of other national activities that affect cybersecurity efforts. A national strategy is important not only for guiding government initiatives, but also for raising awareness of key issues among decision makers and informing the public about government policies and activities.

Such a strategy should be developed cooperatively through consultation with representatives of all relevant stakeholders, including government agencies, industry, academia, and citizens groups. It should be issued at the national level, ideally by the head of government, and should integrate central, sub-national, and local government approaches, as well as community-based best practices within a national context. Finally, it should include specific taskings, deadlines, and metrics to ensure it is effectively implemented.

Issue a Critical Infrastructure Cybersecurity Strategy

Governments also should assess and establish clear priorities among the critical services and infrastructures that most need protection. For example, electricity grids, water supply systems, and transportation systems serve to meet basic human needs, and generally are prioritized for protection under national critical infrastructure strategies.

Within sectors, however, not all assets, systems, networks, data, and services are equally essential; it is important that the strategy avoid overreaching and imposing compliance burdens where they are not necessary. Treating non-critical systems in the same way as those that are truly critical will not only unnecessarily slow the pace of innovation and growth but also risk misallocating limited security resources.

Accordingly, it is important that decision makers assess the national infrastructure, based on objective criteria and the input of relevant stakeholders, and determine those that are providing critical services and functions, and whose compromise, damage, or destruction through a significant cybersecurity incident could result in significant harm to the public.

As a government assesses and prioritizes critical infrastructures for protection, its results should feed into a critical infrastructure protection plan. Such a plan identifies priority critical infrastructures and outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes.

Maintain Up-to-Date National Cybersecurity Incident Response Plan for Critical Infrastructure

Although a critical infrastructure protection plan defines how government agencies and other stakeholders in a nation’s critical infrastructure community will manage risk and defend against threats, a national incident response plan defines how these stakeholders will respond to a significant cybersecurity incident. Informed by international best practices, such a plan should articulate the roles and responsibilities, capabilities, and coordinating structures that support how a nation will respond to and recover from significant cybersecurity incidents affecting critical infrastructure.

A national incident response plan provides guidance to enable a unified whole-of-government, whole-of-nation, and internationally coordinated approach to response and recovery during a significant cybersecurity incident affecting critical infrastructure. It articulates common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans.

Craft Sector-Specific Plans as Appropriate

Although certain elements of cybersecurity protection apply across all areas and many recommendations are available from national and international organizations, there also is a need for guidance that is tailored to the business needs of particular entities or that provides methods to address unique risks or specific operations in certain sectors.

Establish Structure for Facilitating Public-Private Partnerships

Effective cybersecurity requires collaboration and coordination among all stakeholders. Real partnership between public and private sectors is particularly important because non-government entities manage and operate many critical infrastructures, often including those that control transportation, health, banking, energy, and other vital sectors.

Governments should establish laws and structures to facilitate public-private partnerships on a voluntary basis. At minimum, such laws and structures should address:

  1. structure, legal authority, and protections for voluntary sharing of threat and vulnerability information;
  2. legal authority for voluntary public-private operational collaboration to disrupt cybersecurity threats;
  3. mechanisms for awareness and outreach activities; and
  4. intra-sector public-private collaboration.

Create Mechanism for Supporting National and Sub-National Governments

Government functions at the sub-national and local level can often be as important as, or even more important than, those at the national level in supporting the daily lives and activities of citizens and businesses, yet sub-national and local governments generally cannot maintain the same level of capability as the national government in defending against cyber attacks that may disrupt these functions.

Sub-national and local governments are themselves critical infrastructures, and national policies should establish mechanisms for defending them, including by providing technical and/or financial assistance to subnational and local governments to develop their own robust cyber defenses.

Cybersecurity and the Government

Establish and Resource a National Computer Emergency Response Team

Incident-response capabilities should be established to manage the most critical and significant events that threaten the confidentiality, integrity, or availability of nationally significant information networks and systems, or that create widespread risk to individual citizens. Computer emergency response teams (CERTs) at the national and sub-national or local levels, as well as computer security incident response teams (CSIRTs), can play a crucial role in improving cyber resilience. These entities can (1) provide incident response services to victims of attacks; (2) share information concerning vulnerabilities and threats with key stakeholders in the government, private sector, and, in some instances, the broader public; and (3) offer other ways of helping improve computer and network security.

National governments should legally establish computer emergency response teams at the national level, and ensure sufficient resourcing to such teams to capably prepare for and address significant cybersecurity incidents and other large-scale national cyber events.

Authorize and Encourage Timely Threat Information-Sharing

The ability to share information about cybersecurity threats, vulnerabilities, and incidents with affected parties as well as entities with capabilities to develop means to defend against attacks is indispensable. Because attacks are aimed at both private sector and government actors, and across national borders, information sharing policies should promote sharing between the government and the private sector, among private sector entities, and among government entities.

