Mariana Hentea - Building an Effective Security Program for Distributed Energy Resources and Systems


Building an Effective Security Program for Distributed Energy Resources and Systems: summary, description and annotation


Build a critical and effective security program for DERs

This publication educates engineers on the design, implementation, and maintenance of a security program for distributed energy resources (DERs), smart grid, and industrial control systems. Building an Effective Security Program for Distributed Energy Resources and Systems provides a unified approach to establishing a critical security program for DER systems and Smart Grid applications. The methodology provided integrates systems security engineering principles, techniques, standards, and best practices.

The publication guides security professionals in learning the specific requirements of industrial control systems and real-time constrained applications. It also outlines the functions of the security program as well as the scope and differences between traditional IT system security requirements and those required for industrial control systems such as SCADA systems. This book:

Addresses the cybersecurity needs for DERs and power grid as critical infrastructure

Explores the assessment and management of security risks and ethical concerns

Offers a full array of resources: cybersecurity concepts, frameworks, and emerging trends

Security professionals and engineers can use Building an Effective Security Program for Distributed Energy Resources and Systems as a reliable resource that's dedicated to the essential topic of security for distributed energy resources and power grid. They will find standards, guidelines, and recommendations from standard organizations, such as ISO, IEC, NIST, IEEE, ENISA, ISA, ISACA, and ISF, conveniently included for reference within chapters.

Building an Effective Security Program for Distributed Energy Resources and Systems: online excerpt


Increasing difficulty for individuals to understand and make choices related to the uses of their personal data; the uses of personal data are becoming increasingly complex and nontransparent to individuals.

Advances in technology and changes in organizational practices, which have transformed occasional transborder transfers of personal data into a continuous multipoint global flow.

As a result of this environment, the security of personal data has become an issue of concern to governments, businesses, and citizens [OECD 2011]. The report shows that the volume of personal data being transferred over public networks and retained by organizations has changed the risk profile, potentially exposing larger quantities of data in a single data breach. A data breach is a loss, unauthorized access to, or disclosure of personal data as a result of a failure of the organization to effectively safeguard the data. Data breaches can be attributed to both internal and external factors as discussed in [OECD 2011]:

Internal factors include errors or deliberate malicious activity on the part of employees, as well as errors or malicious activity on the part of third parties that are involved in processing personal data on behalf of organizations. The risk of potential harm to individuals is from identity theft and from the misuse of their personal data. Organizations are impacted too: they face a substantial financial cost in recovering from the breach and fixing problems within the organization to prevent a recurrence; they may be subject to legal actions, including private actions or fines levied by various authorities, where allowed; and they incur costs to the organization's reputation and a loss of trust or confidence, which can have serious financial consequences.

External factors include intrusion from outside threat agents (e.g. malware); both organizations and individuals’ home computers and other devices are also at risk.

Other developments of recent years include:

A focus on finding common approaches to privacy protection at a global level, such as the development of international standards, as a response to the borderless nature of data flows, concerns around impediments to those flows, and the different cultural and legal traditions that have shaped the implementation of the privacy guidelines over the past 30 years.

Finding global solutions and a better understanding of different cultures' views of privacy and the social and economic value of transborder data flows may help to achieve this goal.

Seeking consensus on developing privacy protections in increasing numbers of countries besides OECD members.

Increased support from the global privacy community and commitment within international organizations, governments, and privacy enforcement authorities to addressing current challenges.

Many activities and policies for cybersecurity and privacy are supported by the Department of Homeland Security (DHS) in the United States [DHS 2016a]. One example is the policy of 2008 that declares the Fair Information Practice Principles (FIPPs) as the foundation and guiding principles of the DHS's privacy program. FIPPs are time‐tested and universally recognized principles that form the basis of the Privacy Act of 1974 and dozens of other federal privacy and information protection statutes. Also, a recent Executive Order [WH 2013] directs DHS to issue an annual report using the FIPPs to assess the Department's cyber operations under the Executive Order.

2.5.3 Protecting Cyberspace as a National Asset

In the light of the risk and potential consequences of cyber events, strengthening the security and resilience of cyberspace has become an important homeland security mission in the United States [DHS 2015]. However, emerging cyber threats require engagement from the entire American community to create a safer cyber environment – from government and law enforcement to the private sector and, most importantly, members of the public. Cybersecurity is a shared responsibility, as pointed out by DHS [DHS 2016b].

A framework for protecting the US infrastructure is described in [CERT 2003]. As pointed out in this document, securing cyberspace is an extraordinarily difficult strategic challenge that requires a coordinated and focused effort from our entire society – the federal government, state and local governments, the private sector, and the American people. The cornerstone of America's cyberspace security strategy is and will remain a public–private partnership. The strategic objectives are to:

Prevent cyber attacks against America's critical infrastructures.

Reduce national vulnerability to cyber attacks.

Minimize damage and recovery time from cyber attacks that do occur.

Strategies that the United States can use for cyberspace protection have also been described; they include the following objectives: establish a comprehensive strategy, maintain strong deterrents, strengthen public–private partnerships, avoid bureaucratic overreach, and forge an international consensus. These strategies can help policy makers make better‐informed decisions about how to properly defend the country from threats [Peritz 2010].

At the same time, it is recognized that the perimeter of information systems and networks is increasingly blurred and that, as a consequence, the management of risks and the protection measures should extend to the more global ecosystem level.

The analysis report [OECD 2012a] reveals the success of the guiding principles of [OECD 2002] to create a framework for security in an open digital world where participants reduce risk before accepting it, instead of avoiding risk by limiting interconnectivity. These guidelines have been adopted by OECD members and non‐OECD members. Responding to cybersecurity challenges has become a national policy priority in many countries. Gaps in the 2002 guidelines and new cybersecurity challenges are further analyzed in this report [OECD 2012c]. This report highlights many issues such as the following:

New national strategies to strengthen cybersecurity are pursuing a double objective: driving further economic and social prosperity by using the full potential of the Internet as a new source of growth and platform for innovation and protecting cyberspace‐reliant societies against cyber threats.

Governments are developing comprehensive approaches integrating all facets of cybersecurity into holistic frameworks covering economic, social, educational, legal, law enforcement, technical, diplomatic, military, and intelligence‐related aspects. The result is the elevation of this overall subject matter as a government policy priority and a higher degree of governmental coordination to develop strategies.

The scope of most strategies generally covers all information systems and networks, including critical information infrastructures that are not connected to the Internet.

Strategies generally lay out a narrative that varies across countries and leads to the introduction of various key objectives and concepts.

Most strategies recognize that cyberspace is largely owned and operated by the private sector and that policies should be based on public–private partnerships, which may include business, civil society, and academia. However, they place variable emphasis on this aspect.

While cybersecurity strategies share common concepts, there are still differences such as the concepts of cybersecurity and cyberspace that are not used by all countries.

Although strategies share fundamental values, some concepts are specific to some countries, such as the economic aspects of cybersecurity, the need for dynamic policies, and the emergence of sovereignty considerations.

Most strategies also stress the importance of the international dimension of cybersecurity and the need for better alliances and partnerships with like‐minded countries or allies, including capacity building of less developed countries; all countries support the establishment of stronger international mechanisms at the policy and the operational levels. In this respect, policy makers need to:
