5 The Catalog Approach

A recent attempt to catalog all possible ways in which cyber security may be measured resulted in a list of over 900 items (Herrmann 2007). The full spectrum of issues that may one day be laid before cyber security policy decision makers would be similarly long. A listing of all cyber security policy issues is not feasible to attempt because it is the type of list that would be out of date as soon as it was done. Nevertheless, a catalog approach provides structure for classification and examples of cyber security policy issues. Chapter 6 uses a catalog approach to isolate and explain decision criteria on which cyber security policy mandates are frequently based.

The primary reason for listing and explaining a set of issues is to introduce and explain the foundations of concepts that frequently recur in cyber security policy debates. A secondary reason for presenting a catalog is to impress the reader with the variety and breadth of the field of cyber security policy. A third reason is to include enough detail in the explanation of cyber security policy issues for decision makers to recognize how the consequence of a given policy may affect their enterprise, whether or not it is a policy they themselves adopt, or a policy that has been adopted by others. Given that the list is necessarily incomplete, and its purpose is elucidation and awareness, it is first necessary to present the nomenclature used to create the list, which has itself become a taxonomy of cyber security policy issues.

The original taxonomy for this Catalog transformed considerably as this book took shape. The process of listing the issues and the corresponding discussion among authors while contributing to the list altered the taxonomy several times. As more issues were added to the list, more prior explanatory guidance was needed for them to be comprehensible to the reader.

Moreover, debate in cyber security typically centers on the impact of cyber security incidents. Root cause analysis of cyber security incidents, as in any root cause analysis exercise, will produce two types of causes: events and conditions. Events are the proximate causes, and conditions are the situations that allowed the event to occur. For example, a situation in which dry kindling is left next to a gasoline-soaked rag is a condition; an event is a discarded cigarette that ignites the rag and causes a fire that burns out of control due to the presence of the kindling. Events are by nature unpredictable and difficult to control. But conditions that allow events in cyberspace to become security issues may be controlled with policy. Concentration on conditions rather than events led to the current taxonomy for the catalog of cyber security policy issues. Although other taxonomies may be equally valid, the current catalog is a viable method to promote education and awareness of cyber security policy issues. It is an alternative to the typical fear, uncertainty, and doubt (also known by security professionals as the FUD factor) that surrounds the conventional presentation of security issues in terms of events. Rather than accept the current situation as described in Chapter 2, where the latest threat is typically unanticipated, an overview of cyber security policy alternatives provides a comprehensive look at what might be done to avert the high impact of an unexpected threat. Rather than give up on security validation metrics because they are as difficult as described in Chapter 3, an overview of cyber security policy alternatives presents a comprehensive picture of the significance of the metrics data that we are capable of gathering.

Cyber policy issues faced by individual agencies and organizations seem hopelessly complicated in isolation, but in the context of the issues faced globally, sense can be made of the individual organization's choices within the cyber-enabled community. For many of the seemingly hopeless situations, a solid understanding of cyber security policy issues not only suggests potential solutions for the organization, but also provides a solid foundation for the organization to lobby for choices made by others that affect it.

For example, nearly everyone who uses cyberspace is affected by mechanisms that govern the allocation of Internet domain names and numbers. But only those who have been affected to the extent that policy choices in this domain have facilitated incidents that cause negative impact to their enterprise have likely investigated these issues. Even then, the investigation is typically into how Internet governance works, rather than how it could work if policy was different. From the Catalog’s clear presentation of the issues related to Internet Governance, it is apparent that no matter how many lawyers one has, all domains will continue to be subject to threats of impersonation unless several policies are changed globally. If more organizations came to this recognition, we may collectively realize that our combined resources may be better spent in diplomatic efforts and cooperative prevention pacts than in law tribunals. A comprehensive catalog that describes conditions under which cyber events turn into security issues should assist all organizations to better use their own sphere of influence to further their own cyber security strategies.

To that end, we present the Cyber Security Policy Catalog of Chapter 6. Like each chapter before it, this chapter looks at cyber security from a different dimension. The dimensions in this case are suggested by the policy issues themselves. The chapter divides cyber security policy issues into sections based on five aspects of cyber security policy goals:

6.1 Cyber Governance Issues
6.2 Cyber User Issues
6.3 Cyber Conflict Issues
6.4 Cyber Management Issues
6.5 Cyber Infrastructure Issues

This classification scheme was chosen in order to explain the types of issues that build on each other so as to provide a more thorough understanding of the entire set. Figure 5.1 illustrates that these sections build on each other to produce comprehensive insights into how policy is expected to contribute to cyber security. Cyber Governance is concerned with issues relating to Internet operation and its continued utility and feasibility. Of course, where cyberspace networks are privately operated, these issues will also apply, but their scope will be smaller. The resolution of issues in the governance arena undoubtedly will heavily influence the e-commerce environment, which is how most users are exposed to cyber security policy issues. Cyber Users are concerned with the stability of cyberspace as a platform upon which to conduct business, as well as their own personal expectations for Internet communication. Cyber security policy issues decided in that arena may have downstream consequences, both intended and unintended, on Cyber Conflict between political factions and nation-states. These conflict issues will drive cyber security requirements and thus present policy issues in the practice of technology operations and management. Cyber Management policies in some sense form a baseline of due care with respect to security, although each industry will face issues of unique concern. Hence, we provide examples of Cyber Infrastructure issues.

