Technical and Legal Criteria for Assessing Cloud Trustworthiness
NIGEL CORY | APRIL 2024
Global data and technology governance will be challenging without cooperation on cloud trustworthiness. Policymakers should avoid simplistic assessments based on nationality and instead develop more holistic assessments based on legal and technical criteria.
KEY TAKEAWAYS
- Concerns about trusting cloud services have existed since their creation, but recent concerns about governments compelling access to cloud firms’ data and services are leading to misguided knee-jerk reactions based on nationality.
- Focusing solely on a firm’s nationality without considering how a firm or its home country contributes to or detracts from cloud trustworthiness does little to enhance cloud cybersecurity and data privacy and create an open and competitive cloud market.
- China looms over cloud trustworthiness assessments, but it’s much broader. G7 and like-minded countries have a mixed record with policies that both fracture the cloud and provide the basis for a more cooperative approach to cloud trustworthiness.
- Policymakers at the G7, OECD, and elsewhere should establish technical and legal criteria for evaluating cloud trustworthiness rather than relying on vague national security and intelligence concerns.
- If countries trust each other in contexts such as defense, intelligence, law enforcement, and trade, but they don’t trust each other’s cloud firms, then how are they supposed to work together, and with third countries, on other tech issues?
- A diverse set of legal and technical criteria gives firms, and their host countries, a clear goal to work toward. Concerns about cloud trustworthiness are global and not just an issue for the European Union, the United States, and China.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | APRIL 2024
CONTENTS
Key Takeaways
Introduction
Trusted Cloud Is Critical to Global Data, Cybersecurity, and Technology Governance
Country Case Studies
Australia’s Critical Infrastructure Act and How One Problematic Firm Shaped It
Costa Rica’s Trusted Supplier Decree Uses the Budapest Convention as a Criterion to Assess 5G Trustworthiness
The Czech Republic Uses EU and NATO Membership, Plus Other Criteria, to Assess 5G Trustworthiness
The European Union’s Cloud Cybersecurity Regime and Its Sovereignty Requirements
France’s Discriminatory Cloud “Sovereignty” Requirements
Germany’s Information Security Law Uses Several Non-technical Criteria to Assess Trustworthiness
India’s Evolving Cloud Cybersecurity Certification Scheme and Its Efforts to Target Chinese Hardware, Software, and Data
Korea’s Unprecedented Public Sector Cloud Restrictions
Romania Uses Strategic Partnerships as Criteria to Assess 5G Trustworthiness
The United Kingdom’s Investigatory Powers Act Undermines Cloud Trustworthiness
The United States’ Problematic Clean Network and Cloud Initiatives and Proposed Expansion of Data Localization in FedRAMP
Technical and Legal Criteria for Assessing Trusted—and Untrusted—Cloud Service Providers
International Standards Are Foundational to Cloud Cybersecurity and Trustworthiness
Cloud Cybersecurity Certifications Are Critical Points of Commonality and Conflict
Map and Work to Align Technical Controls and Standards, Audits, and Cloud Certification Requirements
Government Access to Data: Assessing Legal Frameworks and What Happens in Practice
Transparency Reports About Government Requests for Data Provide Critical Transparency and Data on Cloud Trustworthiness
Government Operational Control Over Cloud Services
Cooperation With Cybersecurity Authorities Demonstrates Cloud Trustworthiness
Legal Criteria to Assess Geopolitical Risks and Cloud Trustworthiness
The OECD’s Data Free Flow with Trust Secretariat Should Be the Forum for Trusted Cloud Discussions
Conclusion
Endnotes
INTRODUCTION
Concerns about trusting cloud services have existed since their creation.[1] Growing geopolitical tension, coupled with the cloud’s pivotal roles in data privacy and cyber and national security, are prompting policymakers worldwide to address the numerous challenges posed by cloud services. However, many policymakers rely on misguided, knee-jerk assessments that equate local ownership with trustworthiness.[2] Focusing solely on a firm’s nationality without considering how a firm or its home country contributes to or detracts from cloud trustworthiness does little to enhance cloud cybersecurity and data privacy and create an open and competitive cloud market. Moreover, it undermines trade, cybersecurity, and national security cooperation between like-minded countries—such as G7 members (Canada, the European Union, France, Germany, Italy, Japan, the United Kingdom, the United States), Australia, Singapore, Japan, Korea, and India—by implying they distrust their trading partners’ cloud firms. While concerns regarding China’s control over its cloud and tech firms are growing, efforts to address the fundamental issue of cloud trustworthiness among the G7 and like-minded partners are lacking. Without collaborative efforts among like-minded countries to tackle the issue of cloud trustworthiness, establishing trusted data flows and governance will be challenging.
