Chapman Law Review

Volume 19 | Issue 2 Article 5

2016 Protecting Intellectual Property and Privacy in the Digital Age: The seU of National Cybersecurity Strategies to Mitigate Cyber Risk Scott .J Schackelford Indiana University

Follow this and additional works at: http://digitalcommons.chapman.edu/chapman-law-review Part of the Law Commons

Recommended Citation Scott .J Schackelford, Protecting Intellectual Property and Privacy in the Digital Age: The Use of National Cybersecurity Strategies to Mitigate Cyber Risk, 19 Chap. L. Rev. 445 (2016). Available at: http://digitalcommons.chapman.edu/chapman-law-review/vol19/iss2/5

This Article is brought to you for free and open access by the Fowler School of Law at Chapman University Digital Commons. It has been accepted for inclusion in Chapman Law Review by an authorized editor of Chapman University Digital Commons. For more information, please contact [email protected]. 37838-chp_19-2 Sheet No. 53 Side A 05/09/2016 12:16:02 UN EWS .S !N ATIONAL UARDIAN ALT N 22 Million 32332731 , B , G 4/23/16 9:50 AM AM 9:50 4/23/16 AHOO , Y Toward a State-Centric CONOMICS OF E in , * 895 (2015). Y ’ (July 9, 2015, 3:17 PM), http://abc OL EWS .P UB hackers claiming an affiliation 445 1 .&P as was German Chancellor Angela , ABC N rrent and former federal government 3 NTRODUCTION EGIS I Why the Latest Government Hack is Worse than the Why the Latest Government Hack is Worse J. L (NATO Cooperative Cyber Defence Centre of Excellence, (NATO Cooperative Cyber Defence Centre Scott J. Shackelford (June 17, 2015), http://www.washingtonpost.com/opinions/ (June 17, 2015), http://www.washingtonpost.com/opinions/ OST Mitigate Cyber Risk Cyber Risk Mitigate Cyberattack Affects 1.1 Million CareFirst Customers Scott J. Shackelford & Andraz Kastelic, Scott J. Shackelford & .P , 18 N.Y.U. See ASH TRATEGIES S Cybersecurity Strategies to Strategies Cybersecurity , Ryan Evans, , W Also in mid-2015, myriad firms Blue Cross including 2 Scott Dance, even sports teams seem to be entering the fray with the 4 ECURITY S in the Digital Age: The Use of National of National The Use Digital Age: in the Assistant Professor of Business Law and Ethics, Indiana University; Edward Assistant Professor of Business Law and See Canada Government Websites Taken Down in Cyber Attack See Canada Government Websites Taken Down See See Computer in Merkel’s Office Hit by Cyber Attack: Report See, e.g. * Days in U.S. of the largest data breaches after one 2 3 4 1 M K YBER Protecting Intellectual Property and Privacy and Property Intellectual Protecting with Anonymous governmentcrashed several Canadian websites. Teller National Fellow, Stanford University Hoover Institution; Senior Fellow, Center for Teller National Fellow, Stanford University version of this research was published as Applied Cybersecurity Research. An earlier Failure: The Use of National Cybersecurity Gauging a Global Cybersecurity Market of Cyber Attacks Strategies to Mitigate the Economic Impact Pascal Brangetto ed., 2015). The author recently published an article discussing critical Pascal Brangetto ed., 2015). The author cybersecurity governance practices across infrastructure protection, cybercrime, and thirty-four nations. Cyber Peace?: Analyzing the Role of National Cybersecurity Strategies in Enhancing Cyber Peace?: Analyzing the Role of National Global Cybersecurity Snowden Affair hitting-an-agency-where-it-hurts/2015/06/17/ffca6c6a-1512-11e5-9ddc- (“[T]he United States’ rivals and e3353542100c_story.html [http://perma.cc/3NSF-3GA8] to induce or coerce government employees and enemies may have the leverage they need Mike Levine & Jack Date, contractors into providing classified information.”); Affected by OPM Hack, Officials Say C Do Not Delete Not Delete Do FBI probing the St. Louis Cardinals baseball teamFBI probing the St. Louis about [http://perma.cc/ZXJ6-M738]. news.go.com/US/exclusive-25-million-affected-opm-hack-sources/story?id= (June 18, 2015), http://www.theguardian.com/technology/2015/jun/18/canada-government- (June websites-taken-down-in-cyber-attack [http://perma.cc/5QE3-6DD5]. (May 20, 2015, 10:03 PM), http://www.baltimoresun.com/health/bs-bz-carefirst-data- breach-20150520-story.html [http://perma.cc/DCV7-6AUQ]. 14, 2015, 4:16 AM), http://news.yahoo.com/computer-merkels-office-hit-cyberattack- (June report-034919582.html [http://perma.cc/Z4RJ-YRCJ]. Merkel; Blue Shield were targeted, employees was compromised, government history, in which the private information of more than twenty-two million cu C Y 37838-chp_19-2 Sheet No. 53 Side A 05/09/2016 12:16:02 A 05/09/2016 53 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 53 Side B 05/09/2016 12:16:02 M K 7 L in C Y , , A 4/23/16 9:50 AM AM 9:50 4/23/16 These events events These 5 A similar argument 6 [Vol. 19:2 [Vol. The vital role of the private 8 (Mar. 3, 2014), http://www.homeland An Economic Analysis of Cyber Attacks IRE W 147, 153 (Paul Ducheine et al. eds., 2012) 147, 153 (Paul Ducheine et al. eds., 2012) Article, or indeed in a stand-alone Article, or indeed EWS N ERSPECTIVES Chapman Law Review Law Chapman P ECURITY S RITICAL :C OMELAND Helen Stacy, Professor, Stanford Univ., International Humanitarian Law Robert Beeres & Myriame Bollen, , H ARFARE (June 16, 2015, 1:37 PM), http://america.aljazeera.com/articles/2015/6/16/fbi- W See See See Framework May Be Regarded as de Facto NIST’s Voluntary Cybersecurity Sin: FBI Probes St. Louis Cardinals over Alleged Cyberattack See Cardinals Ethical Implications of Offensive Information Warfare (Apr. 11, 2007). These are questions admittedlyThese are questions large and complex far too to 6 7 8 5 / YBER AZEERA (discussing cybersecurity as a public good and, thus, we could define it as “the goods, (discussing cybersecurity as a public good in services, measures and techniques [that aim] to enhance the feeling of being secure cyberspace”). C Issues, Remarks at the Meeting of the Committee on Policy Consequences and Issues, Remarks at the Meeting of the Committee on Policy Consequences Legal Mandatory could be madeof national governments looking at an array that run the gambit in terms to enhance national of their efforts wecybersecurity. Are then a global cybersecurity market facing whatfailure? And if so, be done about it to better can realistically and liberties in the property and civil rights protect intellectual digital age? comprehensively tackle in this volume. However, a foundation for analysis it is possible to lay somethat helps to break new literature while ground in the fromassessing cybersecurity best practices the public and private to help promotesectors that can cross-pollinate a global culture this Article analyzes State of cybersecurity. In particular, involvement in cybersecurity, including those policies aimed at mitigatingthat fall cyberthreats targeting intellectual property below the armed attack threshold—namely cybercrime and espionage—by national cybersecurity analyzing thirty-four strategies across the dimensions of economic espionage, and civil rights and liberties. intellectual property theft, J 446 world. Some have gone so far to argue that we are facing a a facing Not Delete Do are we that argue to far so gone have both the tumultuoushighlight of diverse array nature and Some around the sectors public and private facing the cyberthreats world. market failure when it comes cybersecurity to effective, proactive management in which effectively internalized are not being costs actors or laggards. either bad to punish Although the focus is on national cybersecurity strategies, Although the focus is on related domestic follow-up initiatives are also considered, initiatives being pursued by including “voluntary” bottom-up United States and Germany,leading cyber powers like the such as the U.S. National for Standards and Technology Institute (“NIST”) Cybersecurity Framework. allegedly hacking into competitors’ hacking allegedly databases. securitynewswire.com/dr20140303-nist-s-voluntary-cybersecurity-framework-may-be- regarded-as-de-facto-mandatory [http://perma.cc/39DQ-DN4W] (reporting on the extent to which NIST Framework recommendations are becoming more mandatory). reportedly-probes-cardinals-over-cyberattack.html [http://perma.cc/5XV3-3KWP].reportedly-probes-cardinals-over-cyberattack.html 37838-chp_19-2 Sheet No. 53 Side B 05/09/2016 12:16:02 B 05/09/2016 53 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 54 Side A 05/09/2016 12:16:02 The , 13 OPIC YBER EACE , CIO P C :T 447 447 ://perma.cc/ still a YBER 4/23/16 9:50 AM AM 9:50 4/23/16 14 C CONOMICS OF E UIDANCE ANAGING G in ,M (Aug. 1, 2012, 11:12 , Joel Bronstein, Peter Maass & Megha EARCH OF S N UBLICA ANDSCAPE ISCLOSURE :I P L see also RO HACKELFORD see also , P ., CF D J. S legal liability, and costs legal liability, IN ELATIONS 11 R Managing Unplanned IT Outages .F COTT ORP Indeed, calculating the costs of Indeed, calculating AND C , 10 Even as more move jurisdictions YBERTHREAT 13 OF . C IV As a representative from TechAmerica, USINESS ,D 12 N ,B ’ AW Economics of IT Security Management L OMM .C 71, 74 (L. Jean Camp & Stephen Lewis eds., 2004). (Oct. 13, 2011), https://www.sec.gov/divisions/corpfin/guidance/ XCH SSESSING THE SSESSING A . 257, 271 (2012) (citing TSC Industries, Inc. v. Northway, Inc., 426 U.S. 9 .&E , Katherine O’Callaghan et al., ECURITY I. S EC Does Cybercrime Really Cost $1 Trillion? ECH NTERNATIONAL I YBERSECURITY Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age Sheldon Whitehouse, U.S. Senator for R.I., Cyber Threats (July 27, 2010) Sheldon Whitehouse, U.S. Senator for Huseyin Cavusoglu, TechAmerica, Comments on Cybersecurity, Innovation and the Internet Economy U.S. S topic, see generally S For more on this e.g. See, Analyzing the cost of cyberattacks globally or to any one or to any cyberattacks globally the cost of Analyzing 9 J.L. & T 12 13 14 10 11 .2C M K O TTACKS IN NFORMATION cfguidance-topic2.htm [http://perma.cc/MM2Y-MTLZ]; Balance Between Informing Investors and Protecting Companies: A Look at the Division of Balance Between Informing Investors and Protecting Companies: A Look at the Division Corporation Finance’s Recent Guidelines on Cybersecurity Disclosure Requirements N.C. attacks is also challenging for firmsattacks is also themselves, especially over the impactbecause of questions of a data breach on brand price of downtime,reputation, the particular nation is a difficult matter,particular nation made more the lack so by and a commonof verifiable data figure vocabulary. Consider the moreoften heard that lost to than $1 trillion has been cybercriminals, whichhas been attacked for, among other methodologicalreasons, the problems associated with global trends fromextrapolating limited (and sometimes survey data. unrepresentative) toward a more robust disclosure regime, problems continue; for example,U.S. even though the Securities and Exchange Commission has required that firms disclose “material” losses since 2011, cyberattacks leading to financial AM), http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion [http AM), http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion estimates on which the $1 trillion figure was 7BGN-QQSH] (critiquing McAfee and other based). associated with to confidential or access a “competitor’s proprietary information.” (transcript available at http://www.whitehouse.senate.gov/news/speeches/sheldon-speaks- in-senate-on-cyber-threats [http://perma.cc/32CA-R8Z9]); Rajagopalan, 3–4 (Sept. 20, 2010), http://www.nist.gov/itl/upload/TechAmerica_Cybersecurity-NOI- Comments_9-20-10.pdf [http://perma.cc/UW8Z-BT3K]. (Jan. 24, 2010, 10:00 PM), http://www.cio.co.nz/article/468694/managing_unplanned_it_ outages/ [http://perma.cc/4LEY-RNJ7]. an advocacy group for the U.S. technology industry, wrote in late 2010, such “calculations are incomplete estimates and at best, sorely understated at worst.” I N sector to help identify and instill cybersecurity best practices is is practices best cybersecurity instill and identify to help sector to fostering approach of a polycentric as part also considered cyber peace. A 2016] Do Not Delete Not Delete Do 438, 449 (1976), which defined “material” as “a substantial likelihood that the disclosure 438, 449 (1976), which defined “material” as “a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having (2014). C Y 37838-chp_19-2 Sheet No. 54 Side A 05/09/2016 12:16:02 A 05/09/2016 54 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 54 Side B 05/09/2016 12:16:02 , M K C Y LOBAL Brian G (Mar. 16, OMPUTER . (Aug. 3, K 127 (2005), , C IRE 4/23/16 9:50 AM AM 9:50 4/23/16 W Yet, that CONOMICS OF W see also SEC Increases E 17 RAMEWORK AND ://perma.cc/NC6R- (July 14, 2014), EPORT HE EWS T R N :AF ECURITY in OARD STIMATING THE , , S RUG B Cyberattacks Abound Yet D :E HREAT T . (Apr. 3, 2013, 6:00 PM), ECURITY S US ORLD OSSES B [Vol. 19:2 [Vol. . Andrew Collins, L YBER cf ,W TANDARDS C ET .S OMELAND RIME ,N CCT , H A a significant financial impacta significant on us-cybercrime-losses-double [http://perma.cc/ &C / LOOMBERG TUDIES , B S larger than estimates the global for RUGS L ’ 265, 266 (Rainer Böhme ed., 2013), http://weis2012. 265, 266 (Rainer Böhme ed., 2013), http://weis2012. D ETHINKING THE NT That is a difficult startingis a difficult That point, I ,R 16 ON . though in truth, no one really knows for though in truth, Measuring the Cost of Cybercrime RIVACY 18 FF USTAINABILITY Chapman Law Review Law Chapman P O 2007 CSI Computer Crime and Security Survey 2007 CSI Computer Crime and Security , S HARNEY As a result, some As a result, so far as to argue have gone C TRATEGIC 2 (2014), http://www.mcafee.com/us/resources/reports/rp-economic- 15 U.N. .S TR COTT But motivations and targets abound in can overlap The Myth of That $1 Trillion Cybercrime Figure , C U.S. Cybercrime Losses Double , S 5 (2009), http://www.microsoft.com/downloads/en/details.aspx?displaylang=en http://www.microsoft.com/downloads/en/details.aspx?displaylang=en 5 (2009), ECURITY AND , (Feb. 20, 2014, 10:38 AM), http://www.techrepublic.com/article/cyberattacks- . 