International Policy Framework for Protecting Critical Information Infrastructure

Affiliation

Center for Digital Strategies, Tuck School of Business (Bruce, Dynes, Brechbuhl); Institute for Security Technology Studies, Dartmouth College (Brown); I3P, Dartmouth College (Goetz); TNO (Verhoest, Luiijf, Helmus)

Summary

This 191-page discussion paper addresses emerging cyber-security-related risk factors, vulnerabilities, and challenges associated with the increasing dependence of governments and key sectors of the global economy on information and communication technology (ICT) and ICT-based services. Based on the premise that international and national policy issues surrounding cyber security are intertwined, the paper articulates a "network approach" that highlights the interdependencies and mutual responsibilities, and points out the need for collaborative actions. The authors hope to lay the groundwork for, and stimulate discussion about, a concrete policy framework for protecting ICT-based information infrastructures. The paper is designed to enable government and international entities to create "the right conditions to allow new e-economy and e-government services to contribute to significant economic growth and open, transparent, and vibrant societies". In short, this is meant to be a resource for countries seeking to begin or enhance information security at all levels: national, organisational, and individual.

The authors begin by stressing that cyber security is a collective concern - a shared responsibility among all who are connected with and use the ICT infrastructure. Among the major cyber issues they cite are email spam and denial-of-service (DoS) attacks, problems that could be prevented if individual users with always-on broadband internet connections implemented sufficient cyber security measures. But, "because the internet has no natural political boundaries, national boundaries are not effective to partition cyber security policy responsibilities.... Each stakeholder will need to take actions or communicate with other key actors in the private sector, semi-private sector, or the government, nationally or internationally."

This complex "network of conversations" is at the core of a risk management approach that draws on the insight that information about current and future vulnerabilities - and strategies for preventing or reducing them - must be communicated between and among stakeholders in other entities and at different levels. This approach is designed to encourage all stakeholders to act on the basis of a shared vision of cyber security challenges and responses. To illustrate what such an information flow would look like, the authors present a model that involves various "nodes" such as governmental bodies, computer emergency response teams (CERTs), service providers, and information sharing and analysis centres (ISACs). These nodes would share information related to specific functions, such as threat assessment and incident response; these communication relationships can be structured in various ways. According to the authors, both formal types of peer sharing and informal communication channels are important in this model.

The discussion paper lays out a complete set of national and international policy recommendations that draw on such strategies as these:

  • Create awareness of and incentives for cyber risk management at all levels - One example of an educational effort is use of public-health-type messages such as "safe surfing" to reach the general public. The goal is to create market expectations, such that consumers begin to demand that cyber security be integral to products and services from the start. Regulatory agencies and ICT ministries can also help spur such action by enacting procurement policies that strengthen the influence of market-related drivers, as well as policies that promote information sharing regarding cyber security.
  • Establish "a culture of security" - Develop and draw on such guidelines as the OECD Guidelines for the Security of Information Systems and Networks. Craft and share country case studies (such as those included in the CIIP Handbook, prepared by the Swiss Federal Institute of Technology) and undertake careful empirical documentation of cyber frameworks as an underpinning for future policy developments.
  • Develop international relationships - The authors describe a need to promote the development of information flows between a wide network of countries through collaborative research and information gathering. Yet "many developing countries have yet to become part of the international dialogue about cyber security." Strategies suggested here for broadening the circle of dialogue include drawing on the Global Regulatory Exchange of the International Telecommunications Union, or undertaking a series of virtual roundtables (perhaps organised by the Global Distant Learning Network of the World Bank). International non-governmental organisations could also have a crucial role to play, perhaps by developing a "cyber-exercise-in-a-box" and maintaining a staff whose purpose would be to recruit countries to participate in such exercises.
Source

Email from Genevieve C. Chan (Center for Digital Strategies, Tuck School of Business) to The Communication Initiative on August 16 2005; and Center for Digital Strategies website.