Increasing access to the Internet and the risk of abuse surrounding its openness have become some of the most pressing issues of our time. In 2008 “the number of things connected to the Internet exceeded the number of people on earth” (Cisco Visualizations). As of 2010 there were an estimated 12.5 billion devices connected to the Internet, which some believe will rise to 50 billion by 2020 (Evans, 2011). This means that the “Internet of things” has arrived. Or rather the “Internet of us,” as “we, the people,” are at the heart of these new technologies that connect everything from ourselves to our phones, homes and cars. There is no doubt that this hyper connectivity is a powerful development tool that must remain open and accessible. It is an engine of growth and an opportunity for governments, business and individuals alike. However, this openness and accessibility does come with risks. The Internet has lowered the barriers of entry for criminal actors to participate in illicit activities while making it more difficult for law enforcement to link the crime to the perpetrator and jurisdiction. In an increasingly globalized world, a cyber-crime could originate from anywhere and pass through a series of computers compromised by hackers from across the globe before reaching its intended target (Bauer and Van Eeten, 2009). This is just one example of how the Internet complicates the concept of time, distance and jurisdiction.
While cyber-crime seems to be the newest threat it is important to note that there has always been crime, such as theft, only now conventional crimes have begun to adapt to the age of the Internet. New technology and the Internet simply act as an enabler for people to commit these crimes in new formats and with increased speed and the protection of anonymity. The amorphous and accessible nature of the Internet has unfortunately made it a security risk for governments, corporations, and private citizens alike. The “virtualization” trend has resulted in both increased efficiency in accessing information, while also making private information and critical infrastructure vulnerable to exploitation. Symantec’s 2014 Internet Security Threat Report stated that in 2013 breaches increased by 62%, and 8 of these breaches resulted in the theft of at least 10 million identities each (Internet Security Threat Report, 2014). Consequently private cybersecurity practices and insurance firms have become a growth industry, and are in the process of developing new cyber-insurance policies. Governments have also been concerned with the economic impact of these breaches, and have attempted to adapt to these new vulnerabilities with innovative Computer System Incident Response Teams (CSIRT).
The “Internet of things” has made society increasingly dependent on technology, which has resulted in increased vulnerability. There is now distrust between citizens, governments, and corporations due to spying accusations, wikileaks, hacktivists, and intellectual property threats. Cyber-threats require an adaptive policy response in order to resolve these societal insecurities. The multidimensional approach of cybersecurity policies, built around cooperation of public-private sector partnerships, has the ability to restore the trust between citizens and government by securing the integrity, authenticity, and privacy of communications and information. Rebuilding trust across sectors will ensure that the powerful tool of the Internet remains a positive force for development and equality. A multidimensional approach of cybersecurity policy has allowed national strategies to adapt to the changing capacities and volume of cyber-attacks by developing a multi-stakeholder infrastructure. These policies must routinely be updated in order to stay abreast of the latest malware and weaknesses, while also adapting existing legal frameworks to effectively prosecute and enforce jurisdiction over Internet-enabled crimes.
Given its fluid and adaptive nature, cybersecurity policy is a unique example of how national strategies should seek to respond to evolving and nebulous security threats. This paper examines and analyzes the adaptive nature of these policies and applies their integrated multi-stakeholder approach to other security policy processes. Section 1 will trace the evolution of policy and the history of the Internet in order to better understand the formation of cybersecurity policy processes. Section 2 examines the tenements of modern-day national cyber strategies with a particular focus on their adaptive nature. Section 3 examines how these policies might be adapted to a variety of policies meant to respond to security threats. Section 4 discusses the role of the Organization of American States’ (OAS) Cyber Security Program in the region, and Section 5 concludes the investigation with a summary of the results and a discussion on the challenges and opportunities for security policies in the future.