To that end, effective cybersecurity information sharing laws or policies should be crafted according to six tenets:

  1. Safe Harbor from Liability. Policies should empower private entities to voluntarily share information regarding cybersecurity threat indicators with other private entities or with governments, domestically and internationally, by expressly limiting potential legal liability or regulatory consequences. This limitation should apply for both sharing and receiving this information. Moreover, consistent with the voluntary basis of such an approach, policies should ensure that companies are not held liable for choosing not to share information with other private entities or governments.
  2. Privacy. Policies should protect the privacy of those affected by shared cybersecurity threat information without impeding the ability to share cybersecurity threat indicators in a timely fashion.
  3. Multi-Directional Sharing. Policies should facilitate information sharing by private entities with both government and private parties, and from the government to private parties, while providing flexibility to affected parties to enter into appropriate transactional and sector-specific arrangements.
  4. Timeliness. Policies should authorize and encourage government actors to share relevant cybersecurity threat information with private parties, and accelerate the time periods for sharing such information, including through automated mechanisms.
  5. Civilian-Led. Policies should establish a civilian portal for private-to-government information sharing.
  6. Cybersecurity Use. Policies should ensure shared cybersecurity threat information is used by the recipient only to promote cybersecurity and for no other purpose, and when information is shared with governments, that the information is used only to promote cybersecurity or for limited law enforcement activities.

Ensure a Calibrated Structure for Incident Reporting

Some governments have sought to improve their situational awareness of and response to the cybersecurity threat landscape by adopting measures to either encourage voluntary reporting, or require mandatory reporting, to government or regulatory entities of significant cybersecurity incidents. Voluntary incident reporting regimes can strengthen trust between government and industry and facilitate more robust two-way information-sharing; it is important such regimes, whether mandatory or voluntary, be targeted in a risk-based manner.

Frameworks with overbroad thresholds for reporting can unintentionally inhibit cybersecurity by causing companies to over-notify for any incident on their systems, leading to notification fatigue, increased costs, operational distractions, and difficulties identifying and addressing the most important incidents. Instead, governments seeking to establish a mechanism for cyber incident reporting should adopt the following principles:

  • Establish a Clear Reporting Structure. Given that numerous government and regulatory agencies could be involved in a particular incident, an efficient, accessible reporting structure should be put in place, ideally coordinated through a national computer emergency response team. This structure must be supported with technical capabilities ensuring safe and agile transmission and use of the data.
  • Calibrate Reporting Threshold According to Risk. Not every cyber incident is important, and overreporting can overwhelm entities on the receiving end, leaving them less responsive to significant threats. Instead, reporting should be limited to (1) critical infrastructure sectors most important to the nation; (2) incidents that substantially affect the confidentiality, availability, or integrity of the affected system; and (3) actionable information regarding the incident.
  • Avoid Duplicative Requirements. Incident reporting policies should define roles and responsibilities, including those of both government actors and reporting entities, so as to avoid duplication of reporting requirements, even when reporting entities are accountable to multiple regulatory regimes. Governments should prevent duplicative requirements across individual government agencies, seeking to streamline processes for sharing information about significant incidents in order to promote effective and efficient responses.
  • Maintain Consistency. Different reporting requirements for different industries or different situations drive confusion and contribute to undue regulatory burdens. Instead, incident reporting frameworks should be flexible, practical in the business environment, based on internationally recognized standards and other widely accepted approaches, and consistent across sectors.
  • Avoid Mandatory Timelines. Artificially short timelines generate incomplete or inaccurate reporting, and often require affected entities to report information before they have a full picture or diagnosis of the incident. Incident reporting frameworks should create an expectation that incidents are reported in a reasonable timeframe without compromising the integrity of reporting or mandating specific deadlines.

Ensure a Consistent, Reasonable Standard for Personal Data Breach Notification

Creation of a breach notification system for personal data applicable to all businesses and organizations can provide incentives for entities to ensure robust protection for personal data, while enabling data subjects to act to protect themselves in the event their data is compromised. Any such system, however, must be carefully crafted to prevent the issuance of immaterial notices. Notice should only be required where there is a serious risk of harm to the user. Notice should not be required where the lost data in question has been rendered unusable, unreadable, or indecipherable to an unauthorized third party through practices or methods that are widely accepted as effective industry practices or industry standards at the time of the breach.

If a breach notification is required, it should occur in a reasonable timeframe, considering the time required to evaluate the nature and scope of the breach and whether the breach is likely to cause significant harm to data subjects. Artificially short timelines can undermine completeness and accuracy of reporting, and interfere with incident response. Instead, notification standards should create an expectation that incidents are reported in a reasonable timeframe without compromising the integrity of reporting or mandating specific deadlines.

