Cybersecurity Governance. Introduction. By Prof. Rolf H. WEBER
The Internet, as the most important global infrastructure, is an ecosystem in which international law, with all its perplexities, should exercise a relevant function, particularly in view of the threats to which cybersecurity is exposed. Yet the current approach of politicians, scholars and practitioners shows a persistent reluctance to embrace the challenges posed by cyberattacks to the most important international electronic network. An effective and coherent application of international legal concepts could support the efforts to realize a higher level of Internet integrity.
The integrity of the Internet depends on its proper functioning without technical interference and (unjustified) governmental intervention. During the last few years, different terms have been coined to describe this kind of integrity of the Internet. At the beginning, cybersecurity was the most used word, followed by other terms such as the stability and the resilience of cyberspace; hereinafter, cybersecurity will remain the keyword of the international law considerations.
Cybersecurity refers to processes and measures protecting networks and data from cybercrime. So far, no standard or universally accepted definition of the term cybersecurity exists. As the Internet Society remarked, as a catchword, cybersecurity is "frighteningly inexact and can stand for an almost endless list of different security concerns, technical challenges and solutions" ranging from the technical to the legislative. The International Telecommunication Union (ITU) defines cybersecurity as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the organizations' and users' assets.
General security objectives include (i) confidentiality, (ii) integrity, and (iii) availability, also known as the CIA triad in the information security industry. Here, confidentiality means that information is not improperly disclosed to unauthorized individuals, processes or devices; integrity refers to information being protected against unauthorized modification or destruction; availability pertains to timely and reliable access to data and information for authorized users. The International Organization for Standardization (ISO) defines information security as the preservation of confidentiality, integrity and availability of information in its ISO/IEC (International Electrotechnical Commission) 27000 family of Information Security Management System standards. Cybersecurity encompasses not only the protection of information and data but also the protection of assets that are not information-based and are vulnerable to threats.
Usually, the cyberthreat landscape is described by using a linear approach that distinguishes either between (i) threat agents, (ii) threat tools, and (iii) threat types, or between (i) computer network exploitations, (ii) computer network attacks, and (iii) information operations. While such categorizations are useful for certain legal qualifications, they do not paint a comprehensive picture of the very complex nature and characteristics of cyberthreats. The array of external and internal agents endangering cybersecurity is very wide, ranging from nation States to hackers and insiders. Threat tools encompass malware and its variants as well as botnets. Threat types include information modification or misuse, information destruction, unauthorized access, data breaches, data theft and distributed denial-of-service (DDoS) attacks.
The term governance can be traced back to the Greek word kybernetes, the steersman, via the Latin word gubernator to the English notion of governor, addressing aspects of steering and governing behavior. Consequently, cybersecurity governance looks at the measures taken by the concerned players with the objective of protecting information and data as well as the underlying assets and infrastructure.