Section 1: The History of Cybersecurity
The Internet and information technology is the great equalizer, bringing together people from all countries and socioeconomic backgrounds. The development of the Internet has ushered in a new era that has greatly enhanced access to information, provided more efficient forms of communication, and fostered innovations. However, while an advantageous development tool, the openness and connectivity of the Internet and its increasing incorporation into aspects of everyday life has created exploitable vulnerabilities for criminal activity, with new means and opportunities to commit crimes. Cyber-crime should not however be seen as a profoundly new threat or form of criminal activity. What is new is the speed, distance, breadth and anonymity at which crimes of theft, scamming and racketeering are now taking place through connected devices. Cybersecurity policies developed alongside these new threats, and have continuously evolved throughout history to better protect citizens, corporations, and governments from cyber-attacks.
What we now call “cybersecurity” originated as nations struggled to protect sensitive information, particularly during times of war. Cyber-crime or the technological infiltration of networks existed long before the dawn of the computer as cybersecurity and cyber-attacks are essentially means of defending or attacking an adversary on the battlefield of information warfare. During World War I and II enciphered communication and its protection became of critical importance as the fate of a battle could depend on secure communications. The Battle of the Atlantic turned the tide of WWII with the help of Allied successes in cracking the Germans “Enigma” machine, highlighting the vitality, even then, of information security. Information security and crime continued to develop with the creation of the first ‘Internet’ in 1969 when ARPANET, a network for the United States Department of Defense, was connected to four universities (Lipson, 2002). The development and innovation of Internet protocols and of an international Internet throughout the 1970s and 1980s saw increased accessibility with larger amounts of people participating in the open network. Simultaneously this meant that there were increasing vulnerabilities in the developing cybersphere and an increasing number of cyber-criminals willing to exploit them.
Cybersecurity as we understand today developed alongside the Internet, in part as a reactionary response to cyber-attacks which became more and more difficult to deter and respond to on the open web (Bauer and Van Eeten, 2009). A RAND report commissioned by the US Senate in 1970 warned that “contemporary technology [could not] provide a secure system in an open environment, which include[d] uncleared users working at physically unprotected consoles connected to the system by unprotected community” (Warner, 2012). The beginnings of the “Internet of things” also created new challenges for securing information as ever increasing aspects of daily life became vulnerable to cyber-attack.
Governments responded to these new challenges by developing the first cybersecurity strategies. The United States led the charge with the introduction of legislation and the Computer Emergency Response Team (CERT) Communication Center, through Carnegie Mellon University (First, 2014). Other countries soon began to follow suit by developing their own CERTs or CSIRTs. Legislation also continued to develop to define cyber-crimes and integrate cybersecurity responses into the justice system. Today, the US-CERT is a highly organized agency that coordinates with a variety of departments to effectively counter cyber-attacks; the international community has likewise streamlined and consolidated their policies and established CSIRTs typically based on existing models. For example, Paraguay’s Computer Emergency Response Team (CERT-PY) was constructed with the goal of protecting critical infrastructure, developing public-private sector partnerships, and coordinating responses to cyber-attacks in a similar manner to other CSIRTs in the region.
Unfortunately, due to the quickly evolving and innovative nature of cyber-crime, as strategies developed new forms of cyber-crime arose (see Figure 1). During the 1980s concerns over the security of critical infrastructure grew; Cyber policies attempted to improve their resilience and response to such attacks through coordination with Non-Governmental Organizations (NGO), the private sector, and national CSIRTs (Warner, 2012). Cybersecurity policy continues to become more efficient and innovative in response to the rapid changes in cyber-crime witnessed in the cybersphere. The proliferation of “mega-attacks” has prompted further reliance on public-private cooperation and an integrated and standardized approach towards cyber resilience (Symantec Corporation, 2012). In the next section, these modern policies and the current state of the cybersphere will be discussed with a focus on policy processes in a multidimensional security context.