Establish a Transparent, Coordinated Process for Government Handling and Disclosure of Vulnerabilities

Governments should establish clear, principle-based policies for handling product and service vulnerabilities that reflect a strong mandate to report them to vendors in line with Coordinated Vulnerability Disclosure principles rather than to stockpile, buy, sell, or exploit them. Coordinated Vulnerability Disclosure programs reduce the potential for damage by ensuring vendors can fix vulnerabilities before they are made public, incentivize responsible approaches to security research and vulnerability disclosure, and help both governments and technology vendors avoid surprises. Such policies should be transparent to the public.

Keep Acquisition Technology Neutral

Effective cybersecurity involves layered, multi-faceted approaches to defending networks; as such, innovative cybersecurity solutions can leverage many technical approaches to achieve common objectives. To ensure government agencies are able to obtain the most innovative, effective cybersecurity solutions, acquisition rules and regulations should be technology neutral. Procurement policies should specify security objectives, but leave the technical approaches regarding how to best meet those objectives to vendors to decide.

Ensure Use of Licensed Software

The use of unlicensed software exposes enterprises and government agencies to heightened risks of malware infections and other security vulnerabilities. In fact, a 2015 study by global research firm IDC identified a strong correlation between the presence of unlicensed software and the incidence of malware encounters. Because unlicensed software is less likely to receive critical security updates that would otherwise mitigate the risks associated with malware exposure, its use heightens the risk of harmful cybersecurity incidents.

Unlicensed technology from untrusted sources may also contain embedded malware inserted by malicious actors. Unfortunately, the use of software that is not properly licensed, including by government agencies and contractors, is still a significant problem globally. In many cases, the use of unlicensed software by governments may be simply a function of government agencies lacking awareness of the software assets resident on their systems. Most agencies do not have adequate policies for managing software licenses. Transparent and verifiable software asset management (SAM) practices identify situations where entities are using unlicensed software, as well as situations where the licenses they have far exceed the number of users.

Ensure Software Is Vendor-Backed

As government agencies increasingly purchase and “consume” IT resources as online services, rather than as products, it becomes more imperative than ever that government agencies work with IT suppliers with a proven track record of offering robust and reliable support for their offerings. Government policies should therefore encourage government agencies to place a premium on selecting IT solutions for which the supplier (or some other commercial partner) offers reliable support, and should ensure that vendors are compensated for ongoing product support and updates, as appropriate.

This recommendation should apply equally to all IT solutions, regardless of licensing or development model. Commercial systems, hardened by ongoing testing and proven in the marketplace, may often prove more reliable and secure than untested custom-built approaches. Open-source technology can be integrated into government IT systems but, unless backed by vendor support to manage ongoing security patches and upgrades, such systems can introduce risk into government networks.

Leverage the Security Benefits of Cloud Services

Cloud computing services are the backbone of the modern economy, empowering innovative business and government solutions and generating unprecedented connectivity, productivity, and competitiveness. In addition, cloud services often provide security benefits that can help governments improve their posture against cybersecurity threats. To leverage these benefits, governments should adopt policies that encourage migration to cloud services and ensure that procurement policies are modernized to enable cloud services to compete on a level playing field. Traditional purchasing practices and contract terms may hinder the scalable, cost-effective, and innovative nature of cloud computing. Quick and flexible procurement processes that are not hampered by burdensome terms and conditions will allow users to fully leverage the vast array of benefits offered by cloud computing technologies.

Build Security Considerations Into Acquisition Processes

Many countries adopt regulations guiding acquisition of products for the government, including rules intended to ensure the government gets maximum value for its investments. In some cases, this legitimate intent has translated into mandates that products offering the lowest price should be preferred, regardless of other circumstances. Such rules, in the context of information technology procurements, often discourage government agencies from selecting products or services that offer the greatest value to the agency.

That additional value can manifest itself in many different ways — for instance, in the form of better security, additional functionality, superior product support, or greater ease of use. These rules may also restrict an agency’s consideration of past performance as a factor in the procurement process, thus forcing it to ignore information that may, as a practical matter, be highly relevant. Such rules create a substantial risk that government agencies are forced to select the “cheapest” solution, even if that solution does not provide the lowest overall cost of ownership and does not offer the best value for the government’s money. Instead, governments should adopt “best value” contracting policies, in which proposals are assessed according to cost, value, past performance, security, and other variables to ensure that governments maximize the return on their investments.