3, http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf [http://perma.cc/ . 3, http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf see also 20 S homelandsecuritynewswire.com www.securityweek.com/myth-1-trillion-cybercrime-figure [http Chris Strohm, Eric Engleman & David Michaels, // e.g. NST YBERCRIME , For example, are often broken down cyberattacks into I C 19 Cyberattacks Fallout Could Cost the Global Economy $3 Trillion by 2020 Cyberattacks Fallout Could Cost the Global ORWARD EPUBLIC See, e.g. See, See Robert Richardson, Robert Ross Anderson et al., e.g. See, See The true economic impact of cyberattacks is unknown, but F R 19 20 16 17 18 15 OST OF ECH ATH ECURITY NFORMATION Companies Tell SEC Losses Are Few Scrutiny on Cyberattacks four main categories: cyber terrorism, warfare, crime, and espionage. fallout-could-cost-the-global-economy-3-trillion-by-2020/ [http://perma.cc/4ULX-UWQD].fallout-could-cost-the-global-economy-3-trillion-by-2020/ that financial informationthat financial cybercrime about only reflects “approximate guesses.” &FamilyID=062754cc-be0e-4bab-a181-077447f66877. econinfosec.org/papers/Anderson_WEIS2012.pdf [http://perma.cc/45NS-92ZP]. http://www.unodc.org/pdf/WDR_2005/volume_1_web.pdf [http://perma.cc/H7XG-SYY3] http://www.unodc.org/pdf/WDR_2005/volume_1_web.pdf [http://perma.cc/H7XG-SYY3] (estimating more than $320 billion); the “[s]ize of the global illicit drug market in 2003” at Robert Vamosi, P S I C significantly altered the ‘total mix’ of information made available”). of information made available”). significantly altered the ‘total mix’ 448 Do Not Delete Not Delete Do impact-cybercrime2.pdf [http://perma.cc/4Z6H-G4G2] [hereinafter CSIS]; impact-cybercrime2.pdf [http://perma.cc/4Z6H-G4G2] Taylor, T T55H-N5UE]. http://www.bloomberg.com/news/articles/2013-04-04/cyberattacks-abound-yet-companies- tell-sec-losses-are-few [http://perma.cc/3D4E-GWJ8]; needless to say, for policymakersneedless and managers alike. http://www.sasb.org/sec-increases-scrutiny-cyberattack-disclosures/ [http://perma.cc/859R- http://www.sasb.org/sec-increases-scrutiny-cyberattack-disclosures/ of multiple companies, focusing on data BP98] (“[T]he SEC has opened investigations (or lack of) to investors.”). security processes and disclosure on breaches minority firms traded publicly of fewer even data and offering are has had that it are volunteering their operations. F2UP-7J7M]; 2010), http: sure how big of a problemsure how big of are for the reasons stated cyberattacks above. 2012), http:// is the state of play at present. Thus, with those caveats, this Part those caveats, Thus, with of play at present. is the state provides some global on the cyber threat facing the background economy cyber powers—the the lens of three leading through United States, Germany, and China. A. Global Losses to Cyberattacks contested estimates range from to more $400 billion than trillion (which is a figure $2 illegal drugs market), W2XM]. 37838-chp_19-2 Sheet No. 54 Side B 05/09/2016 12:16:02 B 05/09/2016 54 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 55 Side A 05/09/2016 12:16:02 25 OWER The P 449 449 ECURITY 26 (Dec. 31, , S 4/23/16 9:50 AM AM 9:50 4/23/16 YBER ,C EWSWEEK , N China is ranked AMILTON 23 H , http://cybermap.kaspersky.com/ LLEN A AB organization to conduct to conduct organization L OOZ ng technical industries and be briefly discussed in turn to be briefly discussed in turn to ,B NIT ASPERSKY though it is also telling that a though it is U 4 (2015), http://www.boozallen.com/media/file/ a.cc/38MN-FUH9]. 21 , K 2014: The Year in Cyberattacks McAfee Report on the Global Cost of Cybercrime ETHODOLOGY NTELLIGENCE I M However, terms in the United of a “cyber footprint,” , Sharone Tobias, 24 The elite cyber powers, The elite cyber are not fairing much though, CONOMIST 22 Pierluigi Paganini, E INDINGS AND Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age See id. See See Id. Cyberthreat Real-Time Map See e.g. See, :F There is not yet a consensus on the identity of the leading There is not yet a consensus 1. The United States described as being the The United States is frequently 21 22 23 24 25 26 . (June 10, 2014), http://securityaffairs.co/wordpress/25635/cyber-crime/mcafee-report- M K FF NDEX better. B. Impact the Leading Cyber Powers on global cyber powers. According to Booz Allen—a consultancy—for example,contenders are the United Kingdom, the top three in that order. United States, and Australia, 2014, 12:28 PM), http://www.newsweek.com/2014-year-cyber-attacks-295876. global-cost-cybercrime.html [http://perm A I cyberspace; howcyberspace; state-sponsored a classify one should a criminal involving cyberattack economic for example? espionage, ambiguity Such means that some estimates as cybercrime, secrets losses count trade while legal the different given espionage, whichothers as meaningful is many ways, describing In each scenario. to pursue under avenues Needless then, is a cyberattack, to say, of the beholder. in the eye problem are a large and growing though, cyberattacks for nations, firms, and ultimately, the world. The individuals around G20 nations were estimatedlost $200 billion to to have 2014 alone, cyberattacks in 2016] Do Not Delete Not Delete Do Thus, each of these nations will provide some context for discussion. nation with to cyberattacks due to the greatest susceptibility networks and the presence both the high number of insufficient of valuable—in some cases world-leading—trade secrets. (last visited Mar. 26, 2016). Cyber_Power_Index_Findings_and_Methodology.pdf [http://perma.cc/T82L-Y25P]. States, Germany, and China are, in some of ways, in a league their leadi their own because of vulnerability to cyberattacks—the United States and Germany were the second and third most as of June 19, targeted nations firm2015, according to the cybersecurity Kaspersky Labs. thirteenth. cohesive strategy has yet to emergecohesive strategy from this forum—comprising some 85% the global economy—to of better handle on the get a problem. C Y 37838-chp_19-2 Sheet No. 55 Side A 05/09/2016 12:16:02 A 05/09/2016 55 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 55 Side B 05/09/2016 12:16:02 M K 1 C Y it is ECURITY L.J. 305, 30 S L ’ 4/23/16 9:50 AM AM 9:50 4/23/16 RAMEWORK Likewise, Likewise, NT F 27 NFRASTRUCTURE .I I ATIONAL EX YBERWARFARE AND N illion-annually/2014/ ]. S ’ 15–17 (2010)). , C , 50 T RITICAL C MERICA YBERSECURITY ABIGER A PPROACH C RAMEWORK A [Vol. 19:2 [Vol. F E. H Report: Cybercrime and Espionage MPROVING ., I OWER AND note 23, at 3. TRATEGIC Whether is enough to help it P UGENE RELIMINARY ECH Toward a Global Cybersecurity Standard of This Frameworkis important 31 T argue that it helps to solidify a argue that it helps 29 (June 9, 2014), http://www.washingtonpost.com/ U.S. S supra YBER YBERSECURITY , C OST S EW ’ 13636: P NIT N .P U HINA ASH RDER ,C Chapman Law Review Law Chapman O The impact on the German of cyberattacks TANDARDS AND NIST’s Finalized Cybersecurity Framework Receives Mixed NIST’s Finalized Cybersecurity Framework , W S 32 EED FOR A PADE note 18, at 3. N OF . NTELLIGENCE HE M. S I Yet, despite the amount Yet, despite current and potential of NST XECUTIVE I :T 28 E , supra L ’ , Scott J. Shackelford et al., AT AYSON Ellen Nakashima & Andrea Peterson, N Within Europe, Germany and the Netherlands J CSIS 33 CONOMIST , CSO (Jan. 31, 2014, 7:00 AM), http://www.csoonline.com/article/2134338/ Taylor Armerding, e.g. See, E See See See See 2. Germany2. According to Booz Allen, Germany five “is one of only 30 31 32 33 27 28 29 YBERTERRORISM YBERSECURITY countries (the others being the United Kingdom,countries (the others being the the United have a comprehensiveStates, France, and Japan) to national cyber plan and a comprehensive cybersecurity plan” which is “a key to its success.” spurring the development of cybersecurity care in of a standard the United and beyond. States economy as it has for the United has been severe, States and three nations comingChina, with a total loss for all in at $200 billion. 310 (2015). a report by the U.S.a report UnitCyber Consequences estimates losses frommajor a attack on U.S. at roughly critical infrastructure $700 billion. Costs $445 Billion Annually Reviews security-leadership/nist-s-finalized-cybersecurity-framework-receives-mixed-reviews.html [http://perma.cc/4MNM-V9E9]. since, even though its critics since, even though challenges, to the nation’s cybersecurity reactive stance protect the intellectual property of U.S.protect the intellectual property firms civil rights or the and liberties of U.S. citizens, though, remains to be seen. C C 450 Do Not Delete Not Delete Do (2013), http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf [http://per (2013), http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf ma.cc/QK8T-NY7U] [hereinafter NIST C 06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html [http://perma.cc/5XC3-3LFP]. 06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html [http://perma.cc/5XC3-3LFP]. world/national-security/report-cybercrime-and-espionage-costs-445-b impact U.S. on the attacks of these economylarge, some is say enormous—more 40 million than U.S. were citizens victims of McAfee to one in 2014 according cyberattacks survey. 26 (Jeffrey L. Caton ed., 2012) (citing E 26 (Jeffrey L. Caton ed., 2012) (citing loss, the U.S.loss, the government slow been relatively has at developing a comprehensivecongressional In the face of cybersecurity policy. Obamainaction, President an executive order that, among issued public-privateother things, expanded information sharing and NISTestablished the Framework comprised partly of practices that companiesprivate-sector best better could adopt to infrastructure. secure critical Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices 37838-chp_19-2 Sheet No. 55 Side B 05/09/2016 12:16:02 B 05/09/2016 55 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 56 Side A 05/09/2016 12:16:02 INISTRY ) in 451 451 In sum, .M 4/23/16 9:50 AM AM 9:50 4/23/16 34 ED F (Chi. J. Int’l L. 38 , , http://www.internet TATS S Unpacking the International IVE L This set of BSI standards This set of BSI 37 note 23, at 5. NTERNET Yet the German Yet the to response ,I 35 supra , (1997), http://www.ieee-security.org/Cipher/ Germany also been active in has 36 NIT U ) in 1994. Bundesamtin der für Sicherheit ECURITY S BSI Offers Free IT Baseline Protection Manual, Solicits , or “BSI”) first released its IT Baseline NTELLIGENCE Yet, as with the United States, China’s note 18, at 9. I 39 OMPUTER Cyber-Sicherheitsstrategie für DeutschlandCyber-Sicherheitsstrategie , supra see also Cyber-Sicherheitsstrategie für Deutschland IT-Grundschutz CONOMIST Carsten Schulz, E CSIS , IEEE C (2015), http://www.bmi.bund.de/DE/Themen/IT-Netzpolitik/IT-Cybersicherheit/ Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age Scott J. Shackelford, Scott Russell & Andreas Kuehn, See See See Internet Users by Country (2014) See id. See 3. China 3. Although much especially in the Western of the attention, 36 37 38 39 34 35 M K NTERIOR press, has been paid to Chinese cyberattackers targeting the cyberattackers press, has been paid to Chinese trade secrets of advanced firms, including those based in the United States and Germany, China is also a leading victim of largest economycyberattacks; it is the second in the world with the most of any nation on Earth—some Internet users 640 million as of June 2015—more than double the number of U.S. citizens online. Newsbriefs/1997/971004.bsiITmanual.html [http://perma.cc/CJG4-R6EN]. by some estimates Germany approximately is losing 1.6%its of annually. cyberattacks GDP to contains recommendations been for cybersecurity and has adopted by German and international stakeholders; corporations some are now available of the standards in English, Swedish, and Estonian. In summary, Germany’s comprehensive approach to cybersecurity policymaking stands in contrast to both the United top marksStates and China and has earned for being the most robust cybersecurity legal environment in the world. livestats.com/internet-users-by-country/ [http://perma.cc/8Q7WG-CVCL]. I particularly stand out for their losses to cybercriminals. losses for their stand out particularly 2016] Do Not Delete Not Delete Do Cybersicherheitsstrategie/cybersicherheitsstrategie_node.html [http://perma.cc/8AWD- JME5]. cybersecurity strategy remains fragmented, even as its such cyber insecurity has been impressive. insecurity such cyber particular, the In governmentfederal German approved the Cybersecurity ( Strategy February 2011. The “[s]trategy recognizes cyberspace as an cyberspace “[s]trategy recognizes 2011. The February essential domain for the German state, economy, society, and and emphasizes a core of critical infrastructure as the protection priority.” cybersecurity policy Informationstechnik Protection ( identifying and spreading cybersecurity best practices in a spreading cybersecurity best identifying and similar vein as the NIST Framework. for The Federal Office Information( Security Law on Cybersecurity Due Diligence: Lessons from the Private Sector Law on Cybersecurity Due Diligence: Lessons the first publication of portions of these Research Paper No. 15-64, 2015) (representing case studies); Comments C Y 37838-chp_19-2 Sheet No. 56 Side A 05/09/2016 12:16:02 A 05/09/2016 56 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 56 Side B 05/09/2016 