Figure 1: Cyber-Attack Sophistication over Time (Lipson, 2012)
Cybersecurity policies have continued to be responsive in the present day to increasingly sophisticated cyber-attacks. The proliferation of adversaries and the asymmetrical nature of cyberwarfare in some ways mirror the changing international environment in the 21st century. Fewer barriers to entry mean that an assailant could be anyone from a college student with a laptop to a sophisticated military unit. The increase in non-state actors and asymmetrical conflicts reflects the complex nature of defense against an adaptable enemy with unconventional weapons (NDP, 1997). This section will analyze the nature of the current cybersphere and the corresponding government strategies that have arisen in response to the changing conditions of the international Internet environment. The increasing relevancy of public-private partnerships in this new environment will also be considered as an aspect of national strategies.
While the “virtualization” of information systems has lead to increased efficiency and innovations from the economic sector to our personal lives, it has also introduced new vulnerabilities and risks. With millions of financial transactions everyday, people are at increased risks of personal information being exposed. The “Heartbleed” vulnerability that allowed cyber-criminals to access personal information and login credentials affected as many as a billion people (Egan, 2014). Cyber-attacks have also become increasingly sophisticated and adaptive; the illicit economy has incentivized cyber-criminals to “specialize” in various parts of an attack or campaign, resulting in increased productivity and innovation in malware development (Bauer and Van Eeten, 2009).
Another example of cyber-crime, related to the illicit economy, and its constant fluidity and evolution can be seen in illicit e-commerce and “the Amazons of the dark net;” online black markets known for selling drugs and other illegal goods, from weapons and fake university diplomas to stolen credit cards and fake IDs (The Amazons of the Dark Net, 2014). The ever evolving technical complexity of such sites is one factor that makes them so difficult to shut down. This, couple with the physical separation of buyers and sellers increases the anonymity they have and the difficulty police face. Many vendors also post on more than one site to ensure the continuation of their business should one site be shut down (The Amazons of the Dark Net, 2014). The extreme adaptability and constant evolution of illicit e-commerce sites provides a perfect example of the difficulties faced in cybersecurity and the adaptability and continued evolution needed by law enforcement to keep up with such cyber-crimes.
Yet, national and international cybersecurity policies and policing are in fact developing and advancing technologically alongside cyber-criminals. In a recent breakthrough approximately 400 dark net sites were shut down and 17 people arrested in a joint operation between 16 European countries and the US (Wakefield, 2014). The operation signified a renewed global cooperation to fight cybercrime as well as a technological breakthrough in the use of new techniques used by authorities to disable illegal sites and track down the physical locations of the individuals behind them. The operation represents a blow to dark net and illicit e-commerce activities operating in an area many believed unreachable by law enforcement. It also highlights the successfulness of cybersecurity policies that incorporate a multidimensional and “Smart Security” approach in cooperation with various countries, programs and agencies.
Increased connectivity has meant that information has become more difficult to protect. Government’s national cybersecurity policies have responded by drafting strategies that usually address the following areas: 1) Establishing a CERT or CSIRT 2) Promoting international and private sector cooperation and the sharing of best practices 3) Encouraging the participation of all stakeholders in policy processes 4) Developing a risk-aware culture among citizens and companies 5) Passing legislation that develops international norms and judicial precedents for cyber-crimes 6) Protecting critical infrastructure from cyber-attacks and 7) Promoting innovation in the field of cybersecurity. While not all national strategies fulfill all of the aforementioned objectives, they do usually acknowledge the importance of these areas. When developing a policy a country is more likely to pick only a few of the previous focus areas depending on their resources and motives. For example, France focuses heavily on innovation and best practices given its desire to be a leader in the field. In smaller countries with less capacity, there is usually a higher emphasis on protecting critical infrastructure with the support of international cooperation in order to draft a resource-appropriate policy. The development of Dominica’s national cyber strategy has been an example of such a targeted approach, as the nation has developed a resource-sensitive policy tailored to its capacities with the assistance of the OAS Cyber Security Program. This country-specific tailoring of national strategies has become a cornerstone in cyber policies in the region, and has resulted in a more cost-effective approach to cybersecurity.