Manage IT Systems Smartly and Securely

Ensuring cybersecurity in government IT systems extends beyond smart purchasing decisions; it requires smart management of systems throughout their life cycles. The changing threat landscape requires continual development of cybersecurity technologies, smart management, sustained planning, and adequate budgeting around IT systems with a focus on cybersecurity; specifically, policies governing government agency IT acquisitions should:

  • Keep Software and Systems Up-to-Date. Many significant data breaches take advantage of outdated or unpatched software and systems; government agencies should plan and budget to maintain up-to-date software and systems.
  • Plan for Ongoing Security. Too often, well-intentioned government agencies seek to implement custom software solutions to fix specific problems without plans for ensuring and sustaining security of those solutions. Government agencies should establish plans for ongoing security, including updating/patching, of software and IT systems before those solutions are integrated, and such plans should be maintained throughout the product life cycle. Governments should also lead the transformation of skills and job profiles required to meet future security demands by investing in cybersecurity capabilities of developers, engineers, and related work profiles.
  • Incorporate SAM. Transparent and verifiable software asset management (SAM) practices, based on internationally recognized standards, help government agencies secure IT inventories by identifying uses of unlicensed software, which often remains unpatched and vulnerable, and taking action to remediate it.

Avoid Domestic Preference Requirements

Cutting-edge products and services are developed through global collaboration in research and design centers across many different countries. Countries should create incentives for cross-border collaboration to facilitate rapid and innovative solutions to shared security challenges, including through government acquisition policies.

However, some countries take the opposite approach, assuming that by preventing foreign competition they can protect domestic champions, develop an indigenous technology industry, and defend against perceived cybersecurity risks of foreign products. Indigenous technologies represent only a subset of global innovation. Preventing foreign competition in government procurements reduces cybersecurity by denying government agencies access to world-class products and services.

Furthermore, such policies deprive domestic technology firms of valuable opportunities to collaborate with global leaders and make them less competitive internationally, harming global innovation. Opening procurements to solutions from the global marketplace will increase efficiency, cut costs, and improve security.

Support Research and Development of Cybersecurity Technologies and Tools

Investing in research and development (R&D) provides a concrete means for governments to advance cybersecurity. Such R&D can help governments foster technological solutions to identified gaps and challenges, as well as to develop new approaches to building security into broader government systems. R&D investments help to support a domestic cybersecurity ecosystem in industry and academia.

Moreover, R&D can be targeted beyond individual technologies to develop tools for improving cybersecurity; such tools can range from examining new applications of existing technologies to supporting the development of internationally recognized standards and best practice frameworks to guide organizational approaches to specific cybersecurity challenges.

Cybersecurity and the Private Sector

Fundamental to a country’s cybersecurity policy is a framework for ensuring cybersecurity across critical infrastructure. Because in most countries critical infrastructure operators largely reside in the private sector, it is important that such a framework promotes close public-private collaboration and reflects the needs and objectives of all stakeholders.

Focus on Security Outcomes

Critical infrastructure sectors are often diverse in terms of technological infrastructure, involve different types of risk, and confront different threats and threat actors. Moreover, the technologies used in these infrastructures are diverse and constantly evolving. Overly directive regulation focusing on specific methods or strict compliance, or mandates that limit the use of security-enhancing technologies such as encryption, rather than improving security, can bog down adaptive security measures and stifle innovation of new security technologies. Instead, governments should focus critical infrastructure cybersecurity policies on driving desired security outcomes, providing private sector entities latitude to develop the most effective, innovative approaches to meet those security outcomes. Outcome-based approaches that integrate risk assessment tools, maturity models, and risk management processes enable organizations to prioritize cybersecurity activities and make informed decisions about cybersecurity resource allocation to align defenses against the most pressing risks.

Use a Risk-Based, Flexible Policy Framework

Technology evolves rapidly and in unpredictable new directions; it is thus essential that any policy framework for critical infrastructure cybersecurity undertake security measures that are sufficiently adaptable to avoid stifling innovation and economic development. To achieve this balance, a critical infrastructure cybersecurity framework should be based on the following key principles:

    1. Risk-Based and Prioritized. Cybersecurity threats come in many forms and magnitudes with varying degrees of severity. Establishing a hierarchy of priorities — based on an objective assessment of risk — with critical assets and/or critical sectors at the top is an effective starting point from which to ensure cyber protections are focused on those areas where the potential for harm is greatest.
    2. Technology-Neutral. A technology-neutral approach to cybersecurity protection is vital to ensure access to the most secure and effective solutions in the marketplace. Specific requirements or policies that mandate or prohibit the use of certain technology only undermine security by restricting evolving security controls and best practices, and by potentially creating single points of failure.
    3. Practicable. Overly burdensome government supervision of private operators or disproportionately intrusive regulatory intervention in their operational management of cybersecurity risk most often proves counterproductive, diverting resources from effective and scalable protection to fragmented administrative compliance. Instead, a framework should establish standards and security measures that are accessible and scalable across the range of covered entities.
    4. Flexible. Managing cyber risk is a cross-disciplinary function and no one-size-fits-all approach exists. Each industry, system, and business faces distinct challenges, and the range of responsible actors must have flexibility to address their unique needs.
    5. Respectful of Privacy and Due Process. Security requirements should be duly balanced with the need for protection of privacy and due process. Ensuring that requirements and obligations are proportionate, do not represent more intrusion in privacy rights than what is strictly necessary, follow due process, and are supported by adequate judicial oversight are all important considerations to address in any critical infrastructure cybersecurity framework.

