Synopsis 01: From 1st to 3rd Generations (the evolution) of cybersecurity practices at the institutional level in the 21st century
The first documented cybercrime is usually dated to 1834, the so-called hacking of the French telegraph system, in which attackers with a financial motive abused the French optical telegraph to obtain market information ahead of the public and profit from it. From then to the present there have been countless cybercrime incidents involving information systems and networks, smart devices and hardware, the software running on any computational system, the information stored in or transiting through IT products, IT services and IT processes, operating systems and applications (on desktops, servers, laptops, tablets and mobiles), and any IT service or system connected directly or indirectly to a network or to the Internet of Things (IoT). Extrapolating from historical data and patterns, cybersecurity analysts have estimated that cybercrime will cost about USD 6 trillion annually from 2021 onward.
To counter this, the British Standard BS 7799 was introduced (first published in 1995, with its second part following in 1999), based on an information security policy manual first developed by the Royal Dutch/Shell Group in the late 1980s and early 1990s. Since then, securing cyberspace has become a standard practice in many institutions. From my research, these ongoing developments in cybersecurity practice can be categorized into the following three generations:
(1) 1st generation, based on the ISO/IEC 27000-series standards, which provide industry best practice (not legally binding) for an information security management system (ISMS), covering confidentiality, integrity and availability (the well-known CIA principles, which go beyond the general practice of privacy in the context of an ISMS) as they arise in cybersecurity. The series currently contains on the order of 49 standards, each subject to a systematic review on a 5-year cycle. IT IS VERY IMPORTANT to note that these standards mainly say WHAT to achieve but do not necessarily say HOW to secure cyberspace. The result is diversified rather than univocal and harmonized cybersecurity practice: each institution applies its own practices to reach the same goal. That leaves a GAP where a common cybersecurity practice framework should be.
(2) 2nd generation, based on the Convention on Cybercrime, known as the Budapest Convention on Cybercrime, adopted on 8 November 2001 and in force since 1 July 2004. This is the first legally binding international instrument regulating cybercrime, drawn up by the Council of Europe in Strasbourg, and it secures cyberspace within the 64 countries that have ratified it. It covers, among many other things, computer-related fraud, violations of network security, and crimes committed via the internet and other computer networks. Subsequently, the European Union Agency for Cybersecurity (ENISA) was established at the EU level by Regulation (EC) No 460/2004. Directive 2013/40/EU then defined several categories of attack against information systems as criminal offences. Further on, the EU adopted the NIS Directive (Directive (EU) 2016/1148), which introduced a legal obligation to report major cybersecurity incidents to the competent authority or the Computer Security Incident Response Team (CSIRT) in each EU member state. In Luxembourg this operational role is performed by the Computer Incident Response Center Luxembourg (CIRCL) (http://www.circl.lu/) and its team. However, like the 1st generation above, these legal instruments do not specifically say how to implement cybersecurity measures; they say what must be achieved and reported. That leaves the same GAP as mentioned above.
(3) 3rd generation, based on recent legal developments in the area of cybersecurity in the EU. Most prominently, the EU Cybersecurity Act, Regulation (EU) 2019/881, referred to here as EU Level-1 legislation, gave ENISA a permanent mandate and the legal powers needed to assist the European Commission (EC) in producing the EU Level-2[1] legislation that implements an EU-wide cybersecurity certification framework for ICT products, ICT services and ICT processes. This aims to fill the GAP identified above and thereby to harmonize cybersecurity practice throughout the EU single market with common means and ends, because this set of legal instruments specifies how risk-based cybersecurity is to be put into practice and measured.
In my view, this will significantly affect the legal and regulatory operational aspects of cybersecurity in the EU and in Luxembourg (LU).
[1] Understanding the distinction between EU Level-1 and Level-2 legislation is vital in this context. EU Level-1 legislation is produced by policymakers or EU-level legislators (mostly politicians) and mainly states what legal rules are to be implemented, applying legal principles such as the principle of proportionality and the principles of maximum and minimum harmonization. EU Level-2 legislation is entirely based on the Level-1 text and mainly contains the technical detail, produced by domain experts rather than politicians, on how to implement the legal rules specified at Level 1. In the cybersecurity domain, for example, the EU legislators produced the Level-1 legislation, the EU Cybersecurity Act (Regulation (EU) 2019/881), and the EC, with the help of ENISA, is now preparing the Level-2 legislation that sets out the technical details of how that regulation is to be implemented.
Comment from a Program Manager at Wildlife Conservation Society: Good job Dr. Mizanur Rahman! Hope you are doing well.