The establishment of a CSIRT or CERT is perhaps the most crucial part of any strategy due its ability to manage response efforts to a cyber-attack and to orchestrate the cooperation of public-private partnerships through its multidimensional policy processes. Both are critical in detecting cyber-attacks and responding to them in real time in an organized and coordinated manner (Symantec Corporation, 2014). This usually entails cooperating with a diverse range of NGOs, government entities, and private companies in order to properly assist in stopping the attack and quarantining all servers infected with the malware. A proper response usually relies on information both provided by the victim (often a corporate retailer or a government department) as well as government intelligence units and private computer security companies who can assist in ascertaining where the attack came from and the extent of damage that was done. A CERT or CSIRT is also responsible for coordinating and disseminating best practices to this medley of organizations and relevant actors in order to promote an adaptive and innovative online culture.
The sharing of best practices promotes a risk-aware environment both among corporate actors as well as employees who might be targeted for phishing attacks. Not only does a program of best practices promote trust among these actors but it also facilitates innovation as each organization or actor can utilize shared information to further develop cybersecurity measures. This innovation also requires the participation of the private sector and other relevant “stakeholders.” The involvement of stakeholders, whose personal interests necessitate a stable cybersphere, is a critical part of this formula since the level of security in the cybersphere is dependent on the aggregate but decentralized decisions of these individual stakeholders (Bauer and Van Eeten, 2009). However, there are market incentives for these stakeholders to resist implementing policies; many companies and individuals feel that they are unlikely to be attacked, or that a simple firewall is enough of a deterrent. Many Internet users do not even purchase security software, and if they do they turn it off if it appears to slow down a computer. What’s more, overhauling policies can be costly, and given that online security is a “quasi-public good” some firms might be tempted to rely on the CERT to enforce security. According to an economic study of stakeholder incentives, “suppliers [of security software] will typically not be able to mark-up their products in accordance with the social value of their security features but only with the private value, leading to an under-provision of security” (Bauer and Van Eeten, 2009).
For corporations, incentives should aim to convey understanding of the costs of a cyber-attack. Oftentimes these attacks can have a devastating effect both on the company and the economy as a whole, depending on the size of the corporation. The loss of confidence and reputation can dramatically injure profits; on average firms lose between 1-5% in profits the days after an attack, losing stockholders anywhere between USD 50-200 million annually, according to a study of the New York Stock Exchange (Cashell, Jackson and Jickling, 2004). The insurance industry has also been slow to respond with appropriate corporate policies in case of a cyber-attack, and those that have provided compensation tend to be capped in the hundreds of millions (Perloth and Harris, 2014). In the case of a “mega-breach” where damages could exceed a billion dollars, the lack of cyber-insurance policies could put the company at risk for bankruptcy. Citizens face significant risk from these breaches as well; credit scores can be irreparably injured by the loss of their identities and lawsuits against the corporation can take months. Prevention, not response, is clearly the preferable approach to information security in the case of corporations and individuals.
Cybersecurity policies must therefore be effective at incentivizing citizens and the private sector to protect their devices and information from hackers through a multidimensional approach that encourages cross-sector trust through public-private partnerships. Given the open nature of the cybersphere, it is impossible to ever completely secure the Internet from cyber-attacks. However, coordination among governments, the private sector, civil society and individual citizens can decrease the probability and efficacy of cyber-attacks. When Secretary General of the OAS, José Miguel Insulza, created the Secretariat for Multidimensional Security (SMS) in 2005 it was due to the recognition of the evolving nature of emerging threats and the multidimensional policy responses they would require. The SMS’s “Smart Security” model, exemplifies this changing approach to security; its implementation in the SMS Cyber Security Program has resulted in policies that take a targeted resource-appropriate approach to cybersecurity that both preemptively promotes awareness of best cyber practices and promotes public-private partnerships.