Avoid an Overbroad Definition of Critical (Information) Infrastructure

Broad definitions cause uncertainty among business owners, their providers, and government agencies for compliance and during enforcement. Such definitions are likely to create costly regulatory burdens without actually improving cybersecurity, overwhelming infrastructure operators with obligations best reserved for those involved in supporting truly essential systems. Overly broad definitions can also lead to overwhelming regulatory authorities with unnecessary information and oversight/enforcement responsibilities. Instead, governments should adopt a definition of critical (information) infrastructure that focuses on truly essential systems, and apply a rigorous, proportionate, and risk-based analysis to determine what specifically should be designated critical (information) infrastructure.

Align Critical Infrastructure Security With Internationally Recognized Standards

Standards and best practices are most effective when developed in collaboration with the private sector, adopted on a voluntary basis, and recognized globally. Regulations, policies, and standards issued by a government to address critical infrastructure cybersecurity should be aligned with internationally recognized technical standards and internationally recognized approaches to risk management, such as the ISO/IEC 27000 series of information security management standards, the IEC 62443 series for the security of industrial automation and control systems, the Common Criteria for Information Technology Security Evaluation, or the NIST Framework for Improving Critical Infrastructure Cybersecurity, as appropriate.

Governments should particularly emphasize alignment with those standards developed through voluntary, consensus-based processes. Allowing critical infrastructure operators to combat evolving cybersecurity threats with evolving best practices and standards permits a more flexible, current, and risk-based approach to cybersecurity. Moreover, use of internationally recognized standards ensures interoperability for both businesses and government agencies with international counterparts, facilitating both economic development and operational collaboration against cybersecurity threats.

Avoid Indigenous Security Standards

Some governments are imposing country-specific standards for critical infrastructure cybersecurity, arguing that market-specific rules will lead to improved cybersecurity. The real effect, however, is the opposite. Government-imposed indigenous standards inconsistent with globally accepted best practices and standards, rather than bolstering security, tend to freeze innovation and force consumers and businesses into using products that might not suit their needs. Such an approach can prevent critical infrastructures from integrating security technologies that represent best-in-class solutions.

Ensure Any Certification Regimes Are Balanced, Transparent, and Internationally Based

Certification regimes may be effective measures to drive stronger cybersecurity in the critical infrastructure community, but they must be structured in a way that both promotes security needs and addresses market demands for continuing innovation and a broad diversity of product types and configurations. Therefore, any certification regime should be based on internationally recognized standards or risk management approaches (for example, the ISO/IEC 27000 series of information security management standards, the IEC 62443 series for industrial automation and control system security, or the NIST Framework for Improving Critical Infrastructure Cybersecurity, all of which are widely used to manage risk and improve cybersecurity for critical infrastructure operators globally). These international approaches feature the ongoing, iterative development of standards and risk management practices that allow certification frameworks to maintain currency as technology develops, and incorporate input and best practices from government and private sector stakeholders on a global basis. Certification regimes should emphasize software security-by-design principles by including process-based standards for software development that incorporate security considerations throughout the development process, such as the ISO/IEC 27034 series of application security standards. These process-based approaches recognize the importance of integrating security from inception, but also account for the agile and iterative nature of modern software development.

Moreover, certification regimes used in the critical infrastructure sector should be (1) transparent, ensuring that businesses operating critical infrastructure or providing products or services to critical infrastructure operators are provided with full visibility into certification standards, methodologies, processes, and outcomes; and (2) independent, allowing for use of internationally accredited certification bodies rather than requiring exclusive use of specific in-country entities.

Reject Requirements to Disclose Source Code and Other Intellectual Property

Some countries have begun to impose laws requiring developers of certain products to make source code and related intellectual property available for inspection before such products can be used in critical infrastructure. Such requirements are inappropriate and ineffectual. Requirements to disclose source code, enterprise standards, security testing results, and similar proprietary information pose significant inherent risks to intellectual property protection, while providing little added security value.

Because many of today’s technology products include hundreds of thousands or even millions of lines of code, a government inspection cannot reliably identify individual flaws by reading the code. Worse, if governments store code disclosed by software developers, that repository becomes a target for theft, and stolen code can then be used by an attacker to discover vulnerabilities and refine attack methods. Governments should avoid any law requiring the transfer of, or access to, source code as a condition for the import, distribution, sale, or use of such software, or of products containing such software.

