Beyond the new "digital divide": analyzing the evolving role of national governments in Internet governance and enhancing cybersecurity.

Author: Shackelford, Scott J.
Position: II. Beyond WCIT: Comparative Studies in National and Regional Internet Regulations C. United Kingdom through Conclusion, with footnotes, p. 151-184
  1. United Kingdom

    Similar to the United States, the United Kingdom has identified terrorism and cyber attacks as the two greatest threats to national security in the twenty-first century. (219) Specifically, the British Foreign Secretary William Hague has called the epidemic of cybercrime "one of the greatest global and strategic challenges of our time." (220) British Military Intelligence, Section 5 (MI5) has called for urgent action to better manage the "'astonishing' levels of cyber attacks on U.K. industry" being perpetrated by criminals and states. (221) Yet it has been said that "there is no overarching regulation of cyber security in the U.K.," (222) and a doctrine of cyber power remains largely undefined, even as new revelations about U.K.-U.S. cyber espionage campaigns come to light. (223) However, the U.K. has created a Center for the Protection of National Infrastructure (CPNI), through which it engages in the protection of infrastructure by using a "criticality scale" to gauge priorities and tout the benefits of public-private partnerships to enhance cybersecurity. (224)

    In the United Kingdom, as in the United States, voluntary industry strategies and law enforcement regulations are intended to enhance CNI protection. The 2011 U.K. Cyber Security Strategy, which focuses on government contractors, states that the British government "will work with industry to develop rigorous cyber security ... standards." (225) However, it does not explain how the largely voluntary approach it envisions represents a change to the status quo sufficient to effectively meet this threat to British national security. (226) The Strategy does not spell out how the awareness of individuals and businesses about the cyber threat will be raised (227) or offer specifics about how the CPNI will help enhance cybersecurity for the "wider group of companies not currently deemed part of critical infrastructure," (228) but which are nevertheless essential to Britain's long-term economic competitiveness. On the regulatory side, the U.K. government has endorsed bills allowing police and security services to legally demand that ISPs and Internet users reveal passwords and privacy encryption codes. (229) Such initiatives are due at least in part to "the damage [cybercrime] does to the financial and social fabric of the country" (230)--and also may be in response to the growing capabilities of other antagonistic and allied cyber powers, including those of the European Union.

  2. European Union

    The European Union's approach to securing critical infrastructure (CI) was motivated by Madrid's terrorist bombings in March 2004. (231) In the aftermath, the EU Commission--the executive body of the European Union--adopted suggestions for how to enhance "prevention, preparedness and response to terrorist attacks involving [CI]." (232) CI in the European Union is defined broadly, referring to infrastructure that is "essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being, and the destruction or disruption of which would have a significant impact in a Member State as a result of the failure to maintain those functions." (233) Examples include sectors similar to those often cited in the United States, such as "telecommunication and energy networks, financial services and transport systems, health services, and the provision of safe drinking water and food." (234) But the interconnectedness of nations within the European Union dictates that all Member States must achieve a certain level of security and preparedness, lest other nations be negatively affected by cyber dysfunction or insecurity spilling across borders. (235) There has been a struggle to engage all of the relevant stakeholders, causing a state of affairs in which some Member States have excelled at enhancing cybersecurity while others have lagged behind--in part because of the difficulties of creating effective international public-private partnerships (iP3s). (236) This case study draws largely on official EU materials, focusing on recent Communications, (237) Resolutions, (238) and proposed Directives (239) to ascertain the current state and potential future direction of CI regulation in the European Union.