The promotion of awareness is another critical aspect of national strategies, and highlights another relevant stakeholder: citizens. The proliferation of “smart” devices and the “Internet of things” have meant an increase in unsecured points of access. Due to this the amount of Internet users in the world continues to rise exponentially; in Latin America alone there were 147 million new Internet users in 2013 (Symantec Corporation, 2014). The discussion of Internet security needs to therefore be extended to the average citizen just as much as the corporate bank or the government intelligence ministry. Current attacks are usually coordinated through a series of botnets, a network of infected computers controlled by the hacker, in order to launch a cyber-attack without it being possible to trace it to the original source. Citizens face increasing risks of their smart devices being incorporated into such a network, making cyber-awareness more important than ever. Campaigns like “Stop.Think.Connect” and designating October as “Cybersecurity Awareness Month” can help generate a risk-aware culture by promoting awareness of how cyber-criminals infiltrate smart devices or steal personal information and offering recommendations for how to avoid or deter such attacks. By decreasing the points of access and potential botnets available to a hacker, their ability to launch an attack declines.
Campaigns like “Stop.Think.Connect” and other media efforts are usually coordinated through legislative bodies in conjunction with international and regional actors in order to have maximum impact. This mandates a consistent and long-term focus on cyber legislation in order to establish norms and coordinate standardized national cyber strategies between agencies. Often ministries, the military, and government agencies have departments that have similar policies but rarely coordinate together. The establishment of a CERT with the support of legislation can therefore be imperative to proper information sharing and the promotion of innovation. A standards based approach with common norms is therefore critical to their cooperation as well as to laying a proper legal foundation for the prosecution of cyber-criminals. International cooperation is also key in this aspect given that cyber-criminals frequently commit crimes in foreign countries, therefore a shared set of principles and legal frameworks can help facilitate extradition and prosecution when necessary.
There are heightened fears that cyber-criminals will target critical infrastructure, or infrastructure deemed essential to a nation’s survival such as health services, transportation services or energy centers. The expansion of the “Internet of things” and the linkage of industrial systems to the Internet has increased this vulnerability (Hare, 2009). Protection of critical infrastructure therefore has been an integral part of national strategies (DeVos, 2010). This usually involves the cooperation of the private sector in conjunction with a variety of governmental agencies and the national CERT in order to properly prepare for the possibility of a cyber-attack. This can ensure that private critical infrastructure companies, for example an electricity company, have the proper cyber policies in place to deter an attack and frequently update and repair vulnerable technology. At times there has been difficulty motivating the private sector to cooperate with the government over cybersecurity policies, particularly over the disclosure of when an attack has occurred for fear of falling stock prices. Hence, innovation in both policy and technology is essential to improving the field of cybersecurity as a whole. CERTs address this problem through their multidimensional approach to incorporate private sector innovations, incentivizing their cooperation with government cybersecurity teams. An open and trusting relationship between all stakeholders has the potential to foster innovation not only in new technology but also in developing more streamlined policy processes.
Section 3: Applying Cybersecurity Policy Processes to Multidimensional Security
The aforementioned policy processes were a product of historical context and the current state of the cybersphere; the policies produced were tailored to respond to asymmetrical and adaptive forces. These policy processes are therefore uniquely adaptable to other unconventional forms of crime or violence, such as gang warfare or drug cartels. All deal with non-state actors like hacktivists or terrorists, and attempt to respond to enemies that operate in a transnational environment, whether that be the cybersphere or in cartel territories. What has made these policies so successful is their ability to adapt along with these asymmetric forces and to incorporate the stakeholders into the policy solution. This section will discuss themes of a national cybersecurity strategy and their application to issues of multidimensional security.
The establishment of a coordinating body like a CERT, for example, has tremendous potential to improve inter-agency cooperation on a task and develop a more targeted response to a conflict. This could be particularly useful in coordinating the efforts of NGOs and other organizations to best utilize their resources. For example, the OAS has a cooperation agreement with the Argentine NGO Usuaria which is an excellent example of the multiplier effect and an effective multisectoral approach. This also corresponds to the SMS’s “Smart Security” approach, which advocates that all proposals be sustainable and take into account national and regional capabilities. Cybersecurity policies are often based on a country’s capabilities and it is important to recognize that a CERT-like committee might be too expensive for some countries. Yet, if the country lacks the capabilities, a “Smart Security” approach could be used and the same functions of a CERT-style security team could be designated to one person, coordinating with regional actors and NGOs to fulfill the team mandate.