Promote Market-Driven Solutions

With technologies, security approaches, and consumer demands constantly changing, heavy-handed regulatory approaches cannot keep pace with the dynamism and diversity of the market. Instead, the most effective means of promoting cybersecurity in consumer markets will be to harness the power of the market to drive greater security. Market-driven solutions come in a range of forms, including industry-led internationally recognized standards development and adoption, industry consortiums, tax incentives, safe harbors, and voluntary certification and labeling schemes. When crafting policy frameworks to tackle consumer product cybersecurity, governments should adopt such market-driven solutions, tailored to their own distinct circumstances, and avoid mandatory regulatory measures.

Encourage Adoption of Internationally Recognized Standards

Technology standards play a vital role in enabling and enhancing cybersecurity. By supporting internationally recognized technical standards that are developed with industry participation and accepted across markets, companies can more quickly develop, distribute, and adopt newer and more secure products. Moreover, using internationally recognized standards ensures interoperability for both businesses and government agencies with international counterparts, facilitating both economic development and operational collaboration against cybersecurity threats. Therefore, governments should ensure that any regulations, laws, or policies regarding cybersecurity in consumer products are aligned with internationally recognized technical standards and internationally recognized approaches to risk management.

Enable Cross-Border Data Flows for Business Purposes

The modern economy depends upon cloud computing services and other technologies that allow the storage, processing, and transfer of data across multiple locations and across international borders. By allowing data to flow freely among multiple markets, these technologies drive international trade, cross-border business collaboration, economies of scale, and increasingly, technological solutions to common governance challenges such as pandemic disease and disaster response.

Moreover, these technologies bring security benefits such as reliability, resiliency, and 24-hour security support. Laws that restrict the cross-border transfer of data for business purposes undermine both economic and security benefits, and should be avoided in national cybersecurity legal and policy frameworks.

  • Promote Privacy, Security, and Cross-Border Data Flows. Some countries’ cybersecurity regimes have established restrictions on cross-border data flows with an objective of securing data, either for privacy or security purposes, or both. Yet, such restrictions are unnecessary, and often counterproductive, for achieving effective data security. Although an enforceable international consensus on cross-border data rules does not exist, responsible data stewardship should be based on internationally recognized principles of transparency and accountability, as articulated in the Organisation for Economic Co-operation and Development (OECD) “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” and embodied, for example, by the Asia Pacific Economic Cooperation (APEC) Privacy Framework.
  • Distinguish Between Data Processors and Data Controllers. In any personal data protection regime, it is important to distinguish between data controllers and data processors, both to provide clarity on the responsibilities and liabilities vis-à-vis the data subject or owner and to facilitate compliance with legal requirements. The data controller should be the entity responsible for compliance with obligations relating to personal data. Data processors act only on behalf of data controllers: they process data under a mandate given by the data controller, so the data processor’s obligations should be governed mostly by contract, with clear limits on data processors’ liability under the measures.

Avoid Data Localization Requirements

Based on the mistaken assumption that data is safer in a specific location, some countries are imposing rules that require data to be stored domestically. In fact, data localization requirements not only impede global commerce by undermining the benefits of cloud computing services and other technologies that underpin the modern economy; they also forgo many security benefits that such technologies can bring, such as redundancy, around-the-clock security monitoring, cloud-based network defense tools, and others. Data localization requirements are among the most counterproductive approaches to cybersecurity, and should be avoided in nearly all circumstances.

Maintain a Policy Environment That Enables Emerging Technologies

Emerging technologies are increasingly important cybersecurity tools. Artificial intelligence (AI)-enabled cyber tools, for instance, are used to help analysts parse through hundreds of thousands of security alerts per day, weed out false positives, and identify the threats that warrant further attention by network administrators. Because cybersecurity threats come from around the world, the data used to train AI-enabled cyber tools needs to be able to move across borders. Policies that inhibit data transfers or that limit the ability to analyze traffic data to identify threats will also impede the use of emerging technologies for cybersecurity.

Cybersecurity and the Citizen

Invest in Public Cybersecurity Awareness

The vast majority of cyber breaches and attacks are attributable to poor individual cyber hygiene. Governments that invest in increasing public awareness of the shared role of governments and citizens in protecting computers and networks can drive society-wide cybersecurity and cyber resilience. There are many ways governments can invest in public awareness; successful efforts have included national awareness events (such as dedicating a national cybersecurity awareness week or month), public service advertising campaigns, dedicated websites and online guidance, social media campaigns, and school events. Another important way the government can promote cybersecurity awareness is by making aggregate and publicly disclosed data about cybersecurity incidents available, enabling researchers, policymakers, and average citizens to better understand the scope and contours of cybersecurity challenges.

