Redacted and replaced:
- “Ocaura” as an allied country.
- ██████ as Departments, Titles, and Names.
Dear Mr. ██████:
As the ██████ for Cyber Issues at the ██████ of ██████, I would like to advise you on the strategic implementations for Ocaura’s cybersecurity policy. Such a policy on a national level requires a very detailed and nuanced approach, tailored to the country at hand. I will go over in moderate detail the necessary laws, policies, and infrastructure required for Ocaura to roll out stage one of its initial cybersecurity strategy. I hope that you will go over this memo and pass along the recommendations to the foreign minister of Ocaura.
Because Ocaura is a moderately sized democratic country with a strong ICT sector, rolling out the initial stages of this strategy should not be too cumbersome. The primary purpose of this memo, then, will be to focus on the laws and policies required not only to implement the strategy but also to enforce the policies within. These laws and policies will revolve around three key areas:
- Targeting threats to the intellectual property of businesses and government within Ocaura.
- The critical infrastructure of Ocaura, including all ancillary infrastructure required to maintain the status quo.
- The safety and security of the citizens of Ocaura as it pertains to cybersecurity issues.
The first step in addressing said policies is to outline a general register of risks that new laws should address. Once drafted, we will establish a set of mitigation, contingency, and coping strategies to engage the risks at hand. As a broad level assessment, the risk categories for cyber-attack could fall into one or more of the following categories:
- Government espionage
- Economic espionage
- General cybercrime
- Cyberwar
I will go over each briefly below.
Government espionage involves actors, typically working on behalf of their respective governments, infiltrating the security systems of a nation-state with the intent of stealing sensitive political or intelligence information to give their government an upper hand.
Economic espionage involves actors stealing information from governments or private organizations (typically intellectual property) with the intent of using the information for commercial gain.
General cybercrime is a broader category, involving groups or individuals targeting other individuals, businesses, or governments for the sake of economic gain via fraud or theft (of intellectual property), general “fun and excitement” for the thrills, along with various other reasons.
Lastly, cyberwar involves actors engaging in a quasi “war” with an organization or nation-state, typically with the intent to cause harm to the target party. There is significant debate as to what constitutes cyberwar, or whether it has ever even happened. For this memo, however, we will assume it is a threat that needs addressing.
Based on these initial risks, Ocaura should begin the outline of its policy, focusing on which threats are most significant to the country. The priority, in this case, should focus on government espionage. Because of its massive military, national intelligence strategies are a likely target for a cyber-attack. Ocaura should focus on securing government systems and establishing stringent protocols for the mitigation and contingency of a cyber-attack targeting military intelligence. Ocaura can begin this process by instituting a dedicated cyber intelligence team focused on monitoring government network systems, and creating security baselines which signal alerts when action is needed.
Since any written law can only be enforced within the country of Ocaura (theoretically), laws defining the repercussions of political espionage typically will not do much in terms of deterrence. While repercussions for crimes against the state could be bundled into this, it will primarily apply to those conducting crimes from within the country. Therefore, agreements between countries should also be established regarding extradition. For political espionage, however, the hand behind the actor is typically another nation-state; hence such laws will be met with significant resistance (and denial, on behalf of the actor’s country). The best response then is to ensure it does not happen in the first place, and that can be done by implementing the team mentioned above and having the security protocols and responses in place.
Due to its advanced ICT structure, Ocaura’s second-largest threat is economic espionage targeting its businesses within. Typically in such a case, a company should be responsible for securing its private information and intellectual property. However, in the event an attack occurs, Ocaura needs to have laws in place which would protect the company and prosecute the attacker(s). This circumstance creates a gray area, particularly in the event the attacker is acting outside of Ocaura. We must establish that a detailed investigation will take place on behalf of all attacks on private businesses, and such attacks will be treated similarly to any theft or crime against a company or individual. Severe repercussions must be written into the policy to deter the economic benefit of IP theft, mainly in the form of significant fines against the actor or company behind the attack. We must also form a coalition which would include a board of individuals from law enforcement, private businesses, and legal experts, who would investigate possible sales of black market information, and establish appropriate punishments for entities caught purchasing such information.
To further deter the sale of stolen IP, we could set up dummy information to dissuade entities from purchasing openly on a black market. It is not the intention of such a law to entrap individuals or businesses but to inform them that dummy information is, in fact, out there, and to think twice before purchasing such information on the black market (as it could very well be a trap).
The critical infrastructure of Ocaura takes an alternate path in the policy realm. While the risks mentioned above do not directly address the issue, it does fall broadly under general cyber-crimes, with the intent to harm a nation-state and its population. With the evolution of cyber networking, the so-called “internet of things”, the threat of attack increases significantly as more and more systems are interconnected.