Figure 5.1 Cyber security policy taxonomy.

None of the policy domains in Figure 5.1 stands alone. They are presented in an order that allows the conditions presented under one to be used as background explanations for those that follow. However, in practice, the policy discussions in these areas are often intertwined to the point where it is difficult even for experts to dissect the issues to the level included in Chapter 6. The point of this introductory discussion before the actual presentation of cyber security policy issues is to foster an understanding of the various types of policy issues in order to prompt recognition that they are separate and distinct. For example, most cyber governance issues may be resolved independent of user issues, though some may constrain the policy choices made on behalf of users. Also, the resolution of user privacy issues may limit choices or introduce constraints in alternatives for cyber policy concerning cyber conflict issues. The interaction and overlap between the sections of Chapter 6 are often highlighted in the discussions. The chapter also attempts to clarify the difference between major policy issues that often capture headlines, such as cyber crime and cyber war.

It is understood that some executives will find that a few sections of Chapter 6 offer enough education on, and diversity of, cyber security policy examples to allow them to peruse one or two and then skip to Chapter 7. Others may find the high-level description of each section to provide enough understanding and so skip reading the example policy issues in themselves. However, those interested in public policy on cyber security will read all sections and all of the debates with interest, as each brings richer understanding of the differing perspectives on the overall domain of cyber security.

Note also that government and private sector policy decision makers will have different issues to face in the policy debate. However, they may be very interested in the way issues are resolved in other domains. For example, telecommunications sector executives will be most involved in the issues of Internet Governance on a day-to-day basis, but they may also be very interested in the cyber security policy decisions made with respect to cyber conflict, although these are issues more directly faced by government officials in their role as public steward or servant. Also, although government officials do not confront decisions on cyber security issues faced by executives who manage large industrial control systems that are part of the nation’s critical infrastructure, they may nevertheless be very interested in the resolution of the issues because they may have consequences for the nation’s critical infrastructure. There are also policy issues that are common to large segments of the executive decision-maker population, no matter what their industry. For example, all of the technology practice issues that are faced by a corporate executive managing his or her own enterprise generically are also faced by leaders of government agencies.

5.1 Catalog Format

Each section of the Catalog follows a uniform format. Each section begins with an overview of the issues of interest for that section. The overview is meant to shed light on cyber security policy concerns and introduce a taxonomy for the issues within the general section heading. Each item in the taxonomy will have its own subsection introductory description. These descriptions are followed by a categorization of cyber security policy issues that illustrate the concerns of the subsection and may include examples of events that illustrate major cyberspace developments and corresponding security impact. The opening discussion in each subsection is followed by a table that lists specific examples of cyber security policy issues.

Each policy statement in a tabular list is enhanced with both explanation and opinions that indicate why cyber security policy constituents may be concerned about the issuance of executive mandates with respect to the issue. Rather than take sides on these opinions, they are neutrally presented as “reasons for controversy.” Readers should also keep in mind that cyber security policy that makes sense for one organization does not necessarily make sense for any other, and two organizations with inconsistent internal cyber security policies may nevertheless coexist in harmony. Hence, no sides are taken on whether any given proposed policy statement should be issued as policy in any given constituency. Instead, the reasons why a statement may stir controversy are presented in the form of virtual constituent opinions.

There are at least two reasons for controversy cited for each policy statement. However, the reasons for controversy reveal that there are often more than two sides to a cyber security policy debate. Note that many of the policy statements identified in this book are already mandated in the context of existing policy directives or published doctrines within some constituency, but many are not. Even those that have been adopted as policy may not have any corresponding enforcement structure. Nevertheless, all issues and corresponding literature have surfaced in published information security standards, government directives, or academic literature.

Many executives today are faced with responsibility for creating their own organizational cyber strategy and cyber security policy statements. These reasons for controversy are highlighted solely to enhance awareness of debates in progress while encouraging development of new opinions on the issue. In line with the objective of providing a comprehensive guide to cyber security policy issues for executive decision makers, an attempt has been made to phrase the cyber security policy issues in such a manner that an executive in the domain sees the consequences of mandating these statements as policy within their own sphere of organizational control. The members of the list have been grouped by subject of concern to the corresponding domain in order for an executive to quickly get a sense of how cyber security policy issues within a given domain may be related to each other. The adoption of one may entail the adoption of another, or it may conflict with the opportunity to adopt another. These lists are not intended to be a complete enumeration of all policy issues in a given domain that will serve as an executive menu (although such menus do exist; Peltier 2001). Rather, they are intended to provide insights that will allow readers to build their own comprehensible framework to cover their own goals with respect to cyber security policy.

