Smart grids, electronic commerce, digital government and health services are but a few of the many possibilities offered by the advancement of technology and expansion of cyberspace.
We could only agree with the Indonesian legislator that activities in cyberspace are virtual activities that have actual impacts on our lives. Cybersecurity breaches cover – among others – denial of service, physical theft, crimeware, cyberespionage and web application attacks.
Hence, it is evident that jurisdictions need robust cybersecurity, guaranteeing that the products and services offered meet certain levels of safety and reliability. Moreover, appropriate surveillance is required – without compromising privacy and data protection standards.
This article aims at presenting national regulatory approaches to address the growing phenomenon of cybersecurity (Part II.), namely focusing on:
Cybersecurity requirements for IT products and services (A.)
Cybersecurity IT product admission to the market (B.)
Cybersecurity empowerments to act for authorities (C.)
International aspects (D.)
This is preceded by a list of international standards and international or supra-national regulatory instruments (I.). Part III. collects particular sectoral aspects, and the reader will find some useful links for further research at the end of the article (IV.).
I. International or supra-national regulatory framework
At this point in time, there is no international framework on cybersecurity surveillance. This causes difficulties in implementation/enforcement due to the cross-border nature of the issue.
Nevertheless, certain regional or specialised organisations have adopted instruments that we present below.
1. International Organization for Standardization (ISO)
ISO/IEC 27032:2012 provides guidance for improving the state of cybersecurity and addresses its dependencies on other security domains, in particular:
information security,
internet security, and
critical information infrastructure protection (CIIP).
ISO/IEC 15408-1:2009 (the Common Criteria) should be the basis for evaluating the security properties of IT products. The standard establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation.
2. Council of Europe (CoE)
The Budapest Convention is currently the only binding intergovernmental instrument in the domain of cybercrime. It serves as a guideline for any country developing comprehensive national legislation against cybercrime and as a framework for international cooperation between the signatories.
3. Organisation for Economic Co-operation and Development (OECD)
This OECD Report presents the national cybersecurity strategies for the internet economy of several OECD members. The report also served as the analytical basis for the adoption of the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security.
4. European Union (EU)
New Regulation on “EU Cybersecurity Agency”
The European Commission has recently proposed a text for a Regulation establishing the “EU Cybersecurity Agency”. This Regulation serves as a regulatory basis for the future EU-wide certification scheme for IT products and services in cyberspace (more in point B 2. of Part II. of this article).
NIS Directive
The Directive on security of network and information systems (NIS Directive) aims at ensuring high levels of cybersecurity across the EU by introducing security requirements as legal obligations for the key economic actors. The EU Member States need to transpose the Directive into their national legal systems by 9 May 2018 – with the objective to improve the functioning of the internal market.
Directive on electronic commerce
The Directive on electronic commerce provides rules on transparency and information requirements for online service providers, commercial communications, electronic contracts and liability issues.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) governs – among others – the processing of personal data for the purposes of ensuring network and information security. The Regulation will become directly applicable across the EU on 25 May 2018.
II. National reference legislation
National regulators address cybersecurity surveillance through several regulatory approaches. Jurisdictions that have not yet adopted specific laws tackle the issue through criminal codes or data protection legislation. Nevertheless, more and more regulators acknowledge the specificities of the issue. However, the majority of national regulatory texts focus on cybercrime. Less attention is given to specific cybersecurity “preventive measures”, e.g. admission of IT products to the market, specific certification schemes for cyberspace, etc. We present different national legislation, focusing on the four aspects of cybersecurity referred to at the beginning of this article.
A. Cybersecurity requirements for IT products and services
Cybersecurity aims at avoiding attacks on the integrity (accuracy of data), confidentiality (identity and intellectual property theft) and availability (disruption and delay) of computer systems and data. We present diverse national regulatory examples that pursue these aims.
1. In the United States, a contractor offering an internet-connected device shall provide written third-party certification that the device complies with the security requirements of the industry certification method of the third party. To create a baseline, the Director of the Office of Management and Budget, in close coordination with the National Institute of Standards and Technology and relevant industry entities, defines conditions to mitigate cybersecurity risks. The Director may consider setting up conditions including the following:
network segmentation or micro-segmentation;
the adoption of system level security controls, including operating system containers and micro services;
multi-factor authentication; and
intelligent network solutions and edge systems, such as gateways, that can isolate, disable, or remediate connected devices.
In addition, it must be possible to update or to replace internet-connected device software or firmware components. Any future security vulnerability or defect in any part of the software or firmware shall be patched in a properly authenticated and secure manner in order to fix or remove the vulnerability or defect in the software or firmware component (timely repair).
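The “timely repair” requirement above asks for two things a device can actually check before it writes a new firmware image: that the update is authenticated, and that it does not silently put an older, still-vulnerable release back on the device. The following Python example, added here and not code from the article or from any regulator, shows a minimal device-side check with both properties. It assumes a constructed update format (a JSON manifest carrying a monotonic version counter and the image hash, plus an HMAC-SHA256 tag over that manifest) and a shared per-device update key; a real deployment would normally use an asymmetric signature so the device holds only a public key.

```python
"""Authenticated, rollback-resistant firmware update check (illustration).

Added example for the 'timely repair' requirement; the manifest format, the
version counter and the shared-key scheme are assumptions for this demo."""
import hashlib
import hmac
import json

# Assumption: vendor and device share a per-device key (constructed value).
DEVICE_UPDATE_KEY = b"constructed-demo-key-not-for-real-devices"


def _canonical(manifest):
    """Serialise the manifest deterministically so the tag is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_update(key, version, image):
    """Vendor side: package an image with its version and an authenticated manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "image": image}


def verify_update(key, installed_version, update):
    """Device side: return (accepted, reason).

    All three checks must pass before a single byte of the image is written."""
    expected = hmac.new(key, _canonical(update["manifest"]), hashlib.sha256).hexdigest()
    # 1. Authenticity of the manifest (constant-time comparison of the tag).
    if not hmac.compare_digest(expected, update["tag"]):
        return False, "manifest tag invalid"
    # 2. Anti-rollback: the authenticated version must be newer than what is installed.
    if update["manifest"]["version"] <= installed_version:
        return False, "rollback to older or same version refused"
    # 3. Integrity: the delivered image must match the hash the vendor authenticated.
    if hashlib.sha256(update["image"]).hexdigest() != update["manifest"]["sha256"]:
        return False, "image hash mismatch"
    return True, "update accepted"


def demo():
    """Run the check against a genuine update and four constructed failure cases."""
    installed = 1
    genuine = build_update(DEVICE_UPDATE_KEY, 2, b"constructed firmware image v2")
    # Image swapped in transit; the authenticated manifest still names the old hash.
    tampered_image = dict(genuine, image=b"constructed altered image")
    # An older (signed) release offered to a device that already runs version 1.
    downgrade = build_update(DEVICE_UPDATE_KEY, 1, b"constructed firmware image v1")
    # Update built with a key the device does not trust.
    wrong_key = build_update(b"some-other-key", 3, b"constructed firmware image v3")
    # Version field edited after signing to defeat the rollback check.
    edited_version = dict(genuine, manifest=dict(genuine["manifest"], version=99))
    cases = {
        "genuine": genuine,
        "tampered_image": tampered_image,
        "downgrade": downgrade,
        "wrong_key": wrong_key,
        "edited_version": edited_version,
    }
    return {name: verify_update(DEVICE_UPDATE_KEY, installed, upd) for name, upd in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} accepted={ok!s:5s} {reason}")
```

The order of the checks matters: the tag is verified first, so an attacker who edits the version field to defeat the rollback check is rejected for a bad tag rather than reaching the version comparison with attacker-controlled data.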
2. The Accreditation Authority of Saint Vincent and the Grenadines takes into account the following criteria prior to accrediting authentication products or services:
its financial and human resources including its assets;
the quality of its hardware and software systems;
its procedures for processing of products and services;
the availability of information to third parties relying on the authentication product or service;
the regularity and extent of audits by an independent body;
any other relevant factor that may be prescribed.
Additionally, the law prescribes that hardware and software systems and procedures must at least:
be reasonably secure from intrusion and misuse;
provide a reasonable level of availability, reliability and correct operation;
be reasonably suited to performing their intended functions; and
adhere to generally accepted security procedures.
Interestingly, Saint Vincent and the Grenadines requires products or services to be covered by an electronic signature. This electronic signature shall fulfil the requirement that it:
is uniquely linked to the user;
is capable of identifying the user;
is created using means that can be maintained under the sole control of the user;
will be linked to the information to which it relates in such a manner that any subsequent change of the information is detectable; and
is based on the face-to-face identification of the user.
3. In China, IT products and services shall comply with the relevant national and mandatory requirements. Providers of network products and services shall not install malicious programs; when discovering that their products and services have security flaws or vulnerabilities, they shall immediately adopt remedial measures, inform users and report to the competent departments.
Moreover, “critical network equipment and specialised network security products” shall be safety certified by a qualified establishment or meet the requirements of a safety inspection, before being sold or provided.
Furthermore, “critical information infrastructure operators” purchasing network products and services shall follow relevant provisions and sign a security and confidentiality agreement with the provider. This agreement shall clarify duties and responsibilities of both sides regarding security and confidentiality. In addition, the “operators” shall annually conduct an inspection and assessment of their networks’ security and risks, and submit a network security report.
B. Cybersecurity IT product admission to the market
1. Admission based on authorisation
To our knowledge, currently no state regulates the admission of IT products by way of authorisation. We believe that this regulatory option is nevertheless viable. The state accreditation mechanism applicable to electronic signatures established by Saint Vincent and the Grenadines goes in this direction.
2. Admission based on third party certification
The most common regulatory approach to admitting IT products in cyberspace – for the time being mainly for electronic signatures – remains within the framework of certification schemes.
Among the more encompassing regulations are the Proposal for a Bill in the United States on cybersecurity standards for internet-connected devices purchased by Federal agencies and the Proposal for the new EU Certification scheme for IT products.
In the US, the National Institute of Standards and Technology and the competent Director will determine accreditation standards for third-party certifiers, and whether the standards described provide appropriate security under the industry certification method of the third party.
The Proposal for an EU Regulation suggests a two-level system. Products and services shall be assessed and certified by private conformity assessment bodies. To ensure that these private conformity assessment bodies are competent, they shall fulfil certain requirements and shall be accredited by an accreditation body. According to the proposal, the monitoring, supervisory and enforcement tasks lie with the EU Member States. The EU Member States will have to provide for one certification supervisory authority. This authority will be tasked with supervising the compliance of conformity assessment bodies, as well as of certificates issued by conformity assessment bodies established in their territory.
But there are alternative systems in place to determine who is empowered to certify products and services. In South Korea, the Minister has the authority to designate any institution as the certifying body if it conforms to the criteria set by the Minister. India grants licences to certifying bodies for digital signatures if requirements regarding qualification, expertise, manpower, financial resources and other infrastructure facilities are met. In Tunisia even individuals can become accredited certification bodies. However, such a person must have been a resident and a Tunisian national for at least 5 years without a criminal record, must enjoy civic and political rights, and must hold a diploma while not exercising any other professional activity.
Over time, both the certification schemes and the certificates themselves need to be reviewed and updated in line with technical progress. In China, critical information infrastructure operators shall conduct an inspection and assessment of their networks' security and of the risks that might exist, and shall submit their findings together with a network security report.
When it comes to the suspension of certificates, China envisages a cancellation of operations’ permits or business licenses in case of a violation of provisions governing the “network security certification, testing, risk assessment”.
As a cross-regulatory reference, one could draw inspiration from the South Korean law on energy efficiency, which lists the grounds on which a certification body's designation is revoked:
“1. When it acquires designation by fraud or other improper means;
2. When it administers a test during the period of business suspension;
3. When it refuses or delays a test without any justifiable ground;
4. When it administers a test, failing to comply with methods for measurement determined and publicly announced by the Minister of Trade, Industry and Energy;
5. When it fails to meet standards for designation as a testing institution.”
Cybersecurity legislation shall also include a provision on the cooperation of certification bodies. An example could be the Commission Implementing Regulation (EU) No 392/2013 of 29 April 2013 amending Regulation (EC) No 889/2008 regarding the control system for organic production, which contains a detailed program for enforcement with the help of entrusted private verification bodies, supervision of entrusted private verification bodies, exchange of information between these verification bodies and authorities, risk management, and percentage of verifications and of unannounced verifications.
3. Admission based on self-certification
The new NYC cybersecurity rules governing the financial services sector contain the obligation to issue a statement of compliance, signed by the Board of Directors.
Self-certification is a good complementary tool for those elements of conformity that are not subject to in-advance verification (e.g. by a Conformity Assessment Body). If self-certification has been chosen, it should be checked that the economic operator consciously assesses the legal conformity of its product or service. In addition, it should be ensured that this assessment is occasionally or systematically scrutinised, be it by Conformity Assessment Bodies, state agencies or accredited test laboratories. The stronger the ex-post verification, the higher the likelihood that self-certification will be sufficient: strong ex-post verification deters cheating at the level of self-certification.
C. Cybersecurity empowerments for authorities
1. Against distribution / dissemination of unsafe products
Empowerments for authorities to ban products are needed, regardless of whether the products have been authorised, certified or admitted to the market without any prior process. The empowerments shall permit action all along the distribution/dissemination chain, including against selling platforms, hosting services and other assisting service providers, publicity partners etc. Empowerments are even needed to cover non-commercial dissemination.
National regulators have adopted different regulatory measures. Saint Vincent and the Grenadines has introduced cyber inspectors with the authority to monitor any activity or information system in the public domain, and to control whether the authentication of service providers is compliant.
The Indian competent authority may issue directions for monitoring of the following purposes related to cyber security:
forecasting of imminent cyber incidents;
monitoring network application with traffic data or information on computer resource;
identification and determination of viruses or computer contaminant;
tracking cyber security breaches or cyber security incidents;
tracking computer resource breaching cyber security or spreading virus or computer contaminants;
identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;
undertaking forensics of the concerned computer resource as part of an investigation or internal audit of information security practices in the computer resources;
accessing stored information for the enforcement of any provisions of the laws relating to cyber security for the time being in force;
any other matter relating to cyber security.
China calls on network operators to establish security complaint and reporting systems and raise public awareness of the issue.
Massachusetts has proposed legislation on public procurement which would give preference to cyber vendors that carry cybersecurity insurance. This is one of the numerous possibilities to enhance compliance above the usual level. Some other examples can be found in Section 7.12. of the Handbook “How to regulate?”.
To enforce cybersecurity surveillance, a regulation shall envisage administrative and penal law sanctions, as well as liability provisions for the following categories of persons:
a) Persons involved in the development or dissemination of unsafe or illegal products
The Chinese competent authorities can order the usage of products or services that had no safety inspection or did not pass one to be stopped, and impose a fine of 1 to 10 times the purchase price. In addition, the directly responsible persons are fined up to EUR 100.000 for any unsafe service / product.
Antigua and Barbuda severely sanctions persons who are putting “illegal devices” on the market. Anyone who intentionally or recklessly, without lawful excuse or justification, produces, sells, procures for use, imports, exports, distributes or otherwise makes available:
a device, including a computer program, that is designed or adapted for the purpose of committing an offence…; or
a computer password, access code or similar data by which the whole or any part of a computer system is capable of being accessed.
Equally, Antigua and Barbuda governs the offence of denial of service, which is punishable by imprisonment of up to 10 years. The offence is qualified as “any act, which causes / intends to cause, directly or indirectly, a degradation, failure, or other impairment of function of a computer, program, computer system, computer network”.
b) Persons involved in the development or dissemination of malware
The law of Kenya contains a provision on fabrication of e-tools that provides: “A person who unlawfully produces, supplies, adapts, manipulates or procures for use, imports, exports, distributes, offers for sale or otherwise makes available any device, including a computer program, a computer password, access code or similar data by which the whole or any part of a computer system may be accessed without authorization is liable…” .
Kenyan law also introduced the offence of cyber-squatting, i.e. intentionally making use of – without authority or right – a name, business name, trademark, domain name or other word or phrase registered, owned or in use by another person on the internet or any other computer network. However, Kenya foresees relatively low fines.
c) Persons involved in fraud / ransom
Pakistan sanctions the offence of electronic fraud with 2 years imprisonment and / or a EUR 130.000.- fine. Additionally, Pakistani law contains penal provisions on cyber stalking, spamming and spoofing, i.e. sending messages from counterfeit sources with dishonest intention. However, the bill received a lot of criticism from civil society, as it remains very vague in its wording.
The draft bill of Singapore envisages full liability of the management for situations where a corporation commits an offence under the Cyber Security Act. The management shall thus exercise due care and take all reasonable steps to prevent or stop the offence. Commendably, Singapore foresees a whistle-blower protection mechanism. This voluntary surveillance mechanism was thoroughly discussed in one of the previous analyses on our blog.
Chinese law fines the persons directly in charge in the case of:
Installing malicious programs;
Failure to immediately take remedial measures for security flaws or vulnerabilities that exist in products or services, or not informing users and reporting this to the competent departments in accordance with provisions;
Unauthorized ending of the provision of security maintenance for their products or services.
Furthermore, China envisages a temporary suspension of operations, a suspension of business for corrections, closing down of websites and cancellation of relevant operations permits. Equally, civil liability is envisaged where violations of the provisions of cybersecurity law cause harm to others.
India has set up a Cyber Appellate Tribunal, which shall not follow the civil code but the principles of natural justice and the rules adopted in the cybersecurity law.
Finally, empowerments for authorities, ideally at cross-border level, against operators infringing foreign law are equally important. This also increases the likelihood that jurisdictions will be more inclined to enforce domestic law against operators on their territory.
Chinese authorities in charge of network information security supervision may block the transmission of information that infringes domestic law. In addition, foreign institutions, organisations or individuals may be held legally responsible or may be subjected to asset freezes or other punitive measures.
D. International aspects
Foreign certificates can be recognised by the domestic authorities in a passive manner; alternatively, regulation can make the issuing of domestic certificates or approvals easier if certain conditions are fulfilled. India recognises the certificates of foreign certifying authorities if mandatory requirements are satisfied – as determined in the more detailed Regulations. Tunisia affixes the same legal value to foreign certificates (with digital signature) if the issuing foreign certification body has concluded an agreement of mutual cooperation with a domestic certification body.
At a more general level, Japanese law promotes the country’s active participation in international norm setting and confidence building. The law also favours information sharing with foreign countries and international technical cooperation, such as active support for cybersecurity capacity building in developing countries and coordinated crackdowns on cybercrime.
III. Particular aspects
NYC specifically governs cybersecurity requirements for the sector of financial services. The regulations give authority to the “Chief Information Security Officer” for overseeing and implementing the cybersecurity program of the entity. Additionally, periodic risk assessments are envisaged as well as training for personnel and the incident response plan.
In August 2017, a Medical Device Cybersecurity Act was proposed in the US. The Act suggests introducing a “report card” that will indicate the cybersecurity functions of a medical device and – among others – the cybersecurity risk assessment conducted by the manufacturer, or a third party, explaining the risk of the device to patient safety and clinical hazards. Moreover, a specific cyber risk-assessment platform MDRAP was created to audit and generate a “Cyber Security Framework profile” of medical devices.
Hawaii has set up a blockchain technology and digital currency working group, which will determine best practices and develop education methods in the domain.
Similarly to the law of Saint Vincent and the Grenadines, the Tunisian law is extremely consumer-friendly when it comes to electronic commercial transactions. Such provisions secure the required informed consent of the consumer in cyberspace.
The Indonesian law on electronic transactions prescribes that economic operators that have successfully passed the assessment by the authorised certification body shall display a specific Trustmark certification logo on their website. This logo shall serve as proof of eligibility to conduct their business electronically.
Finally, the recent US-Israel agreement aims at facilitating cybersecurity research cooperation between the two countries.
IV. Further links
The Global Cyber Law Database (GCLD) is a good source of cyber legislation around the world. A report of the IOSCO (International Organization of Securities Commissions) presenting an overview of the regulatory approaches related to cyber security on financial markets can furthermore be found here.
Links to national reference legislation on cybersecurity: Japan
This article has been written by Ajda Mihelčič, M.A.S., on behalf of the Regulatory Institute, Brussels and Lisbon.