Any individual or business that chooses to enjoy the benefits of the Internet is also choosing to take on the risk exposure that comes with operating in an international environment. This article describes that risk and frames a discussion about how to manage that exposure.
Speaking of governance makes some privacy advocates uneasy, but it is simply a negotiation by various stakeholders to shape their environment. Over the past three decades, since the passage of the International Telecom Regulations, the Information and Communications Technology (ICT) sector has exploded. This law allowed data communications to escape the heavy regulations imposed on circuit-switched voice communications and opened the door for the creation of the Internet.
For better or worse, this resulted in an Internet environment that spans territorial boundaries. Connecting to it, therefore, means you are operating in an international legal environment.
Who Governs the Internet?
The Internet is a collection of networks we often refer to as autonomous systems. While some networks are regulated by governments, there are nearly 200 different world governments, many of whom differ in what they view as a crime, and how they control that crime. Even where governments exert some control over a piece of the Internet, there are usually workarounds that were not anticipated. Internet governance is, therefore, distributed at best, and probably more accurately described as a complete anarchy.
Law Enforcement is Difficult or Impossible
Although US companies are no strangers to cyberattacks, the US is also one of the top sources of cybercrime. It is home to many of the world’s most famous hackers. The inability of governments to control their citizens has been compounded by state-sponsored attacks, such as when the US National Security Agency (NSA) was found to have been intercepting packages destined for foreign nations and installing monitoring beacons in the communications equipment.
The US is not the only ‘bad actor’, but this type of activity is contributing to distrust among governments and is interfering with commerce.
Within the US, technology companies have been struggling to comply with requests for information from foreign governments because doing so may breach US privacy laws. The CLOUD Act was motivated, in part, by Microsoft President Brad Smith’s plea to Congress to update the outdated Stored Communications Act (SCA). It brings some clarity to how the US government will manage certain requests should a foreign government demonstrate probable cause that a crime has occurred. That said, US law does not reign supreme in cyberspace.
Bringing Order to the Chaos is also Complex
Even with coordinated agreements with international partners, enforcement is expensive. There is a complex chain of intermediaries between the attacker and the victim. Each link increases the victim’s vulnerability. This is what has forced the FBI to prioritize crime. They are now facing off with nearly 200 countries’ cybercriminals. They are, understandably, overwhelmed. Until this is brought under control the FBI must prioritize a potential murder over an ongoing theft.
Each individual or organization must take proactive measures to make it unprofitable for criminals to target them. That is where cybersecurity governance can help manage what is otherwise complete chaos in cyberspace.
Setting an Organization’s Cybersecurity Policy
I have often said that cybercrime is not a technological issue, it is an economic one. Cybercrime can disrupt an organization from achieving its objectives, including in many cases, its survival. Of what benefit is accumulating wealth if one has no means of protecting it?
A well-funded church is just as attractive to a criminal as a well-funded drug-dealing ring. Probably more attractive. Many may cringe reading that statement, but if you do not face the reality, you cannot manage the risk. There is little purpose in setting up an organization to accomplish a mission if it has no ability to protect the people and assets that it relies on.
If you are just getting started, the first task is to establish your organization’s Information Security Policy. This should be developed alongside your overall business strategy. It should be reviewed and updated along with the annual budgeting process to ensure resources are allocated to address the risks.
This document dictates how management will prioritize and address cyber risk at the organizational level. It is complemented by other policies that address specific risks, such as the organization’s electronic messaging policy or the organization’s anti-malware policy. These policies are living documents that drive the formation of procedures that address the different risks and ensure that appropriate resources are deployed to address those risks.
With appropriate protocols in place, an organization can deter criminals from targeting them and mitigate the damage an incident can cause. With a solid foundation in place, an organization is positioned to innovate with confidence.