Create Tools to Inform Consumer Choices

A critical — and often ignored — element of improving cybersecurity is promoting the adoption of secure products and security services by both individual and enterprise consumers. Too often, consumers lack the ability to make informed decisions that differentiate between products based on security, or to understand the comparative value of security products or services. Governments can help improve cybersecurity by emphasizing cybersecurity awareness and developing tools to enable consumers to obtain and compare critical product security information in the marketplace, empowering them to contribute to enhancing cybersecurity across the information technology ecosystem.

Build Cybersecurity Awareness Into Every Level of Education

Building a cybersecurity workforce to meet current and future needs begins with educating a broader generation of future practitioners. Governments should invest in programs to ensure that cybersecurity education at every level of the education system is available, accessible, and aligned both to the needs of the cybersecurity workforce and to emerging cybersecurity challenges.

Governments should consider programs to (1) expose young people to cybersecurity concepts, including basic cyber hygiene, through primary school curricula; (2) increase interest in and access to cybersecurity education among youth through scholarships and research competitions; and (3) incentivize the development, accreditation, and promotion of cybersecurity-focused education programs through universities, community colleges, and other educational venues.

Prioritize Diversity in Cybersecurity Education and Training

Around the world, women and ethnic minorities tend to be significantly underrepresented in the cybersecurity workforce, representing a damaging inability to leverage the talents and perspectives of huge segments of the labor pool. As governments invest in wider efforts to provide education to future cybersecurity professionals, they should leverage such programs to incentivize more female and minority students to pursue cybersecurity education.

Moreover, government investments should aim to make cybersecurity education and career opportunities available broadly, beyond urban capitals and industrial centers. As the cybersecurity jobs gap — the gap between available positions and qualified individuals available to fill them — continues to grow, there are vibrant communities of talented young female and minority students, from both urban and rural areas, who can help meet the demand, provided governments adopt smart policies to engage and attract them to this vital field.

Support Alternative Pathways to Cybersecurity Careers

Cybersecurity expertise can be developed through alternative pathways that do not require university or graduate degrees, including through apprenticeship programs, community colleges, cybersecurity “boot camps” or short-term intensive training academies, and relevant government or military service. Governments should invest in fostering these alternative pathways. In addition, although investing in educating young people to fill the cybersecurity jobs of tomorrow is critical, the growth of digital commerce is proceeding at a pace that requires an influx of new cybersecurity professionals in the near-term. Investing in re-training opportunities to enable mid-career professionals to transition into cybersecurity careers can help bridge the cybersecurity workforce shortfall in the near-term, while also helping communities evolve to support the changing workforce demands of the 21st-century economy.

Criminal Codes

Establish a Comprehensive Legal Framework Consistent With the Budapest Convention on Cybercrime

Nations should establish comprehensive legislation addressing criminal liability, investigations, and prosecutions in the cyber domain. Such legislation should be crafted in accordance with the Budapest Convention on Cybercrime, which serves as a guideline for developing comprehensive national legislation against cybercrime and as a framework for international cooperation between State Parties to the treaty. The Convention includes requirements for substantive laws (minimum standards for what is criminalized); procedural mechanisms (investigative methods); and international legal assistance (such as cross-border access to digital evidence or extradition). The legal framework should provide support for cross-border investigations.

Apply Criminal Liability Only to Actors With Criminal Intent

Malicious actors often carry out cyber crimes by taking advantage of vulnerabilities in privately owned cyber assets, ranging from individual computers to major networks. Among the more significant cybersecurity threats, for example, are botnets, which commandeer thousands of individual computers and direct them to take actions to degrade another system or network. When cyber vulnerabilities in privately owned assets are exploited by malicious actors as part of a cyber attack, owners of such assets are victims of the attack just as are the attack’s targets; the criminal offender is the malicious cyber actor who exploits such vulnerabilities. Criminal prosecution should be reserved for those seeking to disrupt, degrade, or destabilize cyberspace, and not those who are the victims of such malicious activity. Moreover, criminal codes should distinguish between the illegitimate activities of malicious actors and the legitimate research and testing of security professionals designed to strengthen cybersecurity, who may use related tools and techniques.

Provide Technical Training and Support for Law Enforcement

As digital technologies continue to evolve, law enforcement organizations around the world must continue to adapt investigative techniques to technological innovations, particularly in order to be able to investigate and prosecute cyber crimes effectively. Governments should consider mechanisms to provide adequate technical training and technical support, potentially including the establishment of specialized cyber units, to ensure that law enforcement organizations maintain sufficient investigative capabilities as technology changes. Governments should avoid policies that mandate technical specifications to enable law enforcement access, as such technical specifications can weaken cybersecurity.

