News item | 07-06-2017
People are increasingly distrustful of the internet, and that poses a challenge to its future. Immediate steps to enhance internet trust must be taken. Governments can restore trust online by adopting a transparent and multi-stakeholder approach to the development of cybersecurity policies and strategies. Such an approach has two distinctive advantages: first, different stakeholders can establish cooperative relations and develop a common understanding of the identified threats and the tools to counter them; and second, all parties can gain greater confidence in the ultimate approach chosen and an understanding of their role in achieving the identified objectives.
Written by: Megan Stifel, Cybersecurity Policy Director, Public Knowledge and Agustin “Gus” Rossi, Global Policy Director, Public Knowledge
People are increasingly distrustful of the internet, and that poses a challenge to its future. Only 12% of the respondents of the 2017 CIGI-Ipsos Global Survey on Internet Security and Trust strongly agree with the statement “Overall, I trust the Internet”, with 65% of those who don’t trust it citing security as the main reason. In Latin America, 64% of respondents are more or much more concerned about their privacy than they were a year ago.
Unless we take immediate steps to enhance trust, the internet will falter as a tool for economic growth, development, civic engagement, and the promotion of human rights. We believe that enhancing transparency and encouraging multi-stakeholder dialogues are key and necessary elements for building trust online.
Transparency and dialogue to build cybersecurity
Transparency increases the understanding of cybersecurity risks and encourages governments, industry and civil society to coordinate and act to prevent and respond to such activity. Understanding risks helps Internet users make more informed decisions about their online behavior – whether to open an email from an unknown sender, install a verified software update, click on an embedded link, visit an insecure website, or use two-factor authentication. Improved user behavior in turn reduces the success of many malicious activities. At the same time, improved software development practices can also reduce vulnerabilities. The combination of these actions, informed through greater transparency, would go a long way to improving security online. And recognizing these improvements would contribute to restoring and increasing trust in the Internet.
In the 2016 “Cybersecurity, Are We Ready in Latin America and the Caribbean” report, the Organization of the American States (OAS) and the Inter-American Development Bank highlighted the role of civil society in the development of public-private partnerships to make meaningful cybersecurity advancements. We believe governments should continue the open approach the 2016 report exemplifies as they work to improve cybersecurity at the national and regional levels. A multi-stakeholder approach fosters transparency and ultimately increases awareness because users are better informed about the challenges presented through increasing connectivity and trust the steps taken to address them.
Opportunities for transparency and dialogue
A first and early opportunity governments have to increase transparency and dialogue is in the development of national cybersecurity strategies. In this process, which can raise the salience of cybersecurity issues in public debate, governments can and should work with industry and civil society to identify and implement policies to address the identified threats and vulnerabilities.
A transparent and multi-stakeholder approach has various advantages. First, it gives the different stakeholders an opportunity to establish cooperative relations and develop a common understanding of the identified threats and the tools to counter them. Second, it can give all parties greater confidence in the ultimate approach chosen and an understanding of their role in achieving the strategy’s objectives. In Latin America, the OAS encourages a multi-stakeholder approach to cybersecurity.
The development and implementation of best practices for core national cybersecurity activities are also opportunities for transparency and awareness raising. Take for example OAS’ “Best Practices for Establishing a National Computer Security Incident Response Team” (CSIRT). The document outlines a CSIRT’s role, offers guidance in the development of the institution’s framework, and identifies core actions the CSIRT should undertake in establishing operations. The best practices include sample policies on use of the CSIRT’s information systems and disclosure of information held by the CSIRT.
Published best practices identify an action a government or other organization should undertake, and the methods through which it should be undertaken. In doing so, best practices raise awareness of an important cybersecurity activity and establish baselines against which an organization can be evaluated. Best practices can also provide opportunities for accountability of and by governments and civil society.
Public-private partnerships and the transparency they enable also evolve through the development and use of common frameworks, such as the U.S. Department of Commerce National Institute of Standards and Technology “Framework for Improving Critical Infrastructure Cybersecurity,” commonly known as the NIST Framework, and standards such as ISO 27001 “Information Security Management.” NIST developed the Framework through a series of public workshops and feedback sessions. Initially published in 2014, in early 2017 NIST announced it is in the process of updating the Framework, again using requests for public comment, workshops, and webinars to engage stakeholders. In the three years since its publication, 30% of surveyed U.S. companies have adopted the Framework in some form, with the number expected to grow to 50% by 2020. Companies also reported that they use additional frameworks to manage their cybersecurity risk, including ISO 27001/27002.
More recently, in April 2017, the Information Sharing and Analysis Organization Standards Organization requested public comment on draft Guiding Practices to Advance Consumer Privacy in Cybersecurity Information Sharing. Public Knowledge, a non-profit organization that promotes freedom of expression, an open internet, and access to affordable communications tools and creative works, cooperated with other civil society organizations, the U.S. government, and industry to develop the draft practices, which identify actions that promote user privacy while enabling efficient and effective cybersecurity information sharing. Like the adoption of best practices, organizations that publicize their use of recognized cybersecurity frameworks and standards inform their customers, partners, and relevant governments that they recognize cybersecurity as a risk and are taking responsible measures to address it.
Transparency, multi-stakeholder dialogue, and accountability around cybersecurity risks, capabilities, and activities are necessary elements for the development of successful cybersecurity policies. In Latin America and the Caribbean, the OAS’ Cybersecurity Capability Maturity Model, the Best Practices for Establishing a National CSIRT, and the NIST Framework are in use and already incorporate some of these elements. Deepening and expanding these elements in cybersecurity policy development is necessary to restore trust online and maintain the internet as an open platform for progress and development.
This article first appeared in the third issue of the Global Cyber Expertise Magazine – May 2017