4 Chapter 3: Governance Overview: Main Governing and Regulatory Mechanisms
Purpose: This chapter provides an overview of the main governing and regulatory mechanisms, both international and domestic, that cover cybersecurity considerations, with readings on select bodies in each domain. It is divided into three units. The first introduces Internet governance frameworks and surveys the relevant international cybersecurity bodies, both public and private. The second presents domestic bodies and units. The third introduces some law-enforcement frameworks as they have been applied to the digital domain.
Concepts Covered: Globally-Relevant Bodies and Treaties (ICANN, IETF, ITU, Convention on Cybercrime (Council of Europe), Organization of American States (OAS), Shanghai Cooperation Organization); Relevant Domestic Organizations, Policies, and Strategies (White House (WH), Congress, the Department of Defense (DoD) (CYBERCOM, National Security Agency), the Department of Homeland Security (DHS), FBI, NIST, and the FCC); Law-enforcement frameworks (Jurisdiction and Territoriality in Cyberspace, Anonymity and Attribution, Application of the Laws of War, Issues with digital law enforcement (wiretapping and VoIP, digital search and seizure, private sector cooperation with law enforcement))
4.1 Overview of Relevant International Cybersecurity Bodies and Mechanisms (public and private)
Purpose: To provide the reader an understanding of the theory behind Internet governance and the multi-stakeholder nature of the Internet. It also outlines a number of globally relevant bodies and treaties, including ICANN, IETF, ITU, SCO, and the COE Convention on Cybercrime.
4.1.1 Introduction to Internet Governance Frameworks
Presents an overarching framework for Internet governance and discusses the difficulties that arise with coordinating regulation across the globe in a rapidly changing cyber-environment.
4.1.1.1. Lawrence B. Solum, Models of Internet Governance, Illinois Public Law Research Paper No. 07-25, U Illinois Law & Economics Research Paper No. LE08-027, September 3, 2008
4.1.1.2. Robert Knake, Internet Governance in an Age of Cyber Insecurity, Council on Foreign Relations, September 2010
4.1.1.3. Jeremy Ferwerda, Nazli Choucri, and Stuart Madnick, Institutional Foundations for Cyber Security: Current Responses and New Challenges, Working Paper CISL# 2011-05, May 2011
4.1.1.4. Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, Future Challenges in National Security and Law, February 2011
4.1.1.5. Abraham D. Sofaer, David Clark, and Whitfield Diffie, Cyber Security and International Agreements, Proceedings of a Workshop on Deterring Cyberattacks, pp. 179-206, 2010
4.1.2 Select Globally-Relevant Bodies and Treaties
Provides an understanding of the major bodies and treaties that impact cybersecurity at a global level, including ICANN, ITU, SCO, and various international treaties.
4.1.2.1 Internet Corporation for Assigned Names and Numbers (ICANN)
ICANN is a non-profit corporation, formed in 1998, that coordinates the global Domain Name System (including the DNS root) and the allocation of IP address space and protocol parameters. Its relationship with the U.S. Department of Commerce, set out in the 1998 Memorandum of Understanding and the 2009 Affirmation of Commitments, has been central to the debate over self-regulation of the Internet.
4.1.2.1.1. Internet Corporation for Assigned Names and Numbers, Memorandum of Understanding, November 1998
4.1.2.1.2. Internet Corporation for Assigned Names and Numbers, Affirmation of Commitments, September 2009
4.1.2.1.3. Jose Ma. Emmanuel A. Caral, "Lessons from ICANN: Is self-regulation of the Internet fundamentally flawed?", International Journal of Law and Information Technology, vol. 12, no. 1, pp. 1-31, 2004
4.1.2.2 The Internet Engineering Task Force (IETF)
The Internet Engineering Task Force is a loosely coordinated and self-organized body that contributes to the engineering and evolution of Internet technologies. It is the principal body engaged in the development of new Internet standard specifications.
4.1.2.2.1. The Internet Engineering Task Force, The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force, 15 October 2011
4.1.2.3 Shanghai Cooperation Organization
The Shanghai Cooperation Organisation (SCO) is a permanent intergovernmental international organization created on 15 June 2001 in Shanghai (China) by the Republic of Kazakhstan, the People’s Republic of China, the Kyrgyz Republic, the Russian Federation, the Republic of Tajikistan and the Republic of Uzbekistan.
4.1.2.3.1. Yekaterinburg Declaration of June 16, 2009
4.1.2.4 International Telecommunication Union (ITU)
An agency of the United Nations focused on telecommunication networks and radio frequency allocations. In recent years, a number of UN members have sought to give the ITU more regulatory power over the Internet, an ongoing and contentious debate.
4.1.2.4.1. Jeremy Ferwerda, Nazli Choucri, and Stuart Madnick, Institutional Foundations for Cyber Security: Current Responses and New Challenges, Working Paper CISL# 2011-05, May 2011
4.1.2.4.2. International Telecommunication Union, ITU’s Global Cybersecurity Agenda
4.1.2.4.3. McDowell, Robert M., The U.N. Threat to Internet Freedom, The Wall Street Journal, February 21, 2012
4.1.2.4.4. MacLean, Don. "Sovereign Right and Dynamics of Power in the ITU: Lessons in the Quest for Inclusive Global Governance" in Drake, William J. and Ernest J. Wilson III, eds. Governing Global Electronic Networks. Cambridge: The MIT Press. pp. 84-126, 2008
4.1.2.5 Council of Europe Convention on Cybercrime
The Convention on Cybercrime (the Budapest Convention) was opened for signature in Budapest on 23 November 2001 and entered into force on 1 July 2004. It is the first binding international treaty addressing crimes committed via computer networks, covering substantive offences, procedural powers, and international cooperation; it is open to non-member states of the Council of Europe, and the United States is a party.