International Engagement

Integrate Cybersecurity Cooperation into Foreign Policy

Cybersecurity is a transnational challenge that demands international cooperative solutions; such cooperation depends upon effective, proactive diplomacy. Governments should express a commitment to international cooperation on cybersecurity and recognize it as a key priority for their foreign policy. In strategy documents, organization, and budgets, governments should emphasize strong, collaborative cybersecurity as a critical element of national security and should develop and articulate clear areas of focus to promote cooperation. These areas of focus might include participating in multi-national operational collaboration to confront specific cybersecurity threats, supporting the establishment of international cybersecurity norms or confidence building measures, building the cybersecurity capacity of foreign partners, participating in international cybersecurity standards development, or participating in multilateral governance mechanisms. Establishing a lead cybersecurity diplomat may help some governments focus and synchronize diplomatic efforts across these areas.

Engage in International Cooperative Efforts

International cybersecurity cooperation is taking root in two important areas: multilateral governance efforts and operational collaboration. Multilateral governance enables national governments to develop common policies and standards that serve as a shared foundation to enhance security and deepen economic linkages. International fora and cooperation mechanisms, including international policy and standards bodies, centers of excellence, regional and global events, intergovernmental discussions, public and private alliances, and other collaboration mechanisms help nations develop common rules of the road, protocols for cooperation and incident response, shared standards, and common infrastructure to enable operational collaboration.

Operational collaboration — real-time, practical cooperation to address specific incidents or threats, such as collaboration on law enforcement investigations or response to cybersecurity incidents with transnational effect — helps national governments receive timely information on potential threats and vulnerabilities and be able to respond quickly to any incidents as a result. Governments should participate in both types of collaboration to ensure that their needs and priorities are addressed within the context of these multilateral frameworks, and to uphold the shared responsibility of defending global networks against malicious cyber activity.

Ensure Export Control Policies Do Not Impede Legitimate Cybersecurity Activity

Securing critical networks and infrastructure against malicious intrusions, exploits, vulnerabilities, and other emerging cybersecurity threats requires real-time testing and remediation efforts. To combat the rapidly evolving threat landscape, cybersecurity professionals must be able to freely share information about emerging threats and solutions with large communities of experts around the world. Network defenders require access to technologies that share many of the technical attributes of the very threats they are attempting to defend against.

For instance, cybersecurity professionals make use of “penetration testing” tools to evaluate whether a network is vulnerable to known and emerging software exploits and hacking techniques. To effectively mitigate those network vulnerabilities, companies must be able to share information about vulnerabilities and exploits freely and in real time. Export controls that inhibit the real-time sharing of the vulnerabilities and exploits that the penetration testing tools rely on would severely affect the ability to create safe products and ensure a secure network and IT environment. Efforts to regulate the spread of malicious software through use of export controls must therefore be narrowly tailored so that they do not inadvertently impose restrictions on cybersecurity professionals, incident responders, or the independent research community.

Prevent Territory from Being Used for International Cyber Attacks

Beyond defending their own systems and networks against cyber attacks, governments have a responsibility to prevent malicious cyber actors from using their territory to launch or support cyber attacks against other nations. Legal frameworks criminalizing malicious cyber activity should cover such activity even when victims are beyond a nation’s borders. Moreover, sufficient enforcement mechanisms should be put in place to identify and disrupt those involved in international cyber attacks.

Protect Privacy and Human Rights on the Internet

Governments should pass laws to implement UN resolutions protecting human rights and privacy on the Internet, including laws to promote access to the Internet, protect the right to expression on the Internet, protect privacy in digital communications, and ensure adequate legal remedies are available to individuals whose privacy or human rights have been violated. Furthermore, governments should avoid policies that undermine the development and use of privacy-enhancing technologies.

Avoid Mandates That IT Systems Manufacturers Support State-Sponsored Hacking

Although espionage and other state-sponsored cyber activities are conducted by many governments, attempts by governments to force technology providers to support or be complicit in such activities can create tremendous negative consequences for international commerce. As such, governments should avoid any laws that serve as mandates for technology providers to support state-sponsored cyber activities, including mandating government access features (often called “backdoors”), requiring disclosure of encryption keys or source code, requiring cooperation with intelligence agencies, or requiring surveillance of citizens outside the context of lawfully authorized surveillance of criminal suspects.

Definitions

Precise terminology is an essential building block for effective cybersecurity policies. BSA recommends the following definitions for commonly used terms as policymakers craft new cyber laws.

Cybersecurity Incident

A cybersecurity incident may be defined as “a single, or series of, identified occurrence(s) of a system, service, or network indicating a possible breach of information security policy or failure of security controls, or a previously unknown situation that may be relevant to the security of the system, service, or network.”

Critical Information Infrastructure

As with critical infrastructure, the definition of critical information infrastructure may require modification based on the context and intent of its use. In general, critical information infrastructure can be defined as follows:

“Critical information infrastructure refers to information and communications technology systems that are themselves critical infrastructures or that are essential for the operation of critical infrastructures, such that their destruction, degradation, or unavailability would have a large-scale, debilitating impact on national security, public health, public safety, national economic security, or core government functions.”