12:16:02 , , M K 43 C Y HINA Beyond , C 4/23/16 9:50 AM AM 9:50 4/23/16 Among the which may which 40 44 Hauke Johannes Karen Kornbluh, , Dec. 9, 2014, at 1, 2, see also Beyond the New “Digital See ONITOR [Vol. 19:2 [Vol. M J. (2014), http://democracyjournal.org/ HINA note 36, at 20; .: C L. 119 (2014). government officials. EMOCRACY L TUD ’ Civil liberties and, until relatively China Defends Censorship After Google Threat Indeed, China’s official government official Indeed, China’s supra The ‘Chilling Effect’ of China’s New Cybersecurity S 41 42 NT 45 , 34 D .J.I HINA TAN .C How to Enhance Cybersecurity and Create American Jobs How to Enhance Cybersecurity and Create Chapman Law Review Law Chapman NST I (July 10, 2015), http://foreignpolicy.com/2015/07/10/china-new- , 50 S Y ’ OL (Feb. 27, 2014, 8:43 PM), http://news.xinhuanet.com/politics/2014- (July 16, 2012, 2:09 PM), http://www.huffingtonpost.com/scott-j- P OST ERCATOR P Bethany Allen-Ebrahimian, OREIGN INHUANET (Mar. 26, 2013), http://www.china-briefing.com/news/2013/03/26/china-to-further- (Jan. 14, 2010, 9:02 AM), http://www.reuters.com/article/2010/01/14/us-china- Cyber Security in China: New Political Leadership Focuses on Boosting National Cyber Security in China: New Political Leadership , 20 M , F , X Further Strengthen Intellectual Property Rights Protection See China to Chris Buckley & Lucy Hornby, See For more background on the comparative regulation of critical infrastructure, see See China Must Evolve from a Large Internet Nation to a Powerful Internet a Large Internet Nation See China Must Evolve from Shackelford, Russell & Kuehn, Although the onus is on the cyber powersAlthough the onus is on the cyber in many ways to be 42 43 44 45 40 41 UFFINGTON EUTERS RIEFING recently, intellectual property protectionrecently, intellectual not been priorities have government.for the Chinese Gierow, Security cybersecurity-law-internet-security/ [http://perma.cc/TJD7-3TZX]. shackelford/how-to-enhance-cybersecurity_b_1673860.html [http://perma.cc/WUB3-C6E4]. [http://perma.cc/WUB3-C6E4]. shackelford/how-to-enhance-cybersecurity_b_1673860.html R Regime generally Scott J. Shackelford & Amanda N. Craig, Analyzing the Evolving Role of National Governments in Internet Governance and Divide”: Enhancing Cybersecurity Nation B 452 Do Not Delete Not Delete Do http://www.merics.org/fileadmin/templates/download/china-monitor/China_Monitor_No_2 is far from alone in seeking to protect its 0_eng.pdf [http://perma.cc/Z2LX-7V24]. China cybersecurity. domestic industry in the name of enhancing help explain China’s lowerhelp explain China’s power cyber to the rating relative States or Germany. United Yet even with regulation, as broad scope of state-centric this compared to the moreNIST bottom-up Framework and BSI been criticized as lacking efforts have Standards, China’s effective enforcement or being otherwise misguided, C. Summary norm enhance global cybersecurity, there is entrepreneurs and no island in cyberspace. Nations around the world have a role to play in combating this global collective action problem. Yet as we developmentimplementation and political garnered recently has senior of high-ranking support strengthen-intellectual-property-rights-protection.html [http://perma.cc/G2F2-PLJE]. strengthen-intellectual-property-rights-protection.html magazine/34/beyond-borders-fighting-data-protectionism/?page=all [http://perma.cc/GW49- magazine/34/beyond-borders-fighting-data-protectionism/?page=all 59RD]; Scott J. Shackelford, H usa-google-idUSTRE60C1TR20100114 [http://perma.cc/2G8E-7VUD]. 02/27/c_119538788.htm [http://perma.cc/4DZ8-TEYQ]. 02/27/c_119538788.htm [http://perma.cc/4DZ8-TEYQ]. actions taken in China’s current cybersecurity strategy are are strategy current cybersecurity taken in China’s actions China’s “addressing protections critical infrastructure enhanced issue, the as a security technology on foreign dependency promotion build-up of standards, the cryptography of Chinese mobile next-generation infrastructure, broadband technology, and e-government services.” position remains opinion is a that “[p]roperly guiding Internet major measure for protecting Internet information security.” Borders: Fighting Data Protectionism 37838-chp_19-2 Sheet No. 56 Side B 05/09/2016 12:16:02 B 05/09/2016 56 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 57 Side A 05/09/2016 12:16:02 . 47 UB NLINE O 453 453 .&P J. 39, 82 4/23/16 9:50 AM AM 9:50 4/23/16 EGIS J. L ECURITY S First, though, L 48 ’ ONTROL IN THE AT ATIONAL :C .N N , 18 N.Y.U. Loving the Cyber Bomb? The ARV ,3 H ,3 YBERSPACE C TRATEGIES S VOLUTION OF VOLUTION (George Mason Univ. Mercatus Ctr., Working E EGULATION OF R HE However, some room regulatory is left even ,T YBERSECURITY Jerry Brito & Tate Watkins, IRTH AND IRTH AND 46 C B URRAY HE But see Toward A State-Centric Cyber Peace?: Analyzing the Role of National T D. M II. 165–66 (2007) (internal quotation marks omitted). 165–66 (2007) (internal quotation marks omitted). at 166. NDREW Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age Id. For more background on methodology and other related issues, such as A The affirmative choice was made to conduct this targeted Those, such as Judge Frank Easterbrook, who advocate “that Judge Frank Easterbrook, who Those, such as 895 (2015) (representing a comparative study of national cybersecurity strategies 895 (2015) (representing a comparative study of national cybersecurity strategies 47 48 46 Y ’ M K NVIRONMENT OL among free-market market proponents to correct imperfections. a few as well notes are offered on methodology, as on the birth to provide a strategies, and evolution of national cybersecurity framework for discussion. A. A Note on Methodology (“G34”) published national survey so as to analyze the thirty-four those nations withcybersecurity strategies representing and available in English as of cybersecurity strategies in place cybercrime, critical infrastructure protection, and governance, see Scott J. Shackelford cybercrime, critical infrastructure protection, and governance, see Scott J. Shackelford & Andraz Kastelic, Cybersecurity Strategies in Enhancing Global Cybersecurity Dangers of Threat Inflation in Cybersecurity Policy Dangers of Threat Inflation in Cybersecurity (2011) (making the case against there being a cybersecurity market failure); Eli Dourado, (2011) (making the case against there being a cybersecurity market failure); Eli Dourado, Is There a Cybersecurity Market Failure? the Paper No. 12–05, 2012) (arguing that market failures are not so common in cybersecurity realm). P E will which to the extent Part II, see in developing and developed alike are meetingnations gambit, burden runs the this opening more for other potentially the door stakeholders, innovative the private sector. including 2016] Do Not Delete Not Delete Do The question then is which,The question then cyber powers, if any, of the or other this cybersecurity nations, have gotten developed and developing analysis of right? Although a global regulatory balance of this Article, the is beyond the scope cybersecurity regulation strategies as a guide for focus here is on national cybersecurity focus of these nations strategic better understanding the national to guide the development of twenty-first century cyberspace. In particularly as their all, thirty-four nations are investigated policies relate to the economic impact of cyberattacks—including espionage mitigation intellectual property protection—along and liberties issues. with associated privacy and civil efficiency is the desired outcome” of the lawefficiency is the and that the free “market is the most believe desirable route to such efficiency,” displaces competitionthat regulation “defeat the and can even market altogether.” focusing on critical infrastructure protection, cybercrime, and governance). focusing on critical infrastructure protection, cybercrime, and governance). C Y 37838-chp_19-2 Sheet No. 57 Side A 05/09/2016 12:16:02 A 05/09/2016 57 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 57 Side B 05/09/2016 12:16:02 , M K 50 C Y 4/23/16 9:50 AM AM 9:50 4/23/16 Strategies and Policies , ENISA, http://www.enisa. [Vol. 19:2 [Vol. difficulties in attribution, difficulties in included in Appendices A and in Appendices included that simplistic institutional n of National Cybersecurity Strategies Strategies n of National Cybersecurity Chapman Law Review Law Chapman These data were amassed data These from European the 49 Strategies in the World See National Cyber Security It should be noted that three additional nations—Belgium, Luxembourg, and Luxembourg, It should be noted that three additional nations—Belgium, In general, it could be said that national cybersecurity could be said that national In general, it 50 49 NATO CCDCOE, https://www.ccdcoe.org/strategies-policies.html [http://perma.cc/527M- R94W]. europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national- europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national- cyber-security-strategies-in-the-world [http://perma.cc/2FGK-T7CG]; Romania—also had strategies in place at this time, but they were not available in English Romania—also had strategies in place at this to help identify some of the relevant as of this writing. We used Google Translate those data out of our primary analysis to help passages for other researchers, but kept ensure consistency. The countries analyzed are: Armenia, Australia, Austria, Canada, Italy, Colombia, Czech Republic, Estonia, Finland, France, Germany, Hungary, India, Japan, Latvia, Lithuania, Macedonia, Malaysia,Netherlands, New Zealand, Nigeria, Norway, Poland, Qatar, Romania, Russia, Slovakia, South Africa, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States. 454 Do Not Delete Not Delete Do Documentation of key findings is of key Documentation among mean other challenges, models on one-sided liability schemes, based the arbitrary interests, or a focus solely on separation of public and private malevolentrisk, are likely to do more actors as the source of harm selection and moral than good due to adverse hazard. is a political act; it creates Second, a cybersecurity strategy expectations and raises awareness among and civil businesses cybersecurity, governments However,society. addressing when need to answer the question of whether the competitive market withoutcan effectively enhance cybersecurity regulatory interference, or whether policymakers must address intervene to marketstructured in layers with failures. Cybersecurity is incidents ranging from “people may die” to “people may lose trust in e-commerce” and the that require adapted answers involvement of many actors, thus rendering governance of cybersecurity difficult, as shown by the ambiguity in many of the Third, trust and “fair” cybersecurity strategies surveyed. governance must such as by promoting be strengthened impartiality, reflexivity, and proximity; cybersecurity may be B. It should also be noted that the following study only analyzes only analyzes that the following also be noted B. It should study in whichthe instances key phrases were certain in the used More a “trade secrets.” strategies, such cybersecurity national and methodologicallynuanced work sophisticated to is needed unpack and comparegreater detail. these findings in B. and Evolutio Birth strategies stem from needs. First, cybersecurity at least three security theory adaptations beyond traditional requires flexible cyberspace. Volumestransposed to data, of unstructured inhumanly short time scales, and September 2014. Union and NATO;the information all of available. is publicly 37838-chp_19-2 Sheet No. 57 Side B 05/09/2016 12:16:02 B 05/09/2016 57 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 58 Side A 05/09/2016 12:16:02 455 455 4/23/16 9:50 AM AM 9:50 4/23/16 note 9, at 3. However, However, 51 Still,while , https://www.us- supra 52 , EAM T However, eleven 53 HACKELFORD EADINESS S R see also or norm development to help secret.” This is surprising given secret.” This is surprising given MERGENCY E while four nations (12%) referenced 54 Diplomacy Is Failing to Protect the United States’ Trade OMPUTER note 48, at 926. supra U.S. C National Cybersecurity Strategies National Cybersecurity (May 11, 2015, 1:51 PM), http://fortune.com/2015/05/11/diplomacy-is- Appendix A (these nations include: Armenia, Australia, Canada, , Robert Hackett, ORTUNE Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age See infra , F See About Us, For more information on how this timeline breaks down, see Figure 5 in e.g. See, Despite for comprehensive, the need and robust transparent, 1. Economic and Intellectual Property Protection Espionage Despiteeconomic the attention paid to the dangers of This section briefly reviews cybersecurity the G34 national 51 52 53 54 M K nations (32%) did discuss the importance of intellectual property protections more generally, cert.gov/about-us [http://perma.cc/Q96X-L3LL]; Shackelford & Kastelic, seen as a factor impairingfactor as a seen if Internet of the the openness are not aligned. incentives werestrategies, they cybersecurity national slow relatively to get example,going. For the United in many States ways pioneered beginning with cybersecurity, national of the first the creation in 1988. Response Team (“CERT”) Cyber Emergency 2016] Do Not Delete Not Delete Do many these new of have a great deal in common, strategies they myriadstill diverge in in the related areas of aspects including economicand civil property protection, espionage, intellectual next. rights, as is discussed of C. Analysis dimensionsstrategies analyzed across the of economic espionage, andintellectual property protection, civil rights, with the goal of determining those areas in which practices