A Comparative Study on Cybersecurity Act Implemented in the United States and China

학위논문 (석사) -- 서울대학교 대학원 : 국제대학원 국제학과(국제지역학전공), 2020. 8. 신성호.The past decade in cyberspace witnessed state-mediated attack in pursuance of accomplishing ones political end. Once limited to opportunistic private criminal groups, the concept of cyberattack transformed into a countrys important means to bolster national security and further propagate national stance in cyberspace. Henceforth, cyberspace emerges as compelling security realm. When compared to traditional security environment, judging the situation is convoluted on account of the unique characteristics of cyberspace. Under the amorphous nature of cyberspace, if anything, nations become more nationalized. The nature of cyber realm characterized by innate openness and hyper-connectivity will trigger structural change in cybersecurity landscape. Thus the thesis argues that although nations will actively interact and engage in collective initiatives fueled by the rising voice of forming global governance for cybersecurity, the overriding state sovereignty in the end would breed discord in the cyber era. Every move in cyberspace rests upon a nations political end thereby taking account of geopolitical interests assumes greater importance since invisible borderline matters. Given the nations inclination to utilize cyber capabilities for political ends, what happens in conventional security realm can also occur in cyberspace. The thesis chooses the US and China, allegedly Group of Two (G2), to study how both country take governmental measures vis-à-vis cybersecurity. Two great powers, with no doubt, are the pioneers in this emerging security realm. Not only both actively engage in building up cyber capabilities but also actively engage in appealing for cooperation to its allies. By conducting a comparative study on Cybersecurity Act of 2015 in the US and Cybersecurity Law of the PRC in 2016, the thesis aims to demonstrate how G2 implement legal regulation to safeguard domestic information infrastructure amidst the rising cyber threats posed by both state and non-state actors. In doing so, the thesis will research how respective country exerts its national interests in cyberspace while cooperate with other countries to defend global security. The thesis will add a new dimension on current cybersecurity studies by filling the gaps in previous literature. The thesis will contribute in understanding Sino-US relation regarding hegemonic competition in cyberspace and further propose the prospects of nations in the cyber era.지난 십 년의 사이버환경은 정치적 목적을 이루기 위한 수단으로써 국가 주도의 사이버공격이 주를 이룬다. 한때 기회주의적 범죄집단에 국한된 사이버공격은 이제 한 국가의 정치적 목적 달성, 사이버 공간에서의 정치적 선전의 중요한 수단으로 이용된다. 이에 따라 사이버공간은 그 귀추가 주목되는 신(新)안보영역으로 급부상하고 있다. 전통적 안보 영역과 비교했을 때 사이버공간의 독특한 특성으로 말미암아 사이버안보 환경을 가늠하는 것은 훨씬 복잡하다. 개방성과 초연결성으로 특징되는 무정형의 사이버 공간에서 역설적이게도 국가는 더욱 국가주의적인 경향을 보인다. 안전한 사이버안보 환경 수립을 위해 글로벌거버넌스 구축의 필요성에 더해 각 국가들이 공동의 이니셔티브를 위해 협력함에도 불구하고 더 우선시되는 주권국가의 이익은 사이버공간이라는 신(新)안보 영역에서의 갈등을 초래할 것이다. 이는 궁극적으로 사이버안보 전망의 구조적 변화를 부추긴다. 사이버공간 하에 한 국가의 정치적 행위가 결국 특수한 목적에 달려있음에 기인해 이 신(新)안보 영역의 이해에 앞서 지정학적 이익관계의 이해가 요구된다. 사이버 역량을 한 국가의 정치적 목적 달성의 수단으로 이용하려는 지난 십 년의 경향은 전통적 안보영역 차원에서 발생하던 일이 사이버공간에 또한 발생할 수 있음을 시사한다. 본 논문은 미국과 중국이 사이버안보 관련 어떠한 정부차원의 조치를 취하는 지 연구함에 목적을 둔다. 양국은 사이버 역량 발전에 국가적 투자를 아끼지 않을 뿐 아니라 동맹국들에게도 협력을 촉구하며 사이버공간이라는 신(新)안보영역에 가장 적극성을 띠는 국가이다. 미국의 2015년 사이버안보법과 중국의 2016년 사이버보안법을 비교 연구해 본 논문은 양국이 국내의 정보 인프라 보호를 위해 어떠한 법적 규제를 마련했는지 살펴보고자 한다. 또한 각국이 사이버공간에서 어떻게 국익을 행사하며 동시에 범지구적 차원의 사이버안보를 위해 어떠한 협력 매커니즘을 추구하는지 연구한다. 본 논문은 사이버안보를 미∙중 경쟁구도의 관점에서 재해석하며 더 나아가 거시적으로 사이버안보를 전망한다는 점에서 현재의 사이버안보 연구에 기여한다.I. Introduction 1 1. Research Background 1 2. Argument Overview 3 3. Significance of the topic 5 4. Methodology 8 II. Literature Review 10 1. Sino-US relation and Cybersecurity 10 2. Previous studies on cybersecurity 16 3. Cybersecurity and relevant legal regulation 25 a. The United States 25 b. China 29 4. Limitations of prior research 32 III. The United States 34 1. An overview of national security and cyberspace 34 a. Cybersecurity environment 34 b. Cybersecurity strategy guideline 37 2. Information security and regulatory regime 41 a. Definition of Critical Information Infrastructure 41 b. The evolution of discussion on information security 45 3. Cybersecurity Act of 2015 48 IV. China 51 1. An overview of national security and network security 51 a. The development process of informatization 51 b. Cybersecurity strategy guideline 54 2. Network security and regulatory regime 57 a. Cybersecurity environment 57 b. Definition of Critical Information Infrastructure and regulatory regime 59 3. Cybersecurity Law of the PRC 62 V. Analysis 64 1. Thesis findings 64 a. The US model of protecting homeland cybersecurity 66 b. Chinese model of controlling mainland network security 68 2. Implications and prospects of nations in the cyber era 69 a. Cybersecurity as a shared problem 69 b. Race to cyber supremacy 72 VI. Conclusion 75 Bibliography 78 Abstract in Korean 91Maste

