Cyber Security Industry Alliance Newsletter • Volume 1, Number 10 • June 2005

Report on the CSIA/GMU Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — International Level

On Thursday, May 26, CSIA and George Mason University School of Law's Critical Infrastructure Protection (CIP) Program co-sponsored the third in a series of forums on state, federal and international cyber security legislation. This event focused on international level issues and legislative efforts.

The speakers provided a range of information.

  • Jody Westby, Esq., Managing Director, PricewaterhouseCoopers LLP, moderated the discussion.

  • Jonathan Winer, Partner, Alston & Bird LLP, discussed the European Union (EU) approach, under which computer security is a human right, enforced by the 1995 passage of the Data Protection Directive. The Directive states that all personal information belongs to the individual, and that personal data cannot be shared by a third party unless consent is given to gather and distribute it.

  • Anthony Teelucksingh, United States Department of Justice, highlighted the challenges in Asia and developing countries, specifically the inconsistent, ad hoc approach many Asian countries take when addressing cyber security.

  • Richard Baird, Senior Deputy United States Coordinator, International Communications and Information Policy, Department of State, identified two key elements — economic development and political stability — and how they relate to a country's implementation of cyber security laws and regulations. Regarding internet governance, Mr. Baird also suggested that the principal interlocutor for security has shifted to the United States, with other countries turning to the US for models and discussions regarding security enhancement.

  • Drew Arena, Assistant General Counsel, Legal Compliance at Verizon, touched on the growing number of standards that global companies must comply with, and the political roles that industries play in the various governments.

The evening's discussion was spirited and raised a number of interesting points, including:

  • Discussion of the EU approach to personal information security: computer security is a “human right”, and companies are required to prove in an audited way that they have obtained consent from the individual to use or sell their information, or they may face legal action; however, enforcement here is weak.

  • Comments that Asia faces difficulty in achieving the “uniform” EU model for security policy; the differing governments and their ad hoc approach to security impede reaching a common policy. APEC – the Asia-Pacific Economic Cooperation – sponsors cyber security agents, and there is a definitive law enforcement perspective, both substantive and procedural; however, many countries lack the resources to train investigators to enforce these laws.

  • An observation that the US takes a fundamentally different approach to security policy because the infrastructure is primarily owned by the private sector, whereas many countries have government-owned infrastructure. To that point, it could be argued that security policy may be “easier” to implement in countries where the infrastructure is owned by the government.

  • It was suggested that the world is looking to the U.S., through forums such as WSIS, to define the future leadership responsibilities regarding internet governance in order to ensure a reliable and sustainable internet.

Given the diversity of views expressed at the symposium, CSIA will reconvene an international-level panel in the fall to further explore the issues that were discussed.