Policymakers have long been concerned about governments compelling cloud firms to surrender data for various purposes such as surveillance, law enforcement, and political suppression. Key initiatives aimed at addressing this issue include the European Union-United States Transatlantic Data Privacy Framework and its preceding agreements. Recently, policymakers have shifted their focus to the potential control exerted by foreign adversaries over the operational workloads provided by cloud firms to government and critical infrastructure sectors, particularly in the event of a major cyber incident or conflict. For example, U.S. cyber and national security officials are concerned that China could “flick the switch” to turn off or disrupt China-connected cloud and information technology (IT) services for both government and commercial services in the event of war.[3]
This points to an end scenario wherein the United States opts for technology sovereignty in pushing for a China-free ecosystem instead of adopting a risk-based approach that uses targeted mitigating actions to address the underlying issues, such as creating a secure environment to manage risks (e.g., well-managed updates, visibility and monitoring of network communications, pushing for equipment to use an open software stack so software can be interchangeable, etc.). China already pushes for a China-only technology system. The difference is that the United States and other like-minded countries greatly support, and benefit from, an open global digital economy. If the United States and everyone else pushes for their own technology system, everyone loses in terms of the negative impact it’ll have on trade, innovation, cybersecurity cooperation, and efforts to build trusted data and technology governance.
Getting the United States, the European Union, and other G7 countries, as well as other trade and security partners such as Australia, Korea, and India, to collaborate on cloud trustworthiness will be challenging due to problematic cloud policies. The United States is considering expanded data localization requirements as part of the Federal Risk and Authorization Management Program (FedRAMP) cloud cybersecurity certification system that federal government agencies use to procure cloud services. France and other EU member states also want data localization alongside other problematic “sovereignty requirements,” such as local ownership and control, as part of an EU cloud cybersecurity regime. Korea forces firms to use dedicated (not hybrid or public) cloud services that must store data locally and only use local staff, encryption algorithms, and equipment certifications. Australia set a precedent that even China hasn’t done in giving its signals intelligence agency (also a leading cybersecurity agency) step-in powers to assume control of cloud providers and the power to force firms to install software in certain situations, without giving firms clear avenues to seek an independent review of decisions or avenues for legal appeal. Similarly, the United Kingdom prevents firms from publicizing requests they’ve received for data or to take certain action and does not provide transparency reports about the number and types of requests it makes of firms. This restricted and opaque process is exactly what animates fears about China’s approach to accessing data.
Whether it’s in China, France, or the United States, data localization is a misguided policy—even in the case of government data and services. Localization does not improve data privacy or security. The security of data depends primarily on the technical and physical controls used to protect it.