may be converging, f giving rise to opportunities promote cyber peace. manyespionage and trade secrets theft, if any nations pay little multifaceted attention to this aspect of the cyberthreat in their Onlynational cybersecurity strategies. for example, Russia’s, explicitly uses the term “trade both the importance of trade secrets, comprising much of the value of many leading firms, as well (and as the substantial well-publicized) risk of cyberattackers poaching this invaluable and often hard-won intellectual property. it was not the United States, but Russia that enacted among States, but Russia that it was not the United the first of what could be considered cybersecurity strategies national though, the in 2000. Since then, pace has picked up considerably date. the busiest year studied to with 2013 being failing-to-protect-the-united-states-trade-secrets/ [http://perma.cc/9JHF-M2DQ]. Secrets Estonia, Japan, Malaysia, New Zealand, Qatar, Russia, the United Kingdom, and the Estonia, Japan, Malaysia, New Zealand, Qatar, Russia, the United Kingdom, and United States). C Y 37838-chp_19-2 Sheet No. 58 Side A 05/09/2016 12:16:02 A 05/09/2016 58 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 58 Side B 05/09/2016 12:16:02 M K C Y 4/23/16 9:50 AM AM 9:50 4/23/16 58 note 48, at 916–19. supra [Vol. 19:2 [Vol. Only (12%) four nations 56 That is one reason why cybersecurity 59 It’s Privacy Versus Cybersecurity as CISPA Bill Arrives 57 Chapman Law Review Law Chapman (Apr. 25, 2013, 3:00 AM), http://www.pcworld.com/article/2036328/it- Protection Dimension Summary Chart Protection Dimension Appendix A (these nations include: Japan, Spain, Switzerland, and the ORLD , Melissa Riofrio, (these nations include: Australia, Italy, New Zealand, and Russia). Austria, Canada, France, (these nations include: Armenia, Australia, All mentioned at least the strategies of economic the 55 Figure 1: Economic Espionage and Intellectual Property Espionage and Intellectual Property Figure 1: Economic , PCW See id. See id. See infra See id. See, e.g. See, 2. Civil Rights and Civil Liberties 2. Civil Rights and Civil Liberties The difficulty of managing oftentimes cyberattacks is 55 56 57 58 59 s-privacy-versus-cybersecurity-as-cispa-bill-arrives-in-senate.html [http://perma.cc/5YGA- 9E9Z]. in Senate Germany, Italy, Japan, Netherlands, New Zealand, Norway, Russia, Spain, Switzerland, Germany, Italy, Japan, Netherlands, New Zealand, is the United Kingdom, and the United States). For more information on how cybercrime treated across these strategies, see Shackelford & Kastelic, United Kingdom). 456 Do Not Delete Not Delete Do explicitly used the phrase “economic used the phrase explicitly national in their espionage” cybersecurity strategies. patents. impact intellectual property for the causes of As of cyberattacks. nations (47%)theft, sixteen espionage the threat that referenced economies of their national the well-being poses to (as compared to 68% discuss cybercrime that perhaps owing to the sometimes more of espionage). opaque nature discussed as a balancing act between ensuring privacy and discussed as a balancing act promoting cybersecurity. reform legislation has been so contentious in the U.S. Congress, 37838-chp_19-2 Sheet No. 58 Side B 05/09/2016 12:16:02 B 05/09/2016 58 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 59 Side A 05/09/2016 12:16:02 , 61 . 1087 457 457 EV G.A. Res. . (Dec. 19, Part of Part of TR 60 4/23/16 9:50 AM AM 9:50 4/23/16 C .L.R Such a high Such a high see also EWS ALIF 63 , 90 C , U.N. N U.N. , including the 1948 Universal NewsID=46780&Cr=privacy&Cr1=#.UtKxr S. context is that privacy itself is is that privacy S. context and a 2013 U.N. General Assembly and a 2013 U.N. Conceptualizing Privacy 64 telligence Sharing and Protection Act and Protection Sharing telligence Other areas of agreement between the 65 The Struggle of a Democracy Against Terrorism—Protection of Daniel J. Solove, L.J.(2004) (recognizing that national tragedies can cause 27, 28–30 L ’ Appendix B (these nations include: Australia, Austria, Estonia, Czech Australia, Austria, Estonia, Appendix B (these nations include: Appendix B (these nations include: Armenia, Australia, Austria, Canada, Appendix B (these nations include: Armenia, NT (these nations include: Armenia, Australia, Hungary, Italy, Romania, the (these nations include: Armenia, Australia, I This may actions be because “civil rights” create “legal while seven nations (21%) discuss “civil liberties” Emanuel Gross, 67 66 Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age This is seen in the national cybersecurity strategies in the national cybersecurity This is seen See infra See id. See infra 62 General Assembly Backs Right to Privacy in Digital Age See id. See generally See See Declaration of Human Rights, at art. 12 (Dec. 10, G.A. Res. 217 (III) A, Universal ORNELL 65 66 67 60 61 62 63 64 M K percentage mayfact that many owe to the nations agree in to privacy is a human right right individual’s principle that the recognized in international treaties, Declaration of Human International Covenant Rights, the 1966 on Civil and Political Rights, strategies include seventeen countries (47%)strategies include seventeen referencing “civil rights,” surveyed. For example,surveyed. twenty-two nations (65%) discussed national cybersecurity strategies. “privacy” in their Resolution that unanimously backed a “right to privacy in the digital age” in the aftermath of former NSA contractor Edward revelations. Snowden’s PYjBkU [http://perma.cc/P3CU-JFBH]. 2013), http://www.un.org/apps/news/story.asp? United Kingdom, and the United States). Republic, Germany, Italy, Macedonia, Netherlands, Poland, Russia, Spain, Sweden, Republic, Germany, Italy, Macedonia, Netherlands, Poland, Russia, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States). Czech Republic, Estonia, Finland, Italy, Japan, Lithuania, Macedonia, Netherlands, Czech Republic, Estonia, Finland, Italy, Spain, Switzerland, Turkey, the United Nigeria, Norway, Qatar, Russia, Slovakia, Kingdom, and the United States). broadly. 2200 (XXI) A, International Covenant on Civil and Political Rights, U.N. GAOR, 21st and Political Rights, U.N. GAOR, 21st Civil 2200 (XXI) A, International Covenant on Sess., U.N. Doc. A/6456, at art. 17 (Dec. 16, 1966) (reiterating text from Universal Declaration of Human Rights). 1948) (“No one shall be subjected to arbitrary interference with his privacy, family, home 1948) (“No one shall be subjected to arbitrary honour and reputation.”); or correspondence, nor to attacks upon his legal responses that limit privacy in extreme and irrational ways). legal responses that limit privacy in extreme such as withsuch Cyber In the (“CISPA”), which aimedto boost information better sharing to manage the arose regarding however, concerns cyberattacks; information quantity of personal type and shared. being 2016] Do Not Delete Not Delete Do Countries around the worldCountries around the balance between strike the in varied ways privacy and security protection of individual that national emergenciesflex as perceived and social trends ebb and flow. such a multi-facetedsuch a meaning concept, things to different It encompasses stakeholders. different (among much else) freedom integrity, solitude, information of thought, of bodily and personality. the protection of reputation integrity, and the difficulty arising in the U. arising in the difficulty (2002) (advocating a pragmatic approach to conceptualizing privacy). (2002) (advocating a pragmatic approach to Human Rights: The Right to Privacy Versus the National Interest—The Proper Balance Proper the National Interest—The Human Rights: The Right to Privacy Versus 37 C C Y 37838-chp_19-2 Sheet No. 59 Side A 05/09/2016 12:16:02 A 05/09/2016 59 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 59 Side B 05/09/2016 12:16:02 M K C Y 4/23/16 9:50 AM AM 9:50 4/23/16 (Oct. 18, 2013), IBERTIES .L 70 IV .&C [Vol. 19:2 [Vol. TS is vital to focus not only on .R IV .J.C TAN , S Relatedly, 56% Relatedly, G34 of the discuss 68 note 48, at 913. Chapman Law Review Law Chapman supra Dimension Summary Chart Dimension Figure 2: Civil Rights and Civil Liberties Figure 2: Civil Rights 69 Appendix B. See infra Rights vs. Civil Liberties Civil For more information on how information sharing is treated across these strategies, There is a growing consensus that nations bear increasing 68 69 70 https://journals.law.stanford.edu/stanford-journal-civil-rights-and-civil-liberties-sjcrcl/online/ civil-rights-vs-civil-liberties [http://perma.cc/UU7H-W79G]. responsibility for enhancing cybersecurity. Although a growingresponsibility for enhancing cybersecurity. number seem of countries to be recognizing this fact by enacting manynational cybersecurity strategies, are written as broad vision statements rather than comprehensive and concrete cybersecurity. Moreframeworks for enhancing national nations such as Saudi Arabia, which should emulate norm entrepreneurs has a detailed report of more than 100 pages in length, laying out great detail. Still, broad vision its cybersecurity posture in statements,while important, should be considered as merely one aspect of a global campaign to correct market failures surrounding cybersecurity. Hence, it including the private nations but also on other stakeholders, strategy to managesector, as part of a polycentric cyberattacks. play a vital role in promotingIn that perspective, businesses cyber peace, such as by identifying and spreading cybersecurity best practices. C. Summary Summary C. information for managing integral strategy as an sharing within though not necessarily generally, cyberattacks context the of civil rights. see Shackelford & Kastelic, 458 Do Not Delete Not Delete Do that the governmentthat for all conditions equal to create takes whereaspeople,” protections against refer “to “civil liberties” government more a perhaps actions,” that more thorny topic seemnations unwilling in their national to tackle or unable strategies. cybersecurity 37838-chp_19-2 Sheet No. 59 Side B 05/09/2016 12:16:02 B 05/09/2016 59 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 60 Side A 05/09/2016 12:16:02 74 cds- / 459 459 NVESTMENT 4/23/16 9:50 AM AM 9:50 4/23/16 I . (Jan. 18, 2013, K .W ECURITY S ch runs afoul of a ch runs afoul of NFO ARTNERSHIPS IN ARTNERSHIPS Likewise, many of Likewise, , I P 75 www.tuck.dartmouth.edu // note 9, 3. at Instead, the proactive Instead, the NFORMATION ECTOR 72 , I YBERSECURITY supra -S Proactive Cybersecurity: A Comparative Proactive Cybersecurity – Taking Control , overnment/cybersecurity/4-steps-for-pro C . L.J. 721 (2015). YNES (Apr. 2, 2014), http://www.symantec.com/ (Apr. 2, 2014), http://www.symantec.com/ However, two are briefly areas (2006), http: ccess of those partnerships and ccess of those partnerships and D US and may to be a be considered 71 73 .B RIVATE M LOBAL Orla Cox, ECTOR P COTT ONNECT S G C HACKELFORD , 52 A see also InfoSecManufacturing.pdf [http://perma.cc/9QG5-SZ24]. / rmationweek.com/g 4 Steps for Proactive Cybersecurity pdf YMANTEC / , S NHANCING ANUFACTURING E . (Feb. 27, 2014), http://www.rsaconference.com/events/us14/agenda/ . (Feb. 27, 2014), http://www.rsaconference.com/events/us14/agenda/ M Hackback? Claptrap!—An Active Defense Continuum for the Private Hackback? Claptrap!—An Active Defense MPORTANCE OF MPORTANCE , I HE ONF :T 18 U.S.C. § 1030 (2012). HE Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age research-projects / TUDY For more on this topic, see S For more background on the proactive cybersecurity movement, see Amanda N. For more on this topic, see S See See, e.g. , RSA C S Proactive does not mean “hack back,” whi Proactive does Space constraints prohibit a thorough rendering of the of the rendering a thorough prohibit Space constraints 74 75 71 72 73 III. T M K ASE Away from Attackers uploads response to the more reactive stance of an array of companies. considered to help enrich the discussion. First is the necessity of First is the the discussion. to help enrich considered rather than cybersecurity best practices investing in proactive NIST stance. Second is the relying on a reactive Framework, which is examined mechanism as an arguably successful for enhance national cooperation to fostering public-private cybersecurity. A. Best Practices Proactive Cybersecurity Sector Craig, Scott J. Shackelford & Janine S. Hiller, Industry and Regulatory Analysis widecybercrime array of national laws including the U.S. Computer Abuse Act. Fraud and active-cyber security/d/d-id/1108270 [http://perma.cc/G4L7-BLTF]. importance engagement private-sector of active a to help create of cybersecurity. global culture connect/blogs/proactive-cybersecurity-taking-control-away-attackers [http://perma.cc/35TW- R37E]; Michael A. Davis, C 2016] Do Not Delete Not Delete Do 12:25 PM), http://www.info PM), 12:25 sessions/1146/hackback-claptrap-an-active-defense-continuum-for [http://perma.cc/PM3S- sessions/1146/hackback-claptrap-an-active-defense-continuum-for as a diverse set of techniques along a spectrum EF2Z] (“[A]ctive defense should be viewed of varying risk and legality.”); Market leaders such as Microsoft and Google have helped to sharing, threat intelligence popularize such tactics as advanced enabling security companies to reasonably predict access attempts by maliciousguard against already actors rather than known malicious represents an traffic. Such an approach opportunity for firms to create broad, collective defense partnerships; however, with whom and how intelligence is shared will impact the su both how polycentric private-sector security actors shape evolving in Part IV. governance structures discussed cybersecurity movement best practices includes technological