Cybersecurity and cyber defence: national level strategic approach

Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology (OT) security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries. Use of the term “cybersecurity” as a key challenge and a synonym for information security or IT security confuses customers and security practitioners, and obscures critical differences between these disciplines. Recommendation for security leaders is that they should use the term “cybersecurity” to designate only security practices related to the defensive actions involving or relying upon information technology and/or OT environments and systems. Within this paper, we are aiming to explain “cybersecurity” and describe the relationships among cybersecurity, information security, OT security, IT security, and other related disciplines and practices, e.g. cyber defence, related to their implementation aligned with the planned or existing cybersecurity strategy at the national level. In the case study given example of The National Cybersecurity Strategy of the Republic of Croatia and Action plan is presented and elaborated. The Strategy’s primary objective is to recognize organizational problems in its implementation and broaden the understanding of the importance of this issue in the society

Warfighting for cyber deterrence: a strategic and moral imperative

Theories of cyber deterrence are developing rapidly. However, the literature is missing an important ingredient—warfighting for deterrence. This controversial idea, most commonly associated with nuclear strategy during the later stages of the Cold War, affords a number of advantages. It provides enhanced credibility for deterrence, offers means to deal with deterrence failure (including intrawar deterrence and damage limitation), improves compliance with the requirements of just war and ultimately ensures that strategy continues to function in the post-deterrence environment. This paper assesses whether a warfighting for deterrence approach is suitable for the cyber domain. In doing so, it challenges the notion that warfighting concepts are unsuitable for operations in cyberspace. To do this, the work constructs a conceptual framework that is then applied to cyber deterrence. It is found that all of the advantages of taking a warfighting stance apply to cyber operations. The paper concludes by constructing a warfighting model for cyber deterrence. This model includes passive and active defences and cross-domain offensive capabilities. The central message of the paper is that a theory of victory (strategy) must guide the development of cyber deterrence

Cyber Warfare and Precautions against the Effects of Attacks

Ninety-eight percent of all U.S. government communications travel over civilian-owned-and-operated networks. Additionally, the government relies almost completely on civilian providers for computer software and hardware products, services, and maintenance. This near-complete intermixing of civilian and military computer infrastructure makes many of those civilian objects and providers legitimate targets under the law of armed conflict. Other civilian networks, services, and communications may suffer collateral damage from legitimate attacks on government targets. To protect those civilian objects and providers from the effects of attacks, the law of armed conflict requires a state to segregate its military assets from the civilian population and civilian objects to the maximum extent feasible. Where segregation is not feasible, the government must protect the civilian entities and communications from the effects of attacks. The current integration of U.S. government assets with civilian systems makes segregation impossible and therefore creates a responsibility for the United States to protect those civilian networks, services, and communications. The U.S. government is already taking some steps in that direction, as illustrated by a number of plans and policies initiated over the past decade. However, the current actions do not go far enough. This Article identifies six vital actions the government must take to comply with the law of armed conflict and to ensure not only the survivability of military communication capabilities during times of armed conflict, but also the protection of the civilian populace and civilian objects