G7 and like-minded countries have laws, regulations, initiatives, and agreements that also provide a foundation for building a common approach to assessing cloud trustworthiness. Estonia is pushing for “trusted connectivity,” which is the goal to do business with partners according to common interests, democratic values, and high regulatory and social standards.[4] The United States, Germany, Australia, and 28 other countries have adopted the Prague Proposals on 5G, which are a set of technical and non-technical recommendations on risks when planning, building, launching, and operating 5G infrastructure around the world.[5] Elsewhere, the Common Criteria Recognition Arrangement (CCRA, involving over 31 countries) is one of the few globally recognized programs for mutual recognition (there are accredited labs in multiple countries) for evaluating the security of IT equipment and services.[6] Major cloud providers including Amazon, Google, Microsoft, SAP, and CISCO set out “Trusted Cloud Principles” on issues relating to data, going to customers to request data, cross-border data flows, and addressing conflicts in law.[7] The Organization for Economic Cooperation and Development’s (OECD’s) member countries negotiated the Declaration on Government Access to Personal Data Held by Private Sector Entities (also known as the Trusted Government Access to Data Initiative) to improve trust in cross-border data flows by clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks.[8] The Data Free Flow With Trust initiative, and its new secretariat at the OECD, provides a ready home for detailed discussions and research into how to build common approaches to trusted cloud.
Cloud trustworthiness assessments should involve both technical and legal criteria. Firms that use best-in-class technical controls and international technical standards, issue transparency reports about government requests for data, and cooperate with local cybersecurity agencies are demonstrating a variety of data points that positively define cloud trustworthiness. Likewise, whether countries have relevant data, cybersecurity, and privacy laws, regulations, and cloud cybersecurity practices and certifications are all data points to assess the behavior of a firm’s home government.
Cloud trustworthiness is not a purely technical issue, as political and security factors, such as the behavior of a firm’s home government, also define the security context that cloud firms operate in.[9] In particular, policymakers are concerned with China’s potentially broad, arbitrary, and opaque ability to access data and control its tech firms. However, policymakers should avoid mirroring China’s approach if they want to demonstrate that they’re different and better than China in regard to data privacy and security and to set the benchmark for what other countries around the world should aim for. Legal criteria to assess geopolitical risks should be specific and detailed. Policymakers can refer to international security, law enforcement, trade, and cybersecurity agreements as data points to demonstrate the trustworthiness of a cloud firm’s home government, for example, whether countries are party to relevant multilateral cyber and law enforcement agreements and initiatives, such as the Budapest Convention and the OECD Trusted Government Access to Data initiative. It’s also fair to assess a cloud firm’s relationship with its home government. For example, Germany’s Information Technology Law 2.0 assesses a nation’s potential control over cloud and whether it’s a part of a security defense agreement, namely, the North Atlantic Treaty Organization (NATO).
G7, OECD, and other policymakers should establish a specific set of criteria for evaluating cloud trustworthiness rather than relying on vague national security and intelligence concerns, which often lack clarity and fail to address what firms and countries should do. This approach can be misused for protectionist purposes and other agendas. A positive and detailed list of criteria gives firms, and their host countries, a clear goal to work toward, as concerns about cloud trustworthiness are global and not just an issue for the EU, the United States, and China. Cooperation on cloud trustworthiness is much broader than just government procurement and critical infrastructure and raises significant economic, trade, and technology interests, as restrictive cloud measures can easily impact the broader digital economy.
G7, OECD, and other like-minded countries should establish specific positive and negative criteria to evaluate cloud trustworthiness rather than relying on vague national security and intelligence concerns.
This report begins by detailing why cooperation on trusted cloud is foundational to both cybersecurity best practices and technology’s growing role in foreign affairs, because if countries that trust each other in other contexts—such as defense, intelligence, law enforcement, and trade—don’t trust their respective cloud firms, how are they supposed to work together and with third countries on related issues, such as data governance and cybersecurity? The report then analyzes country case studies to highlight both constructive and problematic policies that are instructive when considering how like-minded countries should work together to develop criteria for cloud trustworthiness—and in doing so, hopefully lead countries to reconsider problematic policies. The report then analyzes a series of technical and legal criteria to consider when assessing cloud trustworthiness. This includes the use and development of new technical standards; mapping of technical controls, standards, audits, and cloud certification requirements; the critical issue of government access and operational control over data and cloud services; and cooperation with local cybersecurity authorities, among others.
A summary of the recommendations:
- Policymakers should use international technical standards to provide detailed and common definitions, concepts, use cases, and criteria to assess cloud trustworthiness and address issues associated with cloud cybersecurity, trust, and risk.