ranging from real-timeto cybersecurity audits analytics promoting built-in resilience, C Y 37838-chp_19-2 Sheet No. 60 Side A 05/09/2016 12:16:02 A 05/09/2016 60 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 60 Side B 05/09/2016 12:16:02 M K , 77 C Y 4/23/16 9:50 AM AM 9:50 4/23/16 (Feb. 9, 2014, One of the 81 (Feb. 13, 2013), OLITICO , P Edward Snowden Urges (July 17, 2014, 12:14 PM), ONITOR bama-s-executive-order-on-cyber [Vol. 19:2 [Vol. .M CI The NIST Framework UARDIAN S 79 note 29, at 1. if things go wrong. Hence, in , G supra , 78 Why Obama’s Executive Order on Cybersecurity HRISTIAN stry collaboration is impactingstry collaboration the This is pitting Silicon Valley pitting Silicon This is against 76 , C FBI Director Brings Silicon Valley Encryption Fight to FBI Director Brings Silicon Valley Encryption RAMEWORK Cybersecurity Still in Slow Lane F Chapman Law Review Law Chapman Mark Clayton, Section I.B.1. , Rusbridger & Ewen MacAskill, Alan Yet the Framework also has its detractors. Some, for , Tony Romm, YBERSECURITY see also 80 , NPR (July 8, 2015, 6:34 PM), http://www.npr.org/2015/07/08/421225069/fbi- Dina Temple-Raston, Improving Critical Infrastructure Cybersecurity, 78 Fed. Reg. 11,739, 11,741 Improving Critical Infrastructure Cybersecurity, NIST C NIST e.g. See, See, e.g. See supra See The difficulty of formingThe difficulty of cybersecurity regulatory effective 79 80 81 76 77 78 Doesn’t Satisfy Most Experts Professionals to Encrypt Client Communications (Feb. 12, 2013). interventions is high, as is the cost interventions is regulatory confusion, morepart to avoid the are jurisdictions moving toward bottom-up to mitigate approaches cyber risk. One is the NISTsuch approach Framework; as an first announced the Frameworkexecutive order in February 2013, version 1.0, Framework for Improving Critical Infrastructure Cybersecurity 2014. was released in February B. B. NIST Framework Case Study: harmonizes and industry best practices to consensus standards a flexible and cost-effective provide, its proponents argue, that assists owners and approach to enhancing cybersecurity in assessing and managingoperators of critical infrastructure cyber risk. 10:40 PM), http://www.politico.com/story/2014/02/cybersecurity-in-slow-lane-one-year- after after-obama-order-103307.html?hp=f1 [http://perma.cc/8ZT4-K572] (“Nearly a year President Barack Obama issued an executive order to improve of the the cybersecurity is nation’s vital assets, the administration doesn’t have much to show: The government to about to produce only some basic standards, with little incentive for the private sector participate.”); 460 Do Not Delete Not Delete Do http://www.theguardian.com/world/2014/jul/17/edward-snowden-professionals-encrypt- client-communications-nsa-spy [http://perma.cc/5HUZ-F6CS]. main questions surrounding the NIST Framework is how “voluntary” it will to be—as actually turn out well as how At level, indu the national ways in whichand is being conceptualized cybersecurity wasregulated, as with seen the development of the NIST Framework above. introduced these samethese companies better for the race in involved are customers’safeguard their to help encryption from data contractor former NSA in the wake of intrusions unwanted leaks. Snowden’s Edward http://www.csmonitor.com/USA/Politics/2013/0213/Why-O security-doesn-t-satisfy-most-experts [http://perma.cc/5TET-5DK6]. the law enforcement community, name that in the fearing of maynational security civil rights, protecting be compromised. example, the Framework have cautioned that does not go far enough in terms of its scope, influence, or impact. Capitol Hill [http://perma.cc/WH9Y-AW58].director-brings-silicon-valley-encryption-fight-to-capitol-hill 37838-chp_19-2 Sheet No. 60 Side B 05/09/2016 12:16:02 B 05/09/2016 60 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 61 Side A 05/09/2016 12:16:02 , , , 461 461 4/23/16 9:50 AM AM 9:50 4/23/16 OURNALISTS J YBERSECURITY C ROTECT NSIDE P I ’ , This could arguably This could arguably 84 SSESSING THE EACE P Indeed, already some Indeed, ?A 83 OMMITTEE TO YBER AME , C C G tandard’ for ‘due diligence’ wastandard’ for ‘due ND ramework helping to identify best E An Introduction to IAD and the Language of the Ostrom . J. 163, 171–72 (2011), http://php.indiana.edu/~mcginnis/ ROSPECTS FOR note 8 (stating that experts have warned that many of the note 8 (stating that experts have warned P TUD S (Feb. 25, 2014), http://www.pivotpointsecurity.com/risky-business/ OLYCENTRIC Why the NIST Cybersecurity Framework Isn’t Really Voluntary Y ’ supra 10 Most Censored Countries NIST’s Voluntary Cybersecurity Framework May Be Regarded as de NIST’s Voluntary Cybersecurity Framework , AP OL Thus, a multifaceted,multi-stakeholder approach to , , 85 ECURITY S IV. Yet, the NIST Yet, the Framework an impact, is already having that challenges orthodoxy by demonstrating that challenges orthodoxy by the benefits , 39 P Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age 82 86 John Verry, OINT See EU Eying NIST Framework with ‘Great Interest See EU Eying NIST Framework See, e.g. Michael D. McGinnis, See, e.g. P No even if some nation is an island in cyberspace, may wish The field of polycentric governance has been built up over The field of polycentric governance 83 84 85 86 82 M K IVOT they were. both in the U.S.both in in terms context, and reinforcing of identifying and beyond. best practices, industry P Workshop global cybersecurity policymaking is required, which may be This final part discusses considered a polycentric undertaking. as a vehicle to promotingthe literature on polycentric governance safeguard both privacy and cyber peace and, in so doing, helping intellectual property. A. Introducing Polycentric Governance eminentsome scholars led by of an array of decades by the work Nobel Laureate Elinor OstromVincent Ostrom. and Professor This multi-level, multi-purpose, multi-functional, and multi-sectoral model iad_guide.pdf [http://perma.cc/769K-K32S] (defining polycentricity as “a system of iad_guide.pdf [http://perma.cc/769K-K32S] (defining polycentricity as “a system http://insidecybersecurity.com/daily-news/official-eu-eying-nist-framework-great-interest (last visited Mar. 26, 2016). https://cpj.org/2015/04/10-most-censored-countries.php [http://perma.cc/L6YN-D2LL]. now the NIST Cybersecurity Framework.” private-sector clients are receiving the advice that if their the advice that are receiving clients private-sector were practices “cybersecurity litigation or during ever questioned the ‘s a regulatory investigation, voluntary it should be—questions should it voluntary the extent part on turn in that to which a market the global cybersecurity is occurring in failure arena. 2016] Do Not Delete Not Delete Do nist-cybersecurity-framework [http://perma.cc/48UL-8CHB]. be an instance, then, of cybersecurity regulation occurring from then, of cybersecurity regulation be an instance, the bottom-up, with this F punish marketpractices and fail to follow participants that them—which mayintellectual to better safeguard both help and beyond as rights both in the United States property and civil peace. approach to fostering cyber part of a polycentric recommendations in the framework “may be used by courts, regulators, and even be used by courts, recommendations in the framework “may for failures that could have been prevented if consumers to hold institutions accountable implementedthe cybersecurity framework had been fully by the respective institution”). Facto Mandatory C Y 37838-chp_19-2 Sheet No. 61 Side A 05/09/2016 12:16:02 A 05/09/2016 61 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 61 Side B 05/09/2016 12:16:02 M K 92 , 9 C Y such 89 35 (World 4/23/16 9:50 AM AM 9:50 4/23/16 137, 157 (2008) note 9. Beyond the New “Digital OVERNANCE supra , .&G [Vol. 19:2 [Vol. EG , 2 R g regulations “at multiple “at g regulations The Regime Complex for Climate Change HACKELFORD Constructing and Contesting Legitimacy and L. 119 (2014). S L ’ enhancing “flexibility across issues enhancing “flexibility NT 90 see also .J.I (Oct. 7, 2014), http://www.washingtonpost.com/blogs/the- TAN Chapman Law Review Law Chapman Julia Black, OST cf. note 89; ICANN Chief: “The Whole World is Watching” the U.S.’s Net .P , 50 S Polycentric Systems as One Approach for Solving Collective-Action Polycentric Systems as One Approach for It also posits that, due to the existence of free to the existence posits that, due It also A Polycentric Approach for Coping with Climate Change A Polycentric Approach for Coping with Climate ASH 88 The notion even seems to be diffusing beyond supra 91 , W and examining national and private extent to which the Nancy Scola, . 7, 9 (2011); Ostrom, 87 OL 1 (Ind. Univ. Workshop in Political Theory and Policy Analysis, Working Paper 1 (Ind. Univ. Workshop in Political Theory Elinor Ostrom, Elinor Robert O. Keohane & David G. Victor, See See Elinor Ostrom, Elinor managing the communications side of the Internet The IETF is responsible for .P Although much of the fieldwork comprising polycentric 89 90 91 92 87 88 ERSP Neutrality Debate P Problems Series No. 08–6, 2008), http://dlc.dlib.indiana.edu/dlc/bitstream/handle/10535/4417/W08- 6_Ostrom_DLC.pdf?sequence=1 [http://perma.cc/BF4K-B534]. multi-stakeholder collaboration. For more through voluntary mechanisms for fostering considered a successful polycentric may be it background on IETF and the extent to which Amanda N. Craig, undertaking, see Scott J. Shackelford & Divide”: Analyzing the Evolving Role of Governments in Internet Governance and Divide”: Analyzing the Evolving Role Enhancing Cybersecurity governance wasin the domestic conducted context, such as of marineinvolving the governance fisheries or commonly held has morepastures, the notion been applied to a range of recently global collective action problems, including climate change and cyberattacks. governance in which authorities from overlapping jurisdictions (or centers of authority) governance in which authorities from overlapping which these authorities, as well as the citizens interact to determine the conditions under to act as well as the constraintssubject to these jurisdictional units, are authorized put upon their activities for public purposes”). 462 Do Not Delete Not Delete Do Accountability in Polycentric Regulatory Regimes Such a model feeds off both public- and private-sector of self-organization, networkinself-organization, of scales,” switch/wp/2014/10/07/internet-operations-chief-snowden-disclosures-make-my-job-easier/ [http://perma.cc/2BQB-H479]. riders in a multipolarriders in world,“a single governmental is often unit” of managingincapable action problems,” collective “global control can in somecontrol coexist with cases communal management, as may Task Engineering the Internet of in the success be seen Force (“IETF”). academia. likes of the President of Estonia, Toomas The Ilves, Corporation for Assigned Namesand the head of the Internet and Numbers Fadi Chehadé, have used the term (“ICANN”), game“polycentric” to describe an end for Internet governance. as cyberattacks. Instead, a polycentric approach recognizes that Instead, a polycentric approach as cyberattacks. workingdiverse organizations at multiple governance scales from companies governments to national and regional to bilateral increase levels of create policies that can alliances can compliance,cooperation and and adaptability over time.”and adaptability (discussing the legitimacy of polycentric regimes, and arguing that “[a]ll regulatory (discussing the legitimacy of polycentric regimes, and arguing that “[a]ll regulatory regimes are polycentric to varying degrees”). Bank, Policy Research Working Paper No. 5095, 2009), http://www.iadb.org/intal/intalcdi/ Bank, Policy Research Working Paper No. pe/2009/04268.pdf [http://perma.cc/N2BF-VSUE]. 