No cyber security without government imposed regulation

24 October 2013 - A Workshop on Security in Bali, Indonesia


As concluded from last year’s workshop #87 on 'Cross border cooperation in incidents involving (Internet) Critical Infrastructure', cyber security should be a priority but solely through self-regulation. This workshop takes off from this premise by staging a debate around the provocative title: cyber security is unattainable without government imposed regulation.

Cyber security as a standard is aimed inwards. How do I protect my property? Millions are invested in cyber securing organizations. At the same time these organizations bring products to