- Policymakers should conduct a mapping exercise across cloud cybersecurity regimes to identify and use common technical controls and standards. This would allow discussions about how to build alignment and interoperability, and ideally mutual recognition, between different systems so that firms that undergo an audit in one country can use this to demonstrate compliance in other countries. This would reduce regulatory compliance and improve cloud cybersecurity and competition in cloud markets.
- Governments from like-minded countries should assess whether a country has an independent judiciary and rule-of-law regime to assess the risks of domestic and extraterritorial government access to data held by cloud firms. Combined with an assessment of a country’s privacy, cybersecurity, and surveillance laws, this provides a holistic picture as to whether there are constraints on government powers in relation to government access to data held by cloud firms.
- Cloud firm and government transparency and openness in and around government requests for data builds trust. Policymakers should set the right example in ensuring that national security and other laws don’t prevent firms from reporting government requests for data. Policymakers should work with cloud firms to develop a common template for transparency reports they provide on the number and types of requests and their response to government requests for data around the world.
- Policymakers should use international security, defense, data privacy, law enforcement, and cybersecurity agreements as positive legal and geopolitical criteria to assess whether a cloud provider’s home country should be considered trusted. These agreements address the central concern about how governments behave in relation to cloud services and provide clear evidence about the compliance of legal norms, principles, and customs by which a cloud supplier is legally bound.
- Policymakers should develop common criteria, and improved transparency, to determine whether there is clear and demonstratable legal and operational separation or interdependence between a firm and its home country government.
- Policymakers should consider cooperation with local cybersecurity authorities as a demonstrated feature of trusted cloud firms. Likewise, whether countries have constructive and meaningful cybersecurity cooperation and agreements should be a consideration for assessing whether a cloud firm’s home country can be trusted vis-à-vis their home cloud firms.
- G7 countries should create a dedicated workstream on trusted cloud criteria as part of the newly established OECD-based secretariat for the Data Free Flow With Trust initiative.
TRUSTED CLOUD IS CRITICAL TO GLOBAL DATA, CYBERSECURITY, AND TECHNOLOGY GOVERNANCE
The cloud plays a crucial role in the global digital economy, impacting broader concerns such as trusted data flows, governance, and digital trade. Cloud trustworthiness becomes increasingly significant amid geopolitical tensions and the migration of critical infrastructure sectors to the cloud. It will only grow more contentious, for example, as countries consider extending lawful intercept requirements beyond traditional telecommunication services to cloud services and enact new laws and regulations that target the cloud as part of updated intelligence and national security laws.[10]
Global cybersecurity cooperation relies on public-private collaboration and information sharing. This will only be made more difficult than it already is—given existing cloud market access and data transfer restrictions in countries—if countries use broad and vague concerns about trustworthiness as another tool to target cloud firms.[11] Cloud firms need market access and data transfers to seamlessly map global threat patterns against domestic ones or trace signs of malicious activity from global networks onto domestic ones.[12] Likewise, public-private incident analysis and responses will be made more difficult, if not impossible, if cloud firms from trusted partners are excluded from a country’s market.
Restrictions on cloud providers from otherwise trusted partners undermine the cloud’s increasing significance in foreign, technology, and economic policy. It’s contradictory for countries to trust each other with national defense while distrusting each other’s cloud firms. How can G7 and like-minded countries cooperate on data privacy, cybersecurity, and other issues if they lack trust in each other’s cloud providers, especially in global and third-country engagements? Whether in the U.S.-EU, EU/U.S.-Africa, or other bilateral and regional contexts, mutual trust is essential for collaboration on global digital and cyber issues. For instance, while the United States and EU aim to engage third-country governments on trusted ICT infrastructure, France’s (and potentially the EU’s) cloud cybersecurity regulations may not trust U.S. cloud firms. Collaboration on cloud trustworthiness is crucial for United States, EU, and other partners in trade and security efforts to establish global data and digital governance and deter malicious actors in cyberspace.[13]
It’s contradictory for countries to trust each other with national defense while distrusting each other’s cloud firms. Restrictions on cloud providers from otherwise trusted partners undermine their ability to build trusted data, technology, and digital trade governance.