A CERT or CSIRT style response team could not only improve coordination between governmental agencies, but also with stakeholders. The importance of stakeholders cannot be undervalued, given their ability to be influential actors in whatever security related crisis unfolds. What’s more, any solution that is reached without the prior approval or inclusion of a relevant actor runs the risk that said excluded group or individual will refuse to uphold the policy. According to the “Smart Security” approach, policies are more effective when they take a multidimensional approach and incorporate the “positive experiences of participants;” the same is true for cyber as well as any security conflict (SMS/OAS).
The inclusion of the average citizen is also an important part both for a healthy cybersecurity policy as well as for tackling international security issues. The similarities between the “Stop.Think.Connect” campaign and the “If You See Something, Say Something” security and terrorism prevention campaign used in the US show how the promotion of awareness among citizens can help make issues of security a national “team effort.” This approach could be particularly useful for targeting at-risk youth who are vulnerable to gang recruitment, crime and violence. Integrated multisectoral prevention programs that target the social vulnerabilities that make these gangs attractive have a far greater chance of success than repressive over-incarceration programs of the past.
A CSIRT-style committee could also be useful in cooperating with NGOs to develop a consensus on international norms. Cybersecurity policies have shown remarkable efficacy in their ability to facilitate cooperation between countries and stakeholders to develop international norms and standards for the prosecution of cyber-criminals. A similar policy style that incentivizes public-private partnerships could be tremendously effective in combating other security issues that involve multiple stakeholders. While this can be difficult on more sensitive matters like the drug trade, cooperation between states and NGOs on security issues such as counter-terrorism efforts could help create a more unified front against criminals and promote the sharing of best practices. Cybersecurity policies that attempt to coordinate cyber defense policies within a sector could perhaps be adapted for key industries like the transportation sector which sees thousands of migrants and traffickers abuse their system annually. Perhaps a CSIRT-style committee could assist in a regional sharing of best practices to better defend infrastructure relevant to security conflicts by engendering trust across sectors with its multidimensional approach.
Perhaps the most useful aspect of cybersecurity policies is their ability to encourage innovation. With asymmetrical conflicts in a fast-moving and ever-changing environment the ability to be flexible and adaptive cannot be undervalued, whether in the cybersphere or in the international community. Therefore programs that coordinate the sharing of best practices and intelligence exchanges in relevant fields all encourage the optimal use of resources and knowledge to tackle fluid security problems like drug trafficking. By maximizing resources and capabilities, both government, civilian, and public actors have the potential to discover innovative new solutions to security problems.
Section 4: Cybersecurity and the OAS: An Example of Effective Multidimensional Security Policy
The OAS has played a unique role in the evolution of cybersecurity policy in the Western Hemisphere through its innovative Cyber Security Program in the Inter-American Committee against Terrorism (CICTE). Born out of “The Inter-American Integral Strategy to Combat Threats to Cyber Security” resolution, or Resolution AG / RES. 2004 (XXXIV-O/04), part of the program’s mandate has been to lead the charge in establishing CSIRTs and National Cybersecurity Strategies, as well as to promote awareness of online security in both the public and private sectors. The emphasis on a multidimensional approach through public-private partnerships and attention to targeted resource-realistic projects has made the cyber program a huge success and has assisted in the development of seven new national strategies in the past five years with strategies for four new countries to be developed in the next few years (OAS, 2014). The scalable approach of the OAS Cyber Security Program improves the efficacy of these national strategies by assisting the countries in developing a policy tailored to their needs and capabilities.
