CYBERSECURITY: DOS & DON’TS
MARTINA FRANCESCA FERRACANE
RESEARCH ASSOCIATE AT ECIPE
QED
22 JUNE 2017
OUTLINE
1. GETTING THE TERMINOLOGY RIGHT
2. DON’TS
3. DOS
1. GETTING THE TERMINOLOGY RIGHT
CYBERSECURITY
Cybersecurity is the body of technologies, processes and
practices designed to protect networks, computers,
programs and data from attack, damage or unauthorized
access.
Elements of cybersecurity include:
Application security; Information security; Network
security; Disaster recovery / business continuity planning;
Operational security; End-user education.
Source: http://whatis.techtarget.com
CYBERSECURITY
Cyber threats can be grouped into 4 categories:
- Crime: fraud, extortion, theft, DoS, etc.
- Commercial espionage
- Nation-State espionage
- Warfare
Source: Information Technology Industry Council (2015)
ACCESS TO DATA FOR NATIONAL SECURITY & LAW ENFORCEMENT
Different issues such as:
- Counter-terrorism measures
- MLATs
- Data sovereignty
DATA PRIVACY
Data privacy concerns the collection, protection and dissemination of personal or private information about individuals or organisations.
Source: http://lexicon.ft.com/
FREEDOM OF EXPRESSION
Different issues such as:
- Fake news
- Censorship
- Hate speech
2. DON’TS
FRAGMENTATION (I)
“Member States have very different levels of preparedness, which has led to fragmented approaches across the Union. This results in an unequal level of protection of consumers and businesses, and undermines the overall level of security of network and information systems within the Union.”
Recital (5) - NIS Directive
FRAGMENTATION (II)
“Each Member State shall adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems (…)”
Article 7 - NIS Directive
FRAGMENTATION (III)
“Member States shall lay down the rules on penalties applicable to infringements of national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented (…)”
Article 21 - NIS Directive
NOTIFICATION OF INCIDENTS
Digital service providers have to report those incidents that have a ‘substantial impact on the provision of a service (…) they offer in the EU’.
Operators of essential services have to report those incidents ‘having significant impact on the continuity of the essential services they provide’.
In both cases the notification must be made ‘without undue delay’.
Art. 14 & Art. 16 - NIS Directive
COMPULSORY SECURITY STANDARDS (I)
“Member States shall (…) encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.”
Article 19 - NIS Directive
COMPULSORY SECURITY STANDARDS (II)
- Multi-Level Protection Scheme (MLPS) - China
- Preferential Market Access (PMA) - India
- Cybersecurity Law - China
‘The security reviews will not target any country or region, they will not discriminate against foreign technology or products, nor limit their access to the Chinese market. On the contrary, they will boost consumer confidence in such products and services, and expand their markets.’
CAC China
HOW SECURITY STANDARDS COULD BE ABUSED…
“We cannot allow [terrorism] the safe space it needs to breed – yet that is precisely what the internet, and the big companies that provide internet-based services provide”
Theresa May
DATA LOCALISATION (I)
‘Personal information and important data collected and generated by critical information infrastructure operators in the PRC must be stored domestically’
Art. 37 - China Cybersecurity Law - June 2017
‘Where due to business requirements it is truly necessary to provide it [data] outside the mainland, they shall (…) conduct a security assessment’
DATA LOCALISATION (II)
Source: Digital Trade Estimates Database - ECIPE
3. DOS
DOS
- Focus on systems that are truly critical in nature
- Improve public agencies
- Improve coordination intra-EU and globally
- Develop national cybersecurity plans
- Involve the private sector in the development of cybersecurity strategy
- Invest in R&D
- Increase PPP
- Participate in international fora and consortia
DOS
- Preserve interoperability and openness to the global market
- Balance cybersecurity concerns with:
  - civil liberties
  - innovation
  - trade
  - other policy priorities
“It's no longer OK not to understand how the Internet works.”
Aaron Swartz
REFERENCES
- Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L1148
- English Sina (2017). China Internet regulator says cyber security law not a trade barrier: http://english.sina.com/news/2017-05-31/detail-ifyfuvpm6886418.shtml
- FT (2017). Special Report on Cyber Security: https://www.ft.com/reports/cyber-security
- Independent (2017). Theresa May says the internet must now be regulated following London Bridge terror attack: http://www.independent.co.uk/news/uk/politics/theresa-may-internet-regulated-london-bridge-terror-attack-google-facebook-whatsapp-borough-security-a7771896.html
- ITIC (2013). ITI Position Paper on the Proposed “Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union”: https://www.itic.org/dotAsset/a748f2f7-7d73-4d62-8ea0-b5ad35e3af27.pdf
- ITIC (2015). The IT Industry’s Cybersecurity Principles for Industry and Government: https://www.itic.org/dotAsset/0e3b41c2-587a-48a8-b376-9cb493be36ec.pdf
- NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
- QUARTZ (2016). How countries like China and Russia are able to control the internet: https://qz.com/780675/how-do-internet-censorship-and-surveillance-actually-work/
Websites:
- www.ecipe.org/dte
- http://whatis.techtarget.com
- http://lexicon.ft.com/
MARTINA FRANCESCA FERRACANE
EMAIL: MARTINA.FERRACANE@ECIPE.ORG
THANK YOU!