Getting cloud cybersecurity and trust frameworks wrong also entails significant economic costs. The European Center for International Political Economy estimates that discriminatory data localization and nationality requirements (so called “sovereignty” requirements) in the European Cybersecurity Certification Scheme for Cloud Services would lead to estimated losses for EU member economies in annual gross domestic product (GDP) from $31 billion to $659 billion within two years of implementation, depending on the extent of restrictions.[14] While cloud trustworthiness is just one of several rationales China uses to restrict U.S. firms from accessing its cloud market, the Information Technology and Innovation Foundation (ITIF) conservatively estimates (based on market-share comparisons) that Amazon’s and Microsoft’s cloud services (delivered as Infrastructure as a Service, or IaaS, which is restricted in China) lost a combined $1.6 billion in forgone revenue over the two-year period from 2017 to 2018.[15] While U.S. firms may never get the same fair and equal market access as Chinese firms get in the United States, the estimate is indicative of the economic impact if other countries are allowed to use broad and opaque concerns about cybersecurity and nationality to simply block access to their cloud markets.
COUNTRY CASE STUDIES
China is not alone in using broad and vague cybersecurity requirements as cover to discriminate against foreign firms due to their nationality.[16] These case studies include both problematic and constructive policies from countries that are interested and engaged in efforts to build trusted IT infrastructure and governance, such as with the cloud. Some case studies focus on trustworthiness policies related to the use of 5G. The case studies are instructive in considering positive and negative criteria to define trusted and untrusted cloud services.
Australia’s Critical Infrastructure Act and How One Problematic Firm Shaped It
Cyberattacks on critical infrastructure are a recurring issue in Australia, mirroring global trends. The Australian Cyber Security Centre reported that one-quarter of reported cyber incidents in 2020 and 2021 were associated with Australia’s critical infrastructure or essential services.[17] A specific cybersecurity situation also had a major impact on the law. The Australian government’s response—the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act)—includes both problematic and commendable policies that are useful when developing a comprehensive approach to assessing cloud trustworthiness.[18]
Australia’s SLACIP Act does some things well. It aligns certain key definitions of critical infrastructure with those used by the EU and the United States. It requires firms that are subject to the legislation to provide annual reports to the government regarding their risk management programs. It also provides powers to government agencies with cybersecurity capabilities, such as the Australian Signals Directorate (ASD, Australia’s signals intelligence agency, which is also responsible for information security), to help firms (which often lack either the capacity or specific capabilities) to respond to major cyber incidents.
No other country, including China, has coercive and emergency step-in powers like those of Australia’s SLACIP Act, which allows the government to compel a firm to install software on corporate systems and for (as a last resort) Australia’s Signals Directorate to step in and control a firm.
However, the SLACIP Act has also created coercive requirements and emergency step-in powers that are broad and unprecedented—no other country, including China, has done what Australia has done with the SLACIP Act. The new powers are rife with the potential for unintended consequences, as China and others could easily copy and misuse these powers to control local cloud providers and their data and services.[19] The SLACIP Act allows the government to compel a firm to install software on corporate systems that are deemed to be of national significance. However, the legislation does not provide broad enough protections to companies subject to this power from any damages or legal liability arising from the compelled installation of software. The legislation lacks critical safeguards and limitations, such as allowing firms to seek judicial redress or receive an independent review of the security, technical feasibility, and necessity of the software to be installed. The legislation creates transparency and reporting requirements on firms subject to the legislation, which is generally fine, but it does not reciprocate by requiring the government to report on how it uses its new powers.
The SLACIP Act’s strongest, and most problematic, powers allow ASD to step in and control a firm subject to the legislation, including cloud services. This is meant to be a measure of “last resort” in circumstances where a cybersecurity incident has, is, or is likely to impact a critical infrastructure asset and th