37838-chp_19-2 Sheet No. 61 Side B 05/09/2016 12:16:02 B 05/09/2016 61 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 62 Side A 05/09/2016 12:16:02 5 An 463 463 HRISTIAN at 53. This 4/23/16 9:50 AM AM 9:50 4/23/16 51, 51–53 , C 77, 82 (Int’l Id. EACE P note 9. , Roger Hurwitz, YBER YBERCONFLICT C supra ://perma.cc/Y2PC-FPGQ]. For C , See, e.g. Due to the common Global Governance and the Spread 93 UEST FOR note 95, at 78 (“The definition [of cyber on Info. Sec., 2011), http://www.itu.int/ on Info. Sec., 2011), http://www.itu.int/ Q 339, 350 (2012). Although certainly desirable, Although certainly HACKELFORD ONFRONTING HE 95 T d technically unlikely, at least in d technically unlikely, at least supra :C Non-violence and Racial Justice in , ORUM OVERNANCE F G Confidence-Building and International Agreement in Confidence-Building and International Rather, it is the construction of a network Rather, it is the construction of 97 LOBAL Cyber Peace That is why cyber peace is defined here not as That is why cyber peace is defined , 18 G ISARMAMENT 96 D , Martin Luther King, 94 in , ://citizenlab.org/cybernorms/augmented-summary.pdf (“At the very least, acceptance the very (“At ://citizenlab.org/cybernorms/augmented-summary.pdf , Feb. 6, 1957, at 118, 119 (“True peace is not merely the absence of some negative Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age See, e.g. recognizes this fact, and that the concept of To its credit, though, the ITU report The notion of negative peace has been applied in diverse contexts, including civil & Masashi Crete-Nishihata, Ronald J. Deibert James Andrew Lewis, Henning Wegener, The International TelecommunicationThe International Union (“ITU”), a U.N. 96 97 93 94 95 M K ENTURY perception on the part of manyperception on the policymakers risk is that cyber to engage in a of control,” an opportunity exists “escalating out dialogue on normconstructive, polycentric to promote building cyber peace. of Cyberspace Controls Cybersecurity cyber peace should be broad and malleable given an ever-changing political climate and cyber peace should be broad and malleable given an ever-changing cyber threat landscape. Henning Wegener, rights. peace] cannot be watertight, but must be rather intuitive, and incremental in its list of peace] cannot be watertight, but must be rather intuitive, and incremental in its ingredients.”). force—tension, confusion or war; it is the presence of some positive force—justice, good will and brotherhood.”). C experimentation in which works, what about can learn actors not work,and does managementthe field of cybersecurity in without risking top-down crowding structures governance out such bottom-up Ron to Professor efforts. According innovative Diebert Masashi and Crete-Nishihata, learn “states fromand imitate” “[t]he most another, and one intense forms imitation of because of the security issues national occur around and learning urgency involved.” high stakes and 2016] Do Not Delete Not Delete Do the near term. such an outcome is politically an more on the topic of cyber peace generally, see more on the topic of cyber peace generally, S dms_pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf [http dms_pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf Telecomm. Union & Permanent Monitoring Panel Telecomm. Union & Permanent Monitoring (Kerstin Vignard, Ross McRae & Jason Powers eds., 2011). Though norms do not bind (Kerstin Vignard, Ross McRae & Jason Powers states like a treaty, Lewis notes that “[n]on-proliferation provides many examples of influence on state behavior.” non-binding norms that exercise a powerful scholars. position has also been supported by other and U. of Toronto Cyber Norms Workshop Augmented Summary of the Harvard, MIT (2012), http at risk. If it fails to follow the norm, other of a norm by a state puts the state’s reputation demand an explanation or account, rather states which accept that norm, will typically as self-interested behavior.”). than ignoring the violation or dismissing it B. Toward Cyber Peace in informationagency specializing and communication sometechnologies, pioneered of the early work by in the field “a universal order of cyberspace” defining “cyber peace” in part as built on a “wholesome of tranquility, the absence of disorder state .” . . . or disturbance and violence the absence of conflict, a state of affairs that maythe absence of conflict, a state be called negative cyber peace. C Y 37838-chp_19-2 Sheet No. 62 Side A 05/09/2016 12:16:02 A 05/09/2016 62 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 62 Side B 05/09/2016 12:16:02 M K C Y EACE P , UNESCO, 4/23/16 9:50 AM AM 9:50 4/23/16 NCYCLOPEDIA OF E HE T in , [Vol. 19:2 [Vol. cybersecurity, particularly in the cybersecurity, particularly in ONCLUSION ONCLUSION C see also A Declaration on A Culture of Peace Chapman Law Review Law Chapman Peace, Positive and Negative at 761; 98 Id. 760, 760–62 (Daniel J. Christie ed., 2011) (comparing the concepts of 760, 760–62 (Daniel J. Christie ed., 2011) Johan Galtung, See This Article has assessed the extent to whichThis Article has national 98 “The goal is to build a structure based on reciprocity, equal rights, benefits, and “The goal is to build a structure based on reciprocity, equal rights, benefits, and SYCHOLOGY A/Res/53/243, www.unesco.org/cpp/uk/declarations/2000.htm [http://perma.cc/22DW-GBQX] A/Res/53/243, www.unesco.org/cpp/uk/declarations/2000.htm [http://perma.cc/22DW-GBQX] (offering a discussion of the prerequisites for creating a culture of peace including “promotion of the rights of everyone to education, multi-stakeholder collaboration, and the freedom of expression, opinion and information”). negative and positive peace). Definitions of positive peace vary depending on context, but negative and positive peace). Definitions of the overarching issue in the cybersecurity space is the need to address structural and problems in all forms, including the root causes of cyber insecurity, such as economic peace. political inequities and legal ambiguities, as well as working to build a culture of Id. economy and . and a culture of peace, confirming and stimulating an equitable . . dignity an equal polity.” cybersecurity strategies are addressing the economiccybersecurity strategies are addressing impact of discussion on the appropriate role cyberthreats as part of a larger for the State in regulating property and civil rights and fields of protecting intellectual liberties. Overall, we have found that, although more nations are strategies that discuss commonpublishing national cybersecurity concerns such as cybercrime, only a minority discuss the importance of protecting intellectual property generally, and far fewer trade secrets in particular. Likewise, though privacy is discussed by a supermajority of nations in their cybersecurity strategies, fewer even less engage with discuss civil rights, and it maycivil liberties protections. Consequently, fruitful to prove policymakinglook beyond national cybersecurity if progress is to be made global cybersecurity such as by toward enhancing engaging with an array of the private-sector to help instill as that which mayproactive best practices, such now be the NISToccurring under the guise of Framework, which P 464 Do Not Delete Not Delete Do of multi-level regimes promote that and sustainable just, global, companiesof the road for the rules by clarifying cybersecurity conflict, threats of cyber help reduce the alike to and countries crime, comparable espionage to levels and and to other business goal, a new To achieve this security risks. national to approach from best practices that seeks out is needed cybersecurity the diligence. due to enhance cybersecurity private sectors public and Workingpolycentric partnerships, we together through can mitigate the risk of cyberwar by laying the groundwork for a peace that respects humanpositive cyber including rights practices to help Internet access along with best privacy, spreads and strengthens intellectual property, safeguard valuable governance mechanismsby fostering multi-stakeholder collaboration. 37838-chp_19-2 Sheet No. 62 Side B 05/09/2016 12:16:02 B 05/09/2016 62 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 63 Side A 05/09/2016 12:16:02 465 465 4/23/16 9:50 AM AM 9:50 4/23/16 Over time,success the 99 International Norm Dynamics and note 29, at 15–16. supra , RAMEWORK F . 887, 895–98 (1998). RG O L ’ NT YBERSECURITY , 52 I But the road will But the may even as the destination be long, Martha Finnemore & Kathryn Sikkink, NIST C 100 Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age See See 99 100 M K Political Change of this Frameworkof this help promoteand others could legal harmonization the way for norm and pave or even a convergence, norm and secrets theft the fields of trade including in cascade, privacy. includes a set of privacy best practices. best of privacy a set includes 2016] Do Not Delete Not Delete Do now be coming Ultimately, sharper relief. into we all have a role in the property privacy and intellectual both in safeguarding approach to of a polycentric, all-of-the-above digital age as part peace in an age of seeminglyfostering cyber endless cyber insecurity. C Y 37838-chp_19-2 Sheet No. 63 Side A 05/09/2016 12:16:02 A 05/09/2016 63 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 63 Side B 05/09/2016 12:16:02 M K C Y 4/23/16 9:50 AM AM 9:50 4/23/16 101 Provisions Quoted Language & Quoted Language [Vol. 19:2 [Vol. responsibilities are defined by the economic functions or eroding public confidence in information systems. (P.3) Cyber attacks on Armenia information networks can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property, or loss of life. Countering such attacks requires the development of robust capabilities where they do not exist today if we are to reduce vulnerabilities and deter those with the capabilities and intent to harm our critical infrastructures. (P.3) The Statement indicates electronic espionage, both commercial and state-based, will be a growing vulnerability as the Australian Government and society become more dependent on integrated information technologies. It states that this challenge must and will be met with full vigour and identifies cyber security as amongst the Australian Government’s top tier national security priorities. (P.4) The Australian Security Intelligence Organisation’s (ASIO) Armenia’s enemies may conduct enemies may conduct Armenia’s espionage on our Government, and university research centers, may also private companies. They strikes seek to prepare for cyber by mapping during a confrontation systems, Armenia information and lacing identifying key targets, back doors our infrastructure with In and other means of access. may wartime or crisis, adversaries country’s seek to intimidate the political leaders by attacking and key critical infrastructures Title of Strategy Cybersecurity Australian Government Cyber Security Strategy Armenia National Armenia National Strategy to Secure Cyberspace Chapman Law Review Law Chapman Protection fromProtection G34 Nations 2009 2005 Year Appendix A: Non-comprehensive Review of of Review Non-comprehensive A: Appendix Economic Property and Intellectual Espionage All material is quoted directly from the listed cybersecurity strategy. Name Armenia Country Australia 101 466 Do Not Delete Not Delete Do 37838-chp_19-2 Sheet No. 63 Side B 05/09/2016 12:16:02 B 05/09/2016 63 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 64 Side A 05/09/2016 12:16:02 467 467 4/23/16 9:50 AM AM 9:50 4/23/16 ASIO Act and, in and, in N/A N/A The term “cyber attack” refers to an attack through IT in cyber space, which is directed against one or several IT system(s). Its aim is to undermine the objectives of ICT security protection (confidentiality, integrity and availability) partly or totally. Cyber attacks directed against the confidentiality of an IT system are referred to as “cyber espionage,” i.e. digital spying. Cyber attacks directed against the integrity and availability of an IT system are referred to as cyber sabotage. (P.20) The text is only available in French and Dutch. Canadian organizations had suffered a cyber attack. The loss of intellectual property as a result of these attacks doubled between 2006 and 2008. (P.4) The most sophisticated cyber threats come from the intelligence and military services of foreign states. In most cases, these attackers are well resourced, patient and persistent. Their purpose is to gain political, economic, commercial or military advantage. (P.5) Australian Security Intelligence Intelligence Security Australian 1979 Act Organisation cyber security, include: relation to electronic attacks • Investigating for purpose of espionage, conducted or other forms sabotage, terrorism motivated violence, of politically the defence system and attacks on under the other matters that fall heads of security in the (P.29) to the loss Australia is vulnerable of economic competitiveness exploitation through the continued the of ICT networks and property compromise of intellectual and other sensitive commercial to data. This has the potential confidence undermine Australians’ (P.4) in the digital economy. Cybersecurity Strategy of the Czech Republic Cyber Security Strategy Cyber Security Strategy Austrian Cyber Security Strategy 2011 2014 2010 2013 Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age Czech Austria Canada Belgium Republic M K 2016] Do Not Delete Not Delete Do C Y 37838-chp_19-2 Sheet No. 64 Side A 05/09/2016 12:16:02 A 05/09/2016 64 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 64 Side B 05/09/2016 12:16:02 M K C Y 4/23/16 9:50 AM AM 9:50 4/23/16 [Vol. 19:2 [Vol. attacks against the integrity and availability of IT systems are termed cyber sabotage. (P.9) sovereignty and even, in certain circumstances, loss of human lives are nowadays the potential or actual consequences of the overlap between the digital world and human activity. (P.3) The interests of the private sector to protect itself against crime and espionage in cyberspace should also be adequately taken into account. (P.5) The capabilities of law enforcement agencies, the Federal Office for Information Security and the private sector in combating cyber crime, also with regard to protection against espionage and sabotage, must be strengthened. (P.6) A cyber attack is an IT attack in cyberspace directed against one or several other IT systems and aimed at damaging IT security. The aims of IT security, confidentiality, integrity and availability may all or individually be compromised. Cyber attacks directed against the confidentiality of an IT system, which are launched or managed by foreign intelligence services, are called cyber espionage. Cyber N/A N/A of cyber crime include Other forms fraud, the distribution harassment, or the violation of illegal materials property rights. of intellectual (P.11) N/A Cyberspace, like a virtual a place battleground, has become of for confrontation: appropriation of the personal data, espionage commercial scientific, economic and fall assets of companies which or foreign victim to competitors services powers, disruption of necessary for the proper and functioning of the economy of daily life, compromise our information related to Cybersecurity Strategy Danish Defense Defense Danish 2013–17 Agreement Cyber Security Strategy Cyber Security Strategy Information Systems Defense and Security Chapman Law Review Law Chapman 2011 2012 2008 2013 2011 France Estonia Finland Germany Denmark 468 Do Not Delete Not Delete Do 37838-chp_19-2 Sheet No. 64 Side B 05/09/2016 12:16:02 B 05/09/2016 64 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 