CYBERSECURITY STRATEGY, LAW AND POLICY

protecting critical infrastructure through vulnerability coordination and a better understanding of what threats currently exist. The same coordination of vulnerabilities is beneficial to any entity, public or private, that wants to reduce cyber-attacks. To that end, the NCCIC has developed a five-step process, illustrated in Figure 2, to act as the framework that ends in vulnerability disclosure (Department of Homeland Security, n.d.).

Figure 2: NCCIC Vulnerability Coordination

In addition to its primary objective of vulnerability coordination between the public and private sectors, the NCCIC provides an Advanced Analytical Laboratory, Cybersecurity Evaluation Tools, Site Assistance and Evaluations, and Training (Department of Homeland Security, n.d.). This road is not a one-way street, however: information sharing in the opposite direction, from private organizations to the government, has historically been difficult to manage from a legal perspective. Even with all the offerings that the NCCIC brings to the table to incentivize private sector participation and coordination, privacy and civil liberty concerns led to the failure of initial attempts to pass CISA as an amendment to the National Defense Authorization Act (Mitchell, 2015). Taking this into consideration, it is probably for the best that participation from the private sector remains voluntary and that the NCCIC continues to provide services that benefit both groups going forward.

Private Sector Organizations

Just as cyber threats are not limited to the public or private sector, they are also not limited to the borders of the United States of America. The political conversation that led to American attempts to balance individual privacy concerns against the threat of cybercriminals has played out in different ways throughout the world. Most notably, the General Data Protection Regulation (GDPR), which governs the personal data of individuals in the European Union and the European Economic Area, recognized the value of digital information in a manner similar to CISA, but codified into law a very different solution, one grounded in the perspective of an individual's right to privacy (GDPR, n.d.). To achieve this objective, the GDPR separates the handling of personal data between two roles. The Data Controller is the party that determines the purposes and means of processing, and it carries the bulk of the obligations: it must implement technical and organizational safeguards, such as pseudonymisation, so that personal data cannot be directly tied to a real identity; it must ensure that the most privacy-protective settings are enabled by default unless the individual gives explicit, informed consent to broader processing; and it must disclose the collection of data, justify the purpose of the processing, and inform individuals how long the data will be retained and whether it will be shared with third parties (GDPR, n.d.). The Data Processor is a party that processes personal data on the controller's behalf; it may act only on the controller's documented instructions and is bound to the same safeguards through a written contract with the controller (GDPR, n.d.).