Report on the CSIA/GMU Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — International Level
On Thursday, May 26, CSIA and George Mason University School of Law's Critical Infrastructure Protection (CIP) Program co-sponsored the third in a series of forums on state, federal and international cyber security legislation. This event focused on international-level issues and legislative efforts.
The speakers provided a range of information.
- Jody Westby, Esq., Managing Director, PricewaterhouseCoopers LLP, moderated the discussion.
- Jonathan Winer, Partner, Alston & Bird LLP, discussed the European Union (EU) approach, under which computer security is a human right in the EU, enforced by the 1995 passage of the Data Protection Directive, which states that all personal information belongs to the individual and that personal data cannot be shared by a third party unless consent is given to gather and distribute it.
- Anthony Teelucksingh, United States Department of Justice, highlighted the challenges in Asia and developing countries, specifically the inconsistent, ad hoc approach many Asian countries take when addressing cyber security.
- Richard Baird, Senior Deputy United States Coordinator, International Communications and Information Policy, Department of State, identified two key elements — economic development and political stability — and how they relate to a country's implementation of cyber security laws and regulations. Regarding internet governance, Mr. Baird also suggested that the principal interlocutor for security has shifted to the United States, with other countries turning to the US for models and discussions regarding security enhancement.
- Drew Arena, Assistant General Counsel, Legal Compliance at Verizon, touched on the growing number of standards that global companies must comply with, and the political roles that industries play in the various governments.
The evening's discussion was spirited and raised a number of interesting points, including:
- Discussion of the EU approach to personal information security: computer security is a “human right”, and companies are required to prove in an audited way that they have obtained consent from the individual to use or sell their information, or they may face legal action; however, enforcement here is weak.
- Comments that Asia faces difficulty in achieving the “uniform” EU model for security policy; the differing governments and their ad hoc approach to security impede reaching a common policy. APEC – the Asia-Pacific Economic Cooperation – sponsors cyber security agents, and there is a definitive law enforcement perspective, both substantive and procedural; however, many countries lack the resources to train investigators to enforce these laws.
- An observation that the US takes a fundamentally different approach to security policy because the infrastructure is primarily owned by the private sector, whereas many countries have government-owned infrastructure. To that point, it could be argued that security policy may be “easier” to implement in countries where the infrastructure is owned by the government.
- It was suggested that the world is looking to the U.S., through forums such as WSIS, to define the future leadership responsibilities regarding internet governance in order to ensure a reliable and sustainable internet.
Given the diversity of views expressed at the symposium, CSIA will reconvene an international-level panel in the fall to further explore the issues that were discussed.