The catalog approach is intended to ensure that policy issues are captured systematically and without prejudice toward one overarching global strategy to accomplish any given organization’s objective for the utilization of cyberspace. Again, note that there are an infinite variety of policy statements that would serve to identify a cyber security policy issue for the purposes of discussion, and no attempt has been made at a complete enumeration.

A key goal of the Catalog is to provide well-articulated constituent opinions with respect to each policy statement. These opinions are clearly demarcated from the explanation of the policy issue itself, as the explanation is intended to be fact-based. Inclusion of a policy statement in this document in no way implies endorsement. A reason for controversy with respect to a policy statement is not highlighted as either a pro or a con. Though they may be grouped by category or similarity of opinion, reasons for controversy are not listed in any purposeful order. Note that all policies are subject to unanticipated, as opposed to unintended, consequences. Unanticipated consequences are inherently unknown and so will not be listed. By contrast, unintended consequences may be anticipated, though they are not certain to occur. Hence, an unintended consequence carries a likelihood value that is subject to opinion. If unintended consequences are included in the catalog in the context of a policy statement, they will be listed as opinions, that is, as reasons for controversy.

It is important for the reader to keep in mind when reading these opinions that many organizations have differing requirements for cyber security. An opinion that seems like a pro cyber security policy statement to one organization may be considered a con by another. Also keep in mind that enforcement of any policy relies on an accompanying strategy, a technically feasible implementation of that strategy, and an enforcement mechanism. Therefore, expected benefits stated in opinions are not likely to be gained unless it is certain that the policy can be enforced.

5.2 Cyber Security Policy Taxonomy

As previously mentioned, each of the catalog sections is further broken down into subsections. The resulting taxonomy provides a methodology for examination of cyber security policy issues. The sections and subsections are:

6.1 Cyber Governance Issues
6.1.1 Net Neutrality
6.1.2 Internet Names and Numbers
6.1.3 Copyrights and Trademarks
6.1.4 Email and Messaging
6.2 Cyber User Issues
6.2.1 Malvertising
6.2.2 Impersonation
6.2.3 Appropriate Use
6.2.4 Cyber Crime
6.2.5 Geolocation
6.2.6 Privacy
6.3 Cyber Conflict Issues
6.3.1 Intellectual Property Theft
6.3.2 Cyber Espionage
6.3.3 Cyber Sabotage
6.3.4 Cyber Warfare
6.4 Cyber Management Issues
6.4.1 Fiduciary Responsibility
6.4.2 Risk Management
6.4.3 Professional Certification
6.4.4 Supply Chain
6.4.5 Security Principles
6.4.6 Research and Development
6.5 Cyber Infrastructure Issues
6.5.1 Banking and Finance
6.5.2 Health Care
6.5.3 Industrial Control Systems

Just as it is always possible to add more policy lists, it is always possible to find specific sectors of the population for whom cyber security policy will contain different and unique sets of issues. The original domain subsections for the Catalog were loosely modeled on the U.S. Department of Homeland Security Critical Infrastructure domains. Experts in these areas were invited to speak on cyber security policy at a conference of cyber security experts hosted by Stevens Institute of Technology (SIT 2010). After more than a year of discussion, the opinions of these experts, invited reviewers, and the authors converged on the taxonomy of this list.

Each subsection is prefaced with a discussion of issues unique to that domain, together with background information needed to understand the point of some of the policy statements contained within its list. Sections 6.1–6.4 are generally applicable to any industry, but there are cyber security policy issues that do not apply generically to all organizations. Details on such industry-specific issues are not covered in the more general sections, but a few examples appear in subsections under the heading of Cyber Infrastructure Issues. For example, Section 6.5.2 concerns the health-care industry, wherein the pressure to digitize record-keeping and associated electronic health-care initiatives has called public attention to a variety of issues in the dominion of cyber security policy. These have motivated both legislation and enterprise cyber policy directives.

Each subsection discussion is followed by a table that contains the list of policy issues to be explained for that subsector. The table has three columns. Each row in the table begins with a clear articulation of a cyber security policy statement. The second column in each row is a fact-based explanation of the policy statement. The third column contains the list of the reasons why the policy statement may be controversial. This format is illustrated in Table 5.1.

Table 5.1 Format for Policy Lists

Policy statement: This cell contains a statement of policy in the form it would be stated if it were a management directive.

Explanation: This is a brief explanation of why the policy has significance in the domain of cyber security.

Reasons for controversy: This column contains two or more cells. Each cell states a different reason why a policymaker might be motivated to issue the policy statement in the form of a management directive, or defer from association with the policy statement.

The lists of issues in each table are representative. Though some sections will have more than the others, there is no expectation that any list is complete. It is always possible to add issues or include more opinions surrounding them, and enough issues have been listed in these tables to communicate a sense of the challenges in cyber security policy strategy to be accomplished by domain executives. Refreshing these lists with new unique and innovative cyber security policy issues and arguments will occur naturally in experienced readers. This is especially true in conjunction with new societal developments, and thus, after our publication of this initial subset, the development of other current and emerging cyber security policy issues will be left as an exercise for the reader.