65 Side A 05/09/2016 12:16:02 469 469 4/23/16 9:50 AM AM 9:50 4/23/16 Formalise the coordination and prioritization of cyber security frequency and scale of cybersecurity incidents . . . (P.16–17) Private companies, educational institutions and research institutions possess intellectual property related information such as technological information, financial information, manufacturing technology information and drawings, as well as personal information such as client lists, personnel information and educational information, and other critical information. (P.25) N/A N/A N/A Extensive coverage from pages 4–10. THRUST 5: Research & Development Towards Self- Reliance N/A N/A N/A is a plague that can Cybercrime of firms and cause the bankruptcy their intellectual the theft of an the wealth of property, crippling entire nation. (P.5) activities Cybercrime: all malicious carried out with a criminal intent swindles or in cyberspace, such as theft, internet fraud, identify intellectual stealing of data or of property. (P.13) to natural In the EU, in addition other disasters, terrorism and situations, new transnational or threats of economic espionage attacks have state-sponsored cyber the growing led to an awareness of Security (Cyber Security) for 2011– 2019 National Strategy on Cyber Security National Cyber Security Policy Law on the Security of Information Technologies Cyber Security Strategy of Latvia Programme for the Development of Electronic Information Cybersecurity Strategy: Toward a World-Leading, Resilient and Vigorous Cyberspace National Cyber National Strategy Security National Cyber Security Strategy National Strategic for Framework Cyberspace Security 2011 2006 2010 2014 2011 2013 2013 2013 2013 Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age Italy India Japan Latvia Hungary Malaysia Lithuania Luxembourg M K 2016] Do Not Delete Not Delete Do C Y 37838-chp_19-2 Sheet No. 65 Side A 05/09/2016 12:16:02 A 05/09/2016 65 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 65 Side B 05/09/2016 12:16:02 M K C Y f data f data 5/3/2016 3:555/3/2016 PM information. (P.7) (P.7) information. [Vol. 19:2 [Vol. government-held information for for information government-held other or gain political or financial (P.1) purposes. malicious The Dutch government is is government Dutch The awareness raising to committed amongbusinesses, citizens, organization and government security information bodies about that means This and privacy. partly will campaigns awareness and knowledge increasing on focus cyber of risks the insight into the hand, other the On espionage. the that ensures also government the within is prioritized issue services, security and intelligence better to tools the given are which and threats cyber document advanced and combat investigate the end, this To attacks. services security and intelligence cyber their combined have Sigint Joint the capabilities in (JSCU). Unit Cyber will government the Furthermore, o protection better a prioritize government the with share citizens about more transparent and being (P.24) management. data using increasingly are Criminals to gain access to space cyber steal information, personal property, intellectual businesses’ sensitive of knowledge gain and research developmentand activities cyber the strengthen and Enlarge community research security and development the Promote of intellectual commercialization and technologies properties, focused through innovations research development and cyber of growth the Nurture (P.5) industry security The threatsother from states of theft the concern mostly competition or confidential (cyber information sensitive professional while espionage), digital on focus mainly criminals offraud and theft cyber to approach More active espionage Cyber Security Strategy The National Cyber National Cyber The Strategy Security Chapman Law Review Law Chapman 2011 2011 Netherlands Netherlands New Zealand Zealand New 470 Do Not DeleteDo 37838-chp_19-2 Sheet No. 65 Side B 05/09/2016 12:16:02 B 05/09/2016 65 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 66 Side A 05/09/2016 12:16:02 471 471 4/23/16 9:50 AM AM 9:50 4/23/16 prescribed restrictions on access to confidential information. private companies are all vulnerable to espionage and sabotage. Many countries are developing capabilies for espionage and warfare against critical infrastructure. We must assume that sophisticated sabotage and attacks will be directed against critical information resources, including the computer systems that control industrial processes and critical infrastructure. (P.12) N/A Protecting the intellectual property rights of digital content creators. (P.19) N/A N/A [R]einforcing the mechanisms of legal governance of relations in the field of intellectual property protection, and creating conditions for observance of the federally Some of the most advanced and advanced of the most Some attacks on cyber persistent and critical governments worldwide are infrastructure originate from foreign thought to or intelligence services military and groups. Media organised criminal are around the world organisations reporting attacks on government systems, national infrastructure resulted and businesses that have sensitive in access to commercially property information, intellectual (P.5) and state or trade secrets. and The trend toward targeted of critical ICT professional hacking Targeted systems is increasing. vital espionage attacks against now national security interests challenge. constitute a significant units and Civil services, military Implementation of the National Cyber Security National Security Concept of the Russian Federation Cyberspace Protection Policy National ICT Plan 2015: Advancing the Digital Agenda 2010 Defense White Paper Cyber Security Strategy and the National Action Plan on National Strategy for Information Security 2000 2013 2011 2010 2013 2012 Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age Qatar Korea Russia Poland Norway Romania Republic of M K 2016] Do Not Delete Not Delete Do C Y 37838-chp_19-2 Sheet No. 66 Side A 05/09/2016 12:16:02 A 05/09/2016 66 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 66 Side B 05/09/2016 12:16:02 M K C Y 4/23/16 9:50 AM AM 9:50 4/23/16 [Vol. 19:2 [Vol. actions are always contrary to national interests – regardless of whether they originate from within or outside Spanish territory – and included, from state espionage to industrial espionage. (P.17) Espionage has adapted to the new landscape of the globalised world and currently makes use of the possibilities provided by information and communication technologies. Aggressions by States, groups or individuals for the purpose of gaining information that gives them strategic, political or economic advantages have been a constant feature in history and continue to pose a major threat to security. Economic espionage is of great importance in today’s competitive environment and consists of the illegal procurement of information, industrial property or critical technology, and even involves attempts to exert illegal influence on political decisions of an economic nature. Its potential impact is increasing on account of its ability to harm the economic system and affect citizens’ well-being. Spain, like the rest of the EU and NATO members, faces hostile actions from other States. These N/A N/A N/A N/A are The threats against information miss- those that cause the loss, misuse of handling, disclosure or information. are: Among these threats • Espionage. Within this category are all varieties of espionage Policy National Cyber Security: A Commitment for Everybody The National Security Strategy: Sharing a Common Project Developing Developing National Information Security Strategy of for the Kingdom Saudi Arabia National Cyber Security Masterplan 2018 National Strategy for Information Security Cyber Security Chapman Law Review Law Chapman 2013 2013 2013 2013 2008 2010 Spain Slovak Republic Singapore South Africa Saudi Arabia Saudi 472 Do Not Delete Not Delete Do 37838-chp_19-2 Sheet No. 66 Side B 05/09/2016 12:16:02 B 05/09/2016 66 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 67 Side A 05/09/2016 12:16:02 473 473 4/23/16 9:50 AM AM 9:50 4/23/16 cyberspace. (P.28) Business is the largest victim of crime and economic espionage ICT service or system providers) in the strategy is essential in order to protect against cyber risks. (P.6) N/A Some of the most sophisticated threats to the UK in cyberspace come from other states which seek to conduct espionage with the aim of spying on or compromising our government, military, industrial and economic assets, as well as monitoring opponents of their own regimes. (P.15) Organisations are not always aware of the new vulnerabilities that dependence on cyberspace can bring. Intellectual property and other commercially sensitive information (for example, business strategies) can be attractive targets. (P.16) The Centre for the Protection of National Infrastructure delivers advice that aims to reduce the vulnerability of organisations in the national infrastructure to terrorism and other threats such as espionage, including those from are particularly aggressive in aggressive are particularly or tension. of conflict situations traditional espionage Together with activities are methods, these based on sophisticated increasingly training programmes technological access to huge that can provide a information and, in amounts of sensitive worst-case scenario, to data. (P.33) N/A thus very The private sector is e.g. vulnerable to cyber risks, obtain unjust attacks to deceive, to financial gain or for economic the inclusion espionage. Therefore, private of all stakeholders (e.g. operators, sector, in particular CI Strategy 2010 – 2015 National Strategy for Switzerland’s Protection Against Cyber Risks National Cyber Security Strategy and 2013-2014 Action Plan Cyber Security Strategy for Information Security in Sweden 2012 2013 2011 2010 Protecting Intellectual Property & Property Intellectual Protecting Digital the in Privacy Age United Turkey Sweden Kingdom Switzerland M K 2016] Do Not Delete Not Delete Do C Y 37838-chp_19-2 Sheet No. 67 Side A 05/09/2016 12:16:02 A 05/09/2016 67 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 67 Side B 05/09/2016 12:16:02 M K C Y 4/23/16 9:50 AM AM 9:50 4/23/16 [Vol. 19:2 [Vol. networks maintained by U.S. networks maintained businesses, universities, and and government departments agencies. As military strength ultimately depends on economic vitality, sustained intellectual property losses erode both U.S. military effectiveness and national competitiveness in the global economy. (P.4) perpetrated through cyberspace. cyberspace. through perpetrated (P.32) N/A Whether insiders are malicious espionage, making a committing expressing political statement, or the personal disgruntlement, and national consequences for DoD, (P.3) security, can be devastating. While the threat to intellectual visible than property is often less the threat to critical infrastructure, cyber it may be the most pervasive an threat today. Every year, property amount of intellectual in the larger than that contained stolen from Library of Congress is Comprehensive National Cybersecurity Initiative of Department Defense Strategy for Operating in Cyberspace Chapman Law Review Law Chapman 2008 2011 United States United States 474 Do Not Delete Not Delete Do 37838-chp_19-2 Sheet No. 67 Side B 05/09/2016 12:16:02 B 05/09/2016 67 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 68 Side A 05/09/2016 12:16:02 475 475 5/3/2016 3:555/3/2016 PM compliance with human human with compliance Quoted Provisions Provisions Quoted (P.12) this balance is a continuing continuing is a this balance modern all for challenge the meet to seeking democracies challenges security cyber complex (P.vi) future. the of these managing and Confronting the against balanced be must risks of Australians, civil liberties and privacy, to right the including and efficiency promote to need the Australia that ensure to innovation the of potential full the realises (P.4) economy. digital cyber of area the in Governance high the meet has to security the of law of rule the of standards and administration Austrian guarantee and privacy particular in rights, the as well as protection data right the and expression of freedom (P.7) to information. Thetext is only available in French Dutch. and to steps is taking The Government a becoming from cyberspace protect cyber criminal will deny haven. We are they anonymity the criminals seeking while same time at the Canadians. of privacy the protecting Privacy and civil liberties must be be must liberties civil and Privacy Because process. the in protected be can plan cybersecurity no and sophisticated to unreceptive information attack, intelligent operate to able be must systems the have and attack under while operations full restore to resilience (P.4) quickly. cyber pursue must Australia enhance that policies security security collective and individual right Australians’ preserving while other fundamental and to privacy Maintaining freedoms. and values Title of Strategy Strategy Cybersecurity Cybersecurity Strategy Strategy Cyber Security Strategy Austrian Cyber Cyber Austrian Strategy Security Cyber Security Australian Australian Cyber Government Strategy Security Armenia National National Armenia Secure to Strategy Cyberspace 2010 2013 2014 2009 2005 Year Rights and Civil Liberties from G34 Nations G34 from Civil Liberties and Rights Protecting Intellectual Property & Privacy in the Digital Age Digital the in Privacy & Property Intellectual Protecting Appendix B: Non-comprehensive Review of Civil Civil of Review Non-comprehensive B: Appendix Name Name Austria