While such networking makes controlling extensive infrastructure easier, it is necessary to establish security protocols for such infrastructure, along with having contingency plans in place in the event of a critical shutdown. We must label attacks against the critical infrastructure of Ocaura as attacks against the state and prosecute as such. I had mentioned the nuances of cyber-war earlier, and in such an attack, we must consider the damage to a country’s infrastructure an act of war if done by a foreign entity, or domestic terrorism if done by an insider.
For all government systems and infrastructure, Ocaura should implement a law similar to FISMA in the US. Under such a law, each agency within Ocaura (including the new ones to be established) would develop and implement information security protocols, and create an open channel for sharing information between agencies. Additionally, Ocaura should share information with the US government regarding attacks on critical infrastructure and government systems.
While others may perceive this as the US prying into another country’s affairs, the sharing of such information between governments of allies is critical to understanding such threats and establishing better protocols for the future. Because Ocaura is an ally of the US, and the US is assisting them in this process, we must create an information-sharing agreement between the two countries, specifically regarding the topic at hand. Additionally, this sharing of information would help find novel or zero-day vulnerabilities, which would prevent new threats from staying unnoticed for too long.
As with any democratic country, Ocaura must respect the civil liberties of its citizens at all costs. While Ocaura could write stringent laws to ensure the safety of the population and economic stability, it is essential to draw a line on the reach of such policies. While ideally, Ocaura would want to ensure the safety of its citizens and the IP of its corporations, if it has to violate fundamental civil liberties such as privacy, the policies should be looked at more closely.
If Ocaura can establish a monitoring program pragmatically, and in such a way that fundamental civil liberties can stay intact, Ocaura should implement the policy. If not, it should be revised to meet those standards. Beyond the privacy issue lies a monetary implementation issue. That is, Ocaura should implement policies and programs which provide the best coverage for a reasonable amount of money. To offset a blanket security policy, Ocaura should protect its citizens via education. Citizens should have some autonomy over the information they share and the activities they conduct online. The role of Ocaura then should be to educate citizens on possible threats to their private data and teach them the essential mitigation strategies to prevent the vast majority of attacks. While such a policy certainly will not deter all cyber-crimes against citizens, it will ensure an adequate balance between privacy, security, and autonomy.
With that said, Ocaura should implement a law tentatively titled the “██████ ██████ and ██████ ██████ Act” of Ocaura (██████). This law will address the points I have discussed earlier and go more into detail regarding the nuances of each situation. This law will be the stepping stone for Ocaura to roll out its full cyber-security strategy in the years to come.
With any new law, we must monitor the implementation and enforcement for a given amount of time, and amend it accordingly to account for situations and circumstances unforeseen. To go over some general outlines, the ISCCA will initially cover the following:
- Allocating an annual budget for outlining the crimes falling under ISCCA, and the enforcement of the laws.
- Establishing a military intelligence team, whose primary focus is to detect and prevent political espionage, and develop mitigation and contingency strategies in the event it does happen.
- Forming a coalition between the public, private, and legal sectors to investigate and deter the sale of black market IP, along with establishing the definitions of what constitutes a cyber-crime.
- Initially defining the activities under which a cyber-crime takes place. Some examples:
  - Accessing systems without right
  - Interception of non-public information for any reason
  - Damage or alteration of data without right
  - Production of software which allows such crimes to take place
  - Sale of stolen IP to a third party
  - Any related crime which would be determined by the coalition above
- Instituting punishments for each category of crime, ranging from “misdemeanor-like” cyber-crimes to crimes against the state (Cyber Terrorism).
- Engaging all agencies within Ocaura to cooperate and share collected information regarding crimes and threats to government systems and critical infrastructure.
- Establishing an open agreement between the government of Ocaura and the businesses within, to share information regarding cyber threats, attempts, and attacks to businesses within Ocaura.
- Establishing an information-sharing agreement between Ocaura and its allied countries to enhance the cyber-security of each respective nation further.
- Establishing an active monitoring program on a national level to deter common threats such as malicious websites and emails. However, we must take steps to ensure the privacy of citizens and businesses.
- Establishing government-sponsored PSAs to educate the population on cyber threats, and steps they should take to ensure their safety online.
- Allowing for future addendums to this law, to account for situations and circumstances unforeseen.
Mr. ██████, I hope you find these recommendations useful, and explain to the foreign minister of Ocaura that these policies are just the beginning of a robust cybersecurity strategy. Many of my recommendations stem from policies we already have in place here in the US.
Because of the similarities between the US and Ocaura, these will serve as an initial practical framework for Ocaura’s strategy. As the country rolls out this policy and monitors its effects over the next few years, we should add addendums to account for the nuances specific to Ocaura, the political and economic relationships Ocaura has with its allies, and the corporations residing within Ocaura.
Sincerely,
Sherafgan Khan
██████ for Cyber Issues
██████ ██████ of ██████