Law, Cybersecurity and Critical Information Infrastructure Protection

Beckstrom’s Law of Cybersecurity

There is a new law in the field of Cybersecurity. Rod Beckstrom presented Beckstrom’s Law of Cybersecurity at this year’s DLD14 conference in Munich. Thereafter the following shall apply:

1. Anything attached to a network can be hacked.
2. Everything is being attached to networks.
3. Everything is vulnerable

The list of eponymous laws is already long. The list of laws related to the Internet is still growing. Another example for such a law is Matcalfe’s law that states a telecommunication network’s value increases proportionally with the square of number of connected system-users. Also a model of network related laws are the Zuboff’s laws, one of it says every digital application that can be used for surveillance and control will be used for surveillance and control. Among the most well known is Moore’s law according to which the number of transistors soldered onto a microchip would double regularly. Due to their very nature, such laws can little be more as a rule of thumb; at least they have to be considered partly as obsolete. Though, in the area of data protection and privacy such regularities have to be taken seriously. In many cases data security is of no less importance.

Beckstrom’s law spells out that an absolute state of cybersecurity is not to be achieved. That assumed for a working hypothesis, the challenge remains of how to develop relative security and safety. Particularly controversial is the precise design of security architecture for critical information infrastructures – on a legal, political and technical level.

To begin with, cybersecurity incorporates the areas of cybercrime, cyber espionage and cyber war. Information security is a big subset of cybersecurity. Another important subset is cybersecurity policy. Worldwide, national governments as well as the European Union have given high priority to the topic. Against the background of the German national cybersecurity strategy set out in February 2011, the Federal Government has recently fixed in the coalition agreement its intention to pass a IT security bill. The European Union presented in 2013 a European strategy for cybersecurity consisting of a directive of network and information security in its core part.

The strategy documents as well as the legislative proposals aim at the protection of so-called critical (information) infrastructures in particular. Infrastructures are termed ‘critical’ as they are organisations and facilities of great importance to society. Consequently, the failure or impairment of which would result in serious supply shortages, considerable disruption of public safety, or other dramatic consequences. By information infrastructures both is meant the sector of information and communications technology (ICT) itself as well as infrastructures based on ICT in other sectors.

Problems of legal, political and technical nature

There are many problems to be solved in critical information infrastructure protection. The spectrum can only roughly be pointed out here. The debate on protection of critical information infrastructures can be pretty much hold free of ideology though since in every  type of society, information and communications technologies represent the central nervous system  of social and economic life. It is a constitutional task of the state protecting (critical) civil networks and information. Among others, projects at European level are based on the legislative competence of the Harmonisation of the Internal Market.

The range of problem-solving approaches range from a defensive-preventive strategy of creating resilient ICT structures in a mode of self-regulation of the largely private infrastructure operators to technically disconnect the relevant infrastructure as a legally required option for protection of critical ICT structures. At least, in the most sensitive areas, the latter is indisputable.

Legally, the definition of  “criticality”, i.e. the question of what makes infrastructure critical to society, will be a substantial issue for further legislative steps.  The main question in this regard is which infrastructures in particular will fall in the scope of the directives and laws.  The original European proposal for the directive had a broad concept of network and information systems insofar as it even intended to cover cloud computing services. The more service providers fall within the scope of legal measures, the higher is also the bureaucratic and financial burden for official actors and private companies. This may also run counter to the desire to aim only at the essential infrastructures. In a nutshell, not every network and information system is a critical information infrastructure.

From a governance-theoretical perspective, the question rises of how collaboration between private and public actors could be designed in concrete terms, for instance in multi-stakeholder-platforms, without facing any criticism objecting lobbying. Similar thoughts will be made on standardisation committees. One could possibly use new smart forms of meta-governance, whereby public actors will set free dynamics purposefully as well as, after that, coordinating and steer them smoothly in order to achieve a ‘network response to network threats’. Several players like the German Federal Office for Information Security (BSI) and the European Agency for Network and Information Security (ENISA) have a key role in this area.

As far as it concerns the specific configuration, referring to  reporting obligations, substantial problems will be coming up, too. The legal projects provide an obligation for operators of critical infrastructures to report security incidents to the competent authorities. Such obligations to report are intended to be remedies for epistemic uncertainty; moreover, they should convey an objectified picture of the situation to the public actors.  However, it is arguable from when and which information need to be reported. At this, the threshold of significant security breaches is still to be defined. All in all, the considerations by European and German privacy protection supervisors in the context of further elaborations have to be taken into account. The approach of making certain reports about security incidents accessible to the public does not seem being unfruitful.

In the field of private law, it’s certain that the topic will experience a significant revaluation in the future, especially the compliance agendas in companies. The standard for companies’ liability concerning IT security will be specified by the legislative measures. This in turn has considerable influence on the contractual practice and insurance coverage practice.

All in all, problems concerning protection of critical information infrastructures are numerous. It’s necessary to develop appropriate solutions in this field on a legal, political and technical level. Generally spoken and out of a legal point of view, it is a matter of balancing the relevant stakeholders legally protected interests and last but not least of a properly designed relation between law and technology.

This post is part of a weekly series of articles by doctoral canditates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and asssociated research projects, please contact presse@hiig.de.