Cyber Warfare and Precautions against the Effects of Attacks

Ninety-eight percent of all U.S. government communications travel over civilian-owned-and-operated networks. Additionally, the government relies almost completely on civilian providers for computer software and hardware products, services, and maintenance. This near-complete intermixing of civilian and military computer infrastructure makes many of those civilian objects and providers legitimate targets under the law of armed conflict. Other civilian networks, services, and communications may suffer collateral damage from legitimate attacks on government targets. To protect those civilian objects and providers from the effects of attacks, the law of armed conflict requires a state to segregate its military assets from the civilian population and civilian objects to the maximum extent feasible. Where segregation is not feasible, the government must protect the civilian entities and communications from the effects of attacks. The current integration of U.S. government assets with civilian systems makes segregation impossible and therefore creates a responsibility for the United States to protect those civilian networks, services, and communications. The U.S. government is already taking some steps in that direction, as illustrated by a number of plans and policies initiated over the past decade. However, the current actions do not go far enough. This Article identifies six vital actions the government must take to comply with the law of armed conflict and to ensure not only the survivability of military communication capabilities during times of armed conflict, but also the protection of the civilian populace and civilian objects

Due diligence in cyberspace: guidelines for international and European cyber policy and cybersecurity policy

Global cyberspace is undergoing fundamental change. There are now frequent references to a "fragmentation of the Internet", but many European and international working groups are also increasingly aware that "a free, open and at the same time secure Internet" is a global public good. However, the political rules adopted for International and European cyber policies and cybersecurity policies will always lag behind technological developments. It is the more important, therefore, to subject these rules to the over-arching norm of due diligence in cyberspace, and to do so on the national, European and international levels. This generates three requirements for Germany's future strategic orientation in cyberspace: European cooperation: integrating national policies into the European framework; inclusiveness: giving different interest groups broad and publicly accessible representation in formulating policies; civilian response: prioritising the civilian component over the military component, particularly in times of peace. However, Germany's major partners are confused as to what goals precisely it is pursuing in cyberspace. It is therefore advisable for Berlin to improve its coordination and communication of responsibilities at the national and EU levels, be it on issues of Internet Governance, the fight against cybercrime, or cyberdefence. (author's abstract

Stockpiling Zero-day Exploits: The Next International Weapons Taboo

In the current state of global affairs, a market exists for zero-day exploits where researchers, nation states, industry, academia, and criminal elements develop, buy, and sell these commodities. Whether they develop zero-days or purchase them, nation states commonly stockpile them for the future. They may then use them for purposes such as: espionage, offensive cyber operations, or deterrent effect. The immediate effect of this stockpiling though is that the exploit is not divulged to the public and is therefore not remediated. In our increasingly networked and code dependent world, this creates the potential for a cyber disaster with yet unimaginable impacts on global stability. It is therefore imperative that nation states responsibly divulge zero-day exploits through an international framework for the global good. Moving from the current state of affairs to one where responsible release of zero-day exploits is the norm will not be easy. There are many stake holders who argue that keeping stockpiles is beneficial or that this is an area that is not feasible to regulate. However, as we have seen with weapons such as nuclear, chemical, and biological weapons, it is possible to develop international regimes that prohibit the use of such weapons due to their extraordinary capabilities and impact. Alternatively, should these exploits be seen as equally pernicious as contagious diseases, nations may join together to form organizations similar to the WHO that can address international cyber issues. If a taboo against the use of zero-day exploits can be established, i.e., we make their use morally illegitimate, the security of all users will be improved

Cyber Plungers: Colonial Pipeline and the Case for an Omnibus Cybersecurity Legislation