Canada Belgium Belgium Armenia Country Country Australia Australia M K 2016] 2016] Do Not DeleteDo C Y 37838-chp_19-2 Sheet No. 68 Side A 05/09/2016 12:16:02 A 05/09/2016 68 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 68 Side B 05/09/2016 12:16:02 M K C Y 5/3/2016 3:555/3/2016 PM opted several several opted ordinated efforts of of efforts ordinated [Vol. 19:2 [Vol. data. Personal data means any informationon a private individual and any informationon his/her processes of national security security national of processes planning; pursued be should security • cyber co- the through of stakeholders, concerned all public and private sectors as well (P.7) society; civil as of Economic for Organisation the In Co-operation Development and security cyber of issue the (OECD), the of responsibility is the Committee for the Information, Computer and Communications groups, its working and Policy on Party Working the including Privacy. and Security Information The Committee has ad the including recommendations, Concerning Recommendation of Security the for Guidelines Networks and Systems Information (2002) and the Recommendationon the in Co-operation Cross-border Protecting Laws of Enforcement Privacy (2007). (P.25) the means privacy of Protection or unlawful the against protection privacy. personal of invasion hurtful the includes privacy of Protection right to privacy and other associated personal of processing the in rights There is no way how to achieve achieve to how way no is There The security. cybernetic absolute measures adopt will Republic Czech of evaluation realistic on based to appropriate be shall and risks respect will They risks. such basic and privacy of protection information, to as free access rights The others. and speech of freedom to appropriate be shall measures on security to ensure the necessity rights basic respect to and side one and freedoms on other the side. (P.5) N/A cyber national of procurement The the on based be should security guidelines: and principles following should plans action security • cyber routine the into be integrated Cyber Security Strategy Danish Defense Defense Danish Agreement 2013–17 Cyber Security Strategy Cybersecurity Cybersecurity of Strategy the CzechRepublic Chapman Law Review Law Chapman 2013 2012 2008 2011 Czech Estonia Finland Finland Republic Denmark Denmark 476 Do Not DeleteDo 37838-chp_19-2 Sheet No. 68 Side B 05/09/2016 12:16:02 B 05/09/2016 68 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 69 Side A 05/09/2016 12:16:02 477 477 5/3/2016 3:555/3/2016 PM in cyberspace, safeguarding of of safeguarding in cyberspace, networks, communication electronic critical and systems information against infrastructure information communication appliances, or also also or appliances, communication how difficult it can to be find the right balance between right the to privacy and the fight against criminal as child activities such pornography, drugs smuggling, hate - planning or terrorism incitement, individual only that notcrimes hurt and social liberties, but also an of existence very the undermine Internet. free and democratic open, (P.11–12). has As cyberspace a result, positive of variety a us provided innovation, including benefits for solutions and growth, economic ensuring still while issues social and expression of freedom (P.20) privacy. of protection N/A N/A to is Programme the of purpose The tasks and objectives the determine electronic of development the for the ensure to order in information and integrity confidentiality, of electronic accessibility provided services and information personal characteristics or personal are these where circumstances, or him/her concerning as identifiable or family his/her of members the (P.13) household. N/A N/A N/A N/A diverging often these Balancing if endeavor, complex a is objectives how instance for considers one technical the monitoring essentialfunctionality of networks is to allow fulfillment the of right the one’s theto of and integrity privacy Strategy of Latvia Strategy of Latvia the for Programme of Development Electronic Information (Cyber Security Security) 2011– for 2019 Cybersecurity Cybersecurity a Toward Strategy: World-Leading, and Resilient Vigorous Cyberspace Security on the Law of Information Technologies Security Cyber Security Strategy Strategy Security Strategic National the for Framework of Security Cyberspace Information Information Defense Systems and Security Cybersecurity Strategy Cyber National Strategy Security Cyber National 2011 2013 2010 2014 2013 2011 2011 2013 2013 Protecting Intellectual Property & Privacy in the Digital Age Digital the in Privacy & Property Intellectual Protecting Italy India Japan Latvia Latvia France France Hungary Hungary Germany Germany Lithuania Lithuania M K 2016] 2016] Do Not DeleteDo C Y 37838-chp_19-2 Sheet No. 69 Side A 05/09/2016 12:16:02 A 05/09/2016 69 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 69 Side B 05/09/2016 12:16:02 M K C Y works to works 5/3/2016 3:555/3/2016 PM promotes and improve the security security the improve and [Vol. 19:2 [Vol. privacyunder Constitution the of the Federal Republic of Nigeria, appropriate 1999 and shall take and organizational measures by the measures and by organizational of processors and controllers personalwell data, as as high a as society the in awareness public unavoidable condition for reaction of right the of breach of in case of the evaluation and privacy (P.4) results. achieved N/A sector private with Together partners, the government used be can that standards develop protect to of products services. and ICT (P.10) (everything Things of The Internet and internet) the to connected is hyperconnectivity (everything is other) to each connected usability. in results and innovation the raises it time, same the At digitally not or whether of question are services and products linked the what and actually safe privacy. for be may implications (P.15) N/A function any exercising Anyone due have shall section this under to right individual the to regard incidents and cyber attacks, attacks, cyber and incidents and data personal of protection tasks, the set as to as well privacy, would which of implementation of cyberspace security allow total this in operating entities and (P.1) medium. N/A I privacy. to right has Everyone the of motto the is privacy, my own Data Personal for Directorate data Personal Protection. everyday our of part is protection the of functioning for base and life modern and democratic society constitutional the on grounded the respecting for guarantees rights. human fundamental means privacy Guarantying technical for system establishing Cyber Security Strategy Bill, Cybersecurity 2011 National Cyber Cyber National Policy Security National Cyber The Strategy Security Macedonia 2012– 2016 National Strategy Strategy National Security on Cyber for Strategy Data Personal in Protection Republic of Chapman Law Review Law Chapman 2011 2011 2006 2011 2011 2012 Nigeria Nigeria Malaysia Macedonia Netherlands Netherlands Luxembourg Luxembourg New Zealand Zealand New 478 Do Not DeleteDo 37838-chp_19-2 Sheet No. 69 Side B 05/09/2016 12:16:02 B 05/09/2016 69 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 70 Side A 05/09/2016 12:16:02 479 479 5/3/2016 3:555/3/2016 PM N/A N/A minimum level of privacy privacy of level minimum sectors, all for required protection education, finance, including enforcement. law The health, and framework upon will draw while practices, best international looking, forward innovative, being its in neutral technology and approach. (P.22) N/A N/A rights constitutional the [S]ecuring the and man of freedoms and family and personal to citizen mail, postal of secrecy the privacy, other and telephone telegraph, the to as well as communications, reputation. and honor of defense N/A measures to safeguard the the safeguard to measures retained, data of the confidentiality the for retrieved or processed (P.8) enforcement. law of purpose threatened also Personal is privacy communication of methods by new information use to ways and Identity Internet. the and systems for challenge growing a abuse is public and businesses individuals, authorities. (P.14) N/A ictQATAR working is with stakeholders to develop a legal of privacy the protect to framework is which information, personal development healthy the to critical This sector. ICT Qatar’s of framework, targeted for completion the otend 2011, will set [sic] by the on of Developing Developing National Information Strategy Security of Kingdom the for Saudi Arabia Cyber National Security Masterplan 2018 2010 Defense White 2010 Defense Paper Cyber Security the and Strategy Action National on Plan Implementati the National Cyber Security Security National of the Concept Federation Russian National ICT Plan 2015: Advancing the Digital Agenda National Strategy Strategy National for Information Security Cyberspace Policy Protection 2013 2013 2010 2013 2000 2011 2012 2013 Protecting Intellectual Property & Privacy in the Digital Age Digital the in Privacy & Property Intellectual Protecting Qatar Qatar Korea Korea Russia Russia Poland Poland Norway Norway Romania Singapore Republic of Saudi Arabia M K 2016] 2016] Do Not DeleteDo C Y 37838-chp_19-2 Sheet No. 70 Side A 05/09/2016 12:16:02 A 05/09/2016 70 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 70 Side B 05/09/2016 12:16:02 M K C Y : 5/3/2016 3:555/3/2016 PM personal rights personal open to innovation innovation to open unt and to show how measures measures how show to unt and [Vol. 19:2 [Vol. Actions to strengthen our national national our strengthen to Actions consistent be also must security those as such obligations, our with promote cyber security. (P.38) (P.38) security. cyber promote N/A interests where sphere second A are conflict might protective improve to Efforts (e.g. cyberspace in mechanisms or controls stricter through weighed be must surveillance), It privacy. of protection the against strategy, of this tasks the of is one into considerations such to take acco (P.7) circumspectively. taken be can law, of rule of principles The and rights human fundamental freedoms protection and of privacy essential as accepted be should (P.16) principles. the tackle to determined are We which way a in but threats, for respect with security balances At rights. fundamental and privacy UK the internationally and home work to continue will Government remains cyberspace that ensure to – space open an ideas, of flow free the and (P.5) expression. and information The approachtoaddressing to need the by is driven security originated which problem a resolve technological and scientific from fully now by has and development issue. social global a into translated this resolve to seeks Society the both ensure and problem and assets valuable of its protection (P.4) privacy. individuals’ N/A aware become must society Spanish and (privacy risks of individual risks collective and intimacy) social economic, security, (national it which to prosperity) cultural and wouldexposed be in event the ofan of use space. cyber irresponsible must of Spain Government The model and educational lead an Cyber Risks Cyber National Strategy Security and 2013-2014 Plan Action Cyber Security Strategy Security, a a Security, for Commitment Everybody for Strategy Information Sweden in Security 2010 – 2015 Strategy National Switzerland’s for Against Protection National Strategy Strategy National for Information Security Cyber Security Policy Cyber National Chapman Law Review Law Chapman 2013 2011 2010 2012 2008 2010 2013 Spain Slovak Slovak United United Turkey Turkey Sweden Sweden Republic Kingdom Kingdom Switzerland Switzerland South Africa Africa South 480 Do Not DeleteDo 37838-chp_19-2 Sheet No. 70 Side B 05/09/2016 12:16:02 B 05/09/2016 70 Side Sheet No. 37838-chp_19-2 37838-chp_19-2 Sheet No. 71 Side A 05/09/2016 12:16:02 481 481 5/3/2016 3:555/3/2016 PM civil liberties guaranteed in the in guaranteed civil liberties all by cherished and Constitution (P.1) Americans. The was CNCI developed with privacy to attention and care great close in concerns civil liberties and experts privacy with consultation Protecting government. the across rights privacy and civil liberties in objectives fundamental remain CNCI. the of implementation the (P.2) interagency with its working DoD, to seeks partners, international and and U.S. to posed risks the mitigate while capabilities, cyberspace allied the respecting and protecting principles privacy of civil and and expression, free liberties, made have that innovation U.S. of part integral an cyberspace (P.1) security. and prosperity concerning freedom of expression; expression; of freedom concerning and receive seek, to right the to right the and ideas; impart should security Defending privacy. commitment our with be consistent course, Of liberties. civil to uphold and well-established these are cyberspace debates,ongoing but new in focus into them can bring in than quickly more and ways, (P.17) areas. other cyber will pursue we home At enhance that policies security security collective and individual right citizens’ UK preserving while other fundamental and to privacy freedoms. and values (P.22) that directed President the Finally, a in conducted be activities these with consistent is that way and rights privacy the ensuring Department of of Department Strategy Defense in for Operating Cyberspace Comprehensive Comprehensive National Cybersecurity Initiative 2011 2008 Protecting Intellectual Property & Privacy in the Digital Age Digital the in Privacy & Property Intellectual Protecting M K United States States United 2016] 2016] Do Not DeleteDo C Y 37838-chp_19-2 Sheet No. 71 Side A 05/09/2016 12:16:02 A 05/09/2016 71 Side Sheet No. 37838-chp_19-2