    1. Evolution of EU Cybersecurity Policymaking

      Most attempts to enhance cybersecurity at the EU level have been relatively weak, relying on either voluntary mechanisms for Member States or binding principles while allowing States some leeway in deciding how to achieve prescribed outcomes in their own national legislation. These efforts largely began in 2004, when the European Council--a body composed of the heads of state of each EU Member State--asked for the preparation of a strategy to protect CI. (240) During that same year, the European Union established the European Network and Information Security Agency (ENISA), intending that the new agency encourage and develop a culture of EU network and information security. (241) ENISA serves the European Union at large, including Member States as well as the private sector and private citizens, but from its beginning suffered from turf battles similar to those seen in the United States and China, as is discussed below. (242) Most recently, though, ENISA was given a new mandate that ensures its continued operation into 2020. (243)

      Also stemming from the European Union's 2004 efforts, the Commission established a 2008 Communication to create the European Programme for Critical Infrastructure Protection (EPCIP), which described the EU's overall approach to securing CI. (244) The EPCIP's framework included procedures for identifying and designating European CI and supports Member States in their respective activities concerning the protection of national CI. (245) It did not, however, require operators within Member States to report significant breaches of security or facilitate cooperation between Member States, though more recent proposals do, as is noted below. (246) As a subpart of EPCIP, in October 2008, the Commission proposed creating a Critical Infrastructure Warning Information Network that would focus specifically on enhancing the information-sharing process between Member States and developing an IT system in support of that goal. (247) In March 2009, the Commission's efforts expanded into adopting a Communication on Critical Information Infrastructure Protection (CIIP), (248) which involved an action plan to support Member States' efforts in preventing and responding to CI threats. (249) Then, in May 2010, the Commission proposed the Digital Agenda for Europe (DAE), which focused heavily on the interaction between cybersecurity and economic development. (250) DAE also emphasized involving all stakeholders in ensuring the security and resilience of infrastructure; focusing on prevention, preparedness, and awareness; as well as improving security mechanisms to respond to new forms of cyber attacks and cybercrime. (251)

      By March 2011, CIIP concluded that a purely national approach to tackling security and resilience challenges would not be sufficiently effective; rather, the European Union should continue trying to build a more cooperative approach across the EU region. (252) Most of the proposals in this Communication were scheduled to be implemented by 2012 but have not yet been realized as of this publication. (253) The stage was thus set for a new chapter in EU cybersecurity policymaking to unfold.

    2. 2013 EU Cybersecurity Strategy

      In February 2013, the Committee issued a new Communication that set out a proposal for dramatically boosting cybersecurity in the European Union. (254) Cecilia Malmström, EU Commissioner for Home Affairs, has said that the latest Communication "provides a basis for greater cooperation between the different actors" and "shows the direction for future work." (255) First, as in the DAE, the Communication is concerned with the long-term viability of e-commerce and incentivizes the creation of an EU culture of cybersecurity. (256) Second, it highlights the unique structure of the European Union, providing a strong incentive for EU-wide action. Due to the "borderless nature of the risks" and the interconnectedness of Member States' economies, simply leaving the protection of CI and cybersecurity up to each individual nation could incentivize free-rider Member States to benefit from the security investments of others. (257) The Communication does not centralize supervision and instead suggests that national governments are in the best position to organize the nuances of prevention and response to attacks, as well as to manage the interactions between the public and private sectors, using established policy and legal frameworks. (258) Nonetheless, the Communication states that national responses will likely require direct EU involvement. (259)

      In essence, the EU cybersecurity proposal contains five strategic priorities: (1) achieving cyber resilience; (2) reducing cybercrime; (3) creating a new cyber defense policy; (4) developing industrial and technological resources for cybersecurity; and (5) establishing an international cyberspace policy for the European Union that promotes core EU values. (260) To achieve the first goal, the Communication emphasizes cooperation between the public and private sectors, (261) though this has been much less difficult to prescribe than to accomplish, as has been shown in the U.S. context. (262) In addition, despite noting that "voluntary commitments" have been responsible for some progress, the Communication proposes legislation that would establish common minimum requirements for cybersecurity that would apply to each Member State. (263) This initiative is reminiscent of the binding cybersecurity performance requirements originally called for under the Cybersecurity Act of 2012 (264) and may be informed by the cybersecurity framework being developed as a result of President Obama's 2013 Executive Order...