The May 2021 ransomware attack on Colonial Pipeline was a wake-up call for a federal administration slow to realize the dangers that cybersecurity threats pose to our critical national infrastructure. The attack forced hundreds of thousands of Americans along the east coast to stand in endless lines for gas, spiking both prices and public fears. These stressors on our economy and supply chains triggered emergency proclamations in four states, including Georgia. That a single cyberattack could lead to a national emergency of this magnitude was seen by many as proof of even more crippling threats to come. Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, went on to describe the incident as a “galvanizing event for the country.” This Article challenges this characterization, suggesting instead that little has changed in terms of regulation, enforcement, or liability and that, as a result, another cyber incident targeting our critical infrastructure is, quite frankly, a matter of when and not if. The Article explores a set of kneejerk legal processes—litigatory, regulatory, and legislative—which were set in motion in the wake of the Colonial Pipeline incident. For each these processes the Article highlights points of failure in generating positive long-term effects aimed at increasing broader cybersecurity. Relying on insights from Daniel Solove and Woody Hartzog’s recent book Breached!, this Article treats the Colonial Pipeline incident as a microcosm through which to understand our broader regulatory deficits in critical infrastructure cybersecurity. Against this backdrop, the Article offers the first scholarly examination of a new and innovative blueprint developed by the Biden Administration to promote holistic regulations as part of a National Cybersecurity Strategy. The Article highlights both the promises and pitfalls of this Strategy on future regulation of critical infrastructures

Cyber Plungers: Colonial Pipeline and the Case for an Omnibus Cybersecurity Legislation

The May 2021 ransomware attack on Colonial Pipeline was a wake-up call for a federal administration slow to realize the dangers that cybersecurity threats pose to our critical national infrastructure. The attack forced hundreds of thousands of Americans along the east coast to stand in endless lines for gas, spiking both prices and public fears. These stressors on our economy and supply chains triggered emergency proclamations in four states, including Georgia. That a single cyberattack could lead to a national emergency of this magnitude was seen by many as proof of even more crippling threats to come. Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, went on to describe the incident as a “galvanizing event for the country.” This Article challenges this characterization, suggesting instead that little has changed in terms of regulation, enforcement, or liability and that, as a result, another cyber incident targeting our critical infrastructure is, quite frankly, a matter of when and not if. The Article explores a set of kneejerk legal processes—litigatory, regulatory, and legislative—which were set in motion in the wake of the Colonial Pipeline incident. For each these processes the Article highlights points of failure in generating positive long-term effects aimed at increasing broader cybersecurity. Relying on insights from Daniel Solove and Woody Hartzog’s recent book Breached!, this Article treats the Colonial Pipeline incident as a microcosm through which to understand our broader regulatory deficits in critical infrastructure cybersecurity. Against this backdrop, the Article offers the first scholarly examination of a new and innovative blueprint developed by the Biden Administration to promote holistic regulations as part of a National Cybersecurity Strategy. The Article highlights both the promises and pitfalls of this Strategy on future regulation of critical infrastructures

Cyber Law and Espionage Law as Communicating Vessels

Professor Lubin\u27s contribution is Cyber Law and Espionage Law as Communicating Vessels, pp. 203-225. Existing legal literature would have us assume that espionage operations and “below-the-threshold” cyber operations are doctrinally distinct. Whereas one is subject to the scant, amorphous, and under-developed legal framework of espionage law, the other is subject to an emerging, ever-evolving body of legal rules, known cumulatively as cyber law. This dichotomy, however, is erroneous and misleading. In practice, espionage and cyber law function as communicating vessels, and so are better conceived as two elements of a complex system, Information Warfare (IW). This paper therefore first draws attention to the similarities between the practices – the fact that the actors, technologies, and targets are interchangeable, as are the knee-jerk legal reactions of the international community. In light of the convergence between peacetime Low-Intensity Cyber Operations (LICOs) and peacetime Espionage Operations (EOs) the two should be subjected to a single regulatory framework, one which recognizes the role intelligence plays in our public world order and which adopts a contextual and consequential method of inquiry. The paper proceeds in the following order: Part 2 provides a descriptive account of the unique symbiotic relationship between espionage and cyber law, and further explains the reasons for this dynamic. Part 3 places the discussion surrounding this relationship within the broader discourse on IW, making the claim that the convergence between EOs and LICOs, as described in Part 2, could further be explained by an even larger convergence across all the various elements of the informational environment. Parts 2 and 3 then serve as the backdrop for Part 4, which details the attempt of the drafters of the Tallinn Manual 2.0 to compartmentalize espionage law and cyber law, and the deficits of their approach. The paper concludes by proposing an alternative holistic understanding of espionage law, grounded in general principles of law, which is more practically transferable to the cyber realmhttps://www.repository.law.indiana.edu/facbooks/1220/thumbnail.jp