Cybersecurity Due Diligence

Presentation transcript:

Cybersecurity Due Diligence: an ISP Perspective
Joanna Kulesza, October 27th, 2016

New challenges, old solutions? Let's start with some examples.


Cybersecurity challenge
Potential targets of cyberthreats?
- infrastructure and systems the malfunction of which imminently results in "significant" damage or puts a large number of individuals at risk
- the civil defense notion of "critical infrastructure" (means of mass transportation, water or electricity supplies and the like)

Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures (ECIs) and the assessment of the need to improve their protection, OJ L 345, 23.12.2008, p. 75–82
- provides guidelines on identifying elements of critical infrastructure and sets particular obligations on their operators, including running a risk analysis for particularly vulnerable assets
- sets obligations to provide the maximum level of security and resiliency of systems crucial for European security


Network and Information Security Directive (NIS Directive)


DIRECTIVE 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union
ANNEX II (essential services)
1. Energy: (a) Electricity; (b) Oil; (c) Gas
2. Transport: (a) Air transport; (b) Rail transport; (c) Water transport; (d) Road transport
3. Banking
4. Financial market infrastructures
5. Health sector
6. Drinking water supply and distribution
7. Digital infrastructure: IXPs; DNS service providers; TLD name registries

DIRECTIVE 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union
ANNEX III: TYPES OF DIGITAL SERVICES FOR THE PURPOSES OF POINT (5) OF ARTICLE 4
- Online marketplace
- Online search engine
- Cloud computing service

DIRECTIVE 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union
Key challenges:
- identifying critical infrastructure (a shared definition?)
- individual obligations of CI operators
- financial support for additional security measures
- exchange of information (scope, platform)

The principle of due diligence in international law
- a subsidiary principle of the law on state responsibility
- ILC (2006): "The notion of 'transboundary damage', like the notion of 'transboundary harm', focuses on damage caused in the jurisdiction of one State by activities situated in another State. (…) the non-fulfilment of the duty of prevention (…) could engage State responsibility without necessarily giving rise to the implication that the activity itself is prohibited."
- applicable to obligations of conduct (not ones of result)
- assessment based on state efforts to prevent significant transboundary harm ("all necessary measures")

Significant transboundary harm in international law
State responsibility is applicable only in cases of "significant" harm, i.e.:
- ILC (2006): "The term 'significant' is understood to refer to something more than 'detectable' but need not be at the level of 'serious' or 'substantial'."
- ILC (2001): "The term 'significant', while determined by factual and objective criteria, also involves a value determination which depends on the circumstances of a particular case and the period in which such determination is made."

Duty of prevention
- The risk of significant transboundary harm gives rise to a state duty of prevention: a best-efforts obligation to prevent such harm.
- Individual treaty regimes specify the details of this obligation in particular circumstances (e.g. environmental law, law of treaties, protection of aliens, space law, antiterrorist treaties).

International treaty practice
Usual references to "best available technologies" or "newest technological developments".
ILC (2006): "The State of origin is expected to perform the obligation of due diligence both at the stage of authorization of hazardous activities and in monitoring the activities in progress after authorization and extending into the phase when damage might actually materialize, in spite of best efforts to prevent the same. (…) Further, the State concerned should ever be vigilant and ready to prevent the damage as far as possible and when damage indeed occurs to mitigate the effects of damage with the best available technology."

The principle of due diligence
1. Good faith
2. Good neighborliness
3. Limits of state jurisdiction
4. Sustainable development
5. The obligation to take all necessary measures: a hypothetical model of a "good government", expected to enforce appropriate administrative and other procedures

The principle of due diligence
6. State efforts assessed against current technological advancements as well as the individual economic and technological situation of the state of origin
7. An obligation to exchange information, including consultations with potentially affected parties
8. No discrimination
9. A continuous obligation

A due diligence standard for cyberspace
Recommendation CM/Rec(2011)8 of the Committee of Ministers to member states on the protection and promotion of the universality, integrity and openness of the Internet (adopted by the Committee of Ministers on 21 September 2011 at the 1121st meeting of the Ministers' Deputies)

Recommendation CM/Rec(2011)8
Commitment to protect and promote the universality, integrity and openness of the Internet
1. General principles
1.1. No harm
1.1.1. States have the responsibility to ensure, (…)
1.1.2. (…), that their actions within their jurisdictions do not illegitimately interfere with access to content outside their territorial boundaries or negatively impact the transboundary flow of Internet traffic.
1.3. Due diligence
Within the limits of non-involvement in day-to-day technical and operational matters, states should, in co-operation with each other and with all relevant stakeholders, take all necessary measures to prevent, manage and respond to significant transboundary disruptions to, and interferences with, the infrastructure of the Internet, or, in any event, to minimise the risk and consequences arising from such events.


Human rights due diligence
The UN Protect, Respect and Remedy Framework (Ruggie principles)
The Principles refer to three basic tools aimed at ascertaining human rights enforcement vis-à-vis transnational companies:
1) states' obligation to protect human rights,
2) corporate responsibility for their protection,
3) accessibility of a legal remedy for victims of abuses caused by companies.
Contemporary international law does not permit putting international obligations directly onto private parties; therefore it is states who are obliged to assure that private companies operating under their jurisdiction, power or control meet the human rights standards set by international law.

Privacy due diligence

Questions to be considered
- Is there a due diligence standard for cybersecurity?
- Infrastructure operators' liability?
- An ISP liability fund?
- What are the consequences of the multistakeholder model?

Thank you
joannnakulesza@gmail.com