The work of CICTE is becoming increasingly essential as Internet penetration in the region and the proliferation of Internet accessible devices continues to rise. While access to information technology is crucial to economic development and must remain open, increased access to the Internet also means increased possibilities of cyber-attack; during 2011 there was an average 8-12% increase in cyber-attacks, with some countries reporting as high as a 40% increase (Trend Micro Inc., 2014). These attacks have also become more sophisticated; the use of ransomware to hold encrypted files hostage has grown over 300% in 2013 (Symantec Corporation, 2014). The exploitation of zero-day vulnerabilities and the use of watering-hole attacks have made it easier for cyber-criminals to target specific individuals without detection for extended periods of time. This “low and slow” method of gathering information has allowed for extended campaigns and increasing large amounts of data to be mined before the malicious activity is detected. Latin America specifically has become an attractive target to cyber-criminals due in part to the proliferation of mobile phone and social media usage. Brazil hosting the 2014 World Cup in particular offered new opportunities for scams and phishing campaigns. These attacks are costly to governments as well as victims; in 2013 alone cyber-crimes supposedly cost the globe USD 113 billion (Symantec Corporation, 2014).
The Cyber Security Program has endeavored to stymie these crimes through its comprehensive and multidimensional approach to cybersecurity. The program emphasizes the use of public-private partnerships as a method to effectively combat threats to critical infrastructure and foster innovation in cyber policies. The program’s assistance in developing national strategies and CSIRTS also emphasizes a multidimensional approach to security through the involvement of key stakeholders; by inviting NGOs and members of the private sector to assist in the construction of cyber policy it encourages their cooperation with government policy while simultaneously utilizing the expertise of their industry. These public-private partnerships have also been developed through OAS events, which not only help to promote awareness of cyber-crime but also expand the capabilities of member state specialists to respond to a cyber-attack. The OAS has also partnered with high-profile IT companies like Microsoft, Symantec, and Trend Micro in order to release reports about trends in the Americas. These public-private partnerships are just one example of the innovative nature of the OAS Cyber Security Program, exemplifying how a multidimensional approach to security can generate progressive and effective polices.
Section 5: Future Challenges and Concluding Notes
The Secretariat for Multidimensional Security’s “Smart Security” approach is uniquely applicable to cybersecurity policy processes. Both emphasize constructing policies and programs according to a state’s capabilities and resources and the participation of stakeholders. It is these linked factors that have helped the OAS Cyber Security Program have such success in assisting Member States with the development of national strategies. A multidimensional approach that encourages stakeholder involvement in particular is a key part of this process since the government and private sector are more likely to uphold policies that represent their interests. The OAS “Smart Security” approach is based on what works, and is tailored to the countries needs and capabilities, emphasizing the importance of objectivity, evidence-based problem analysis, and the evaluation of results. The lessons drawn from this approach therefore have the potential to change security policy processes if applied to other security issues.
The “multidimensional” aspect of the Secretariat means that the OAS approach to security must adapt to appropriately respond to the changing nature of risk in the international system. Security conflicts arise from vulnerabilities in social infrastructure and structural incentives to break laws, in the case of the cybersphere, the openness and ease of access has made cyber-crimes a low-risk high-reward venture. Policy processes have adapted to these vulnerabilities by promoting public-private partnerships and stakeholder participation; by encouraging the cooperation of all relevant actors trust is created and a more effective defense against exploitation can be formed. The application of these kinds of policy processes to issues of migration, drug trafficking, or gang violence could not only improve regional coordination on transnational issues but also the efficacy of such strategies due to their adaptable approach and ability to incentivize cooperation among relevant actors. For example, spreading awareness on the risks of joining gangs or the provision of vocational training to at-risk youth could adapt current Mano Dura, or strong handed, policies to a more socioeconomic approach to gang violence.
These policy lessons might not be applicable to every security conflict; for example protection of critical infrastructure is more suited to terrorism defense than responding to drug trafficking and it can at times be difficult to coordinate legislation on transnational issues between different states in a region that is not homogeneous. While it is unlikely that all member states will have consistent consensus on security issues, the OAS can play an important role in facilitating a dialogue between Member States in order to involve all the stakeholders. As a regional intergovernmental organization the OAS has a unique opportunity to coordinate multilateral responses to transnational issues, but these issues often require a capacity to adapt to changing circumstances. Cybersecurity policy processes therefore offer a unique potential to grow and evolve in response to constantly evolving aspects of cyber-crime through the adoption of the “Smart Security” model. An integrated and adaptive multi-stakeholder approach that reduces vulnerabilities and strengthens institutional fragilities, as seen in the OAS Cyber Security Program, is therefore the best approach for disrupting cyber-crime and has the potential to serve as a guide for future policies targeting other forms of crime and unconventional conflicts. These policy processes could generate a new style of regional policies that approach security issues with an innovative and multidimensional methodology capable of adapting to new security issues as they develop.
Bauer, J. and Van Eeten, M. (2009). Cybersecurity: Stakeholder incentives, externalities, and policy options. Telecommunications Policy, 33(10), pp.706–719.
Cashell, B., Jackson, W. and Jickling, M. (2004). The economic impact of cyber-attacks. Washington, D.C.: Congressional Research Service.
Cisco Visualizations. The Internet of Things. Available at: http://share.cisco.com/internet-of-things.html [Accessed 15 Oct. 2014].
DeVos, S. (2010). Google-NSA Alliance: Developing Cybersecurity Policy at Internet Speed, Fordham Intell. Prop. Media \& Ent. LJ, 21, p.173.
Egan, B. (2014). A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw. [online] Forbes. Available at: http://www.forbes.com/sites/bobegan/2014/04/11/a-billion-smartphones-users-may-be-affected-by-the-heartbleed-security-flaw/ [Accessed 20 Oct. 2014].
Evans, Dave. (2011). The Internet of Things: How the Next Evolution of the Internet Is Changing Everything. Cisco IBSG. Available at: http://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf [Accessed 15 Oct. 2014].
First, (2014). About FIRST / History. Available at: http://www.first.org/about/history [Accessed 10 Oct. 2014].
Hare, Forrest B. (2009) “Private Sector Contributions to National Cyber Security: A Preliminary Analysis,” Journal of Homeland Security and Emergency Management: Vol. 6: Iss. 1, Article 7.
Internet Security Threat Report 2014. (2014). Mountain View, CA: Symantec Corporation.
Lipson, H. (2002). Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Pittsburgh: Carnegie Mellon Software Engineering Institute.
National Defense Panel (NDP) (1997). Transforming defense: National security in the 21st century: Report of the National Defense Panel. Available at: http://www.fas.org/man/docs/ndp/toc.html [Accessed 15 Oct. 2014].
OAS, (2014). Cyber Security Program. Available at: http://www.oas.org/cyber/aboutus.asp [Accessed 17 Oct. 2014].
Perloth, N. and Harris, E. (2014). Cyber-attack Insurance a Challenge for Business. The New York Times. Available at: http://www.nytimes.com/2014/06/09/business/cyber-attack-insurance-a-challenge-for-business.html?_r=0 [Accessed 17 Oct. 2014]
Secretariat for Multidimensional Security (SMS/OAS). (n.d.) Developing Cooperation and Strengthening Capacity of OAS Member States on Matters of Security. Washington, D.C.: Organization of American States
Symantec Corporation, (2014). Latin American and Caribbean Cyber Security Trends. Washington, D.C.: Organization of American States, Secretariat for Multidimensional Security & Symantec Corporation.
The Amazons of the Dark Net. (November 1, 2014). The Economist. Available at: http://www.economist.com/news/international/21629417-business-thriving-anonymous-internet-despite-efforts-law-enforcers?frsc=dg%7Ca [Accessed 2 Nov. 2014].
Trend Micro Inc., (2014). Latin American and Caribbean Cybersecurity Trends and Government Responses. Washington, DC.: Organization of American States.
Wakefield, Jane. (November 7, 2014). Huge raid to shut down 400-plus dark net sites. BBC News. Available at: http://www.bbc.com/news/technology-29950946 [Accessed 7 Nov. 2014]
Warner, M. (2012). Cybersecurity: a pre-history. Intelligence and National Security, 27(5), pp.781–799.