4.1.2.6 Organization of American States
The OAS brings together all 35 independent states of the Americas and constitutes a political, juridical, and social governmental forum of the entire Hemisphere. In addition, it has granted permanent observer status to 67 states, as well as to the European Union (EU).
4.1.2.6.1. A Comprehensive Inter-American Cybersecurity Strategy
4.2 Introduction to Domestic Governing and Regulatory Bodies
Purpose: To provide an overview of U.S. regulatory bodies that influence and shape the cyber-domain both domestically and throughout the world.
4.2.1 Overview
Provides an understanding of the overall structure of the U.S. response to cybersecurity issues.
4.2.1.1. Lawrence B. Solum, Models of Internet Governance, Illinois Public Law Research Paper No. 07-25, U Illinois Law & Economics Research Paper No. LE08-027, September 3, 2008
4.2.1.2. Jeremy Ferwerda, Nazli Choucri, and Stuart Madnick, Institutional Foundations for Cyber Security: Current Responses and New Challenges, Working Paper CISL# 2011-05, May 2011
4.2.1.3. Paul Rosenzweig, The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy, pp. 245-270, 2010
4.2.1.4. Abraham D. Sofaer, David Clark, and Whitfield Diffie, Cyber Security and International Agreements, Proceedings of a Workshop on Deterring Cyberattacks, pp. 179-206, 2010
4.2.2 Relevant Domestic Organizations, Policies, and Strategies
Provides an introduction and broad overview of the major organizations, policies, and strategies involved in domestic cybersecurity policy-making and approaches, including the White House (WH), Congress, the Department of Defense (including CYBERCOM and the National Security Agency), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI).
4.2.2.1 The White House
The White House’s interest and involvement in cybersecurity has grown and evolved since President Clinton issued Presidential Decision Directive 63 (PDD-63) in 1998.
4.2.2.1.1. The White House, International Strategy for Cyberspace, May 2011
4.2.2.1.2. Eric Chabrow, The Cybersecurity Czar Who Wasn't, GovInfo Security, 2 June 2012
4.2.2.2 Department of Defense
The DoD encompasses much of the U.S. government's technical expertise both to respond to cyber-incidents and to conduct and defend against cyberattacks; it includes both the NSA and CYBERCOM.
4.2.2.2.1. Department of Defense, Strategy for Operating in Cyberspace, July 2011
4.2.2.2.2. Department of Defense Cyberspace Policy Report, November 2011
4.2.2.2.3. The Secretary of Defense, Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations, 23 June 2009
4.2.2.2.4. Statement of General Keith B. Alexander, Commander, United States Cyber Command, before the House Committee on Armed Services, 23 September 2010
4.2.2.2.5. William A. Owens, Kenneth W. Dam, and Herbert S. Lin, editors, Committee on Offensive Information Warfare, National Research Council; Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities; Pages 161-187, 2009
4.2.2.3 Department of Homeland Security
The DHS is responsible for responding to domestic cybersecurity incidents and has made cybersecurity one of its five most important mission areas. Most versions of cybersecurity reform envision greatly expanding DHS’s cyber responsibilities.
4.2.2.3.1. National Cyber Incident Response Plan, Interim Version, September 2010
4.2.2.3.2. Homeland Security Presidential Directive 5, 28 February 2003
4.2.2.3.3. Blueprint for a Secure Cyber Future, DHS, "How We Will Protect Critical Information Infrastructure" and "How We Will Strengthen the Cyber Ecosystem", December 2011
4.2.2.3.4. Memorandum of Understanding Between the Department of Homeland Security and the National Security Agency Regarding Cyberspace, October 2010
4.2.2.4 Federal Bureau of Investigation
The FBI maintains cyber squads at its field offices and leads the National Cyber Investigative Joint Task Force (NCIJTF), an interagency focal point for cyber threat investigations and analysis.
4.2.2.4.1. The Federal Bureau of Investigation's Ability to Address the National Security Cyber Intrusion Threat, U.S. Department of Justice, Office of the Inspector General, Audit Division, April 2011
4.2.2.5 National Institute of Standards and Technology
NIST is a non-regulatory federal agency within the Department of Commerce that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology. The NIST Laboratories conduct research in collaboration with industry to advance the nation's technology infrastructure.
4.2.2.5.1. NIST Computer Security Division
4.2.2.5.2. NIST Establishes National Cybersecurity Center of Excellence, 21 February 2012
4.2.2.6 Federal Communications Commission
The FCC regulates interstate and international communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories.
4.2.2.6.1. Communications Security, Reliability and Interoperability Council (CSRIC) III
4.3 Introduction to Law-Enforcement Frameworks as Applied to the Digital Domain
Purpose: To orient the reader to the law-enforcement frameworks that apply in the digital domain, and the inherent difficulties with enforcing rules in cyberspace.
4.3.1 Application of the Laws of War
Given the novel nature of the cyber-domain as an arena for international conflict, the existing laws of war must be carefully examined to determine whether they are sufficient to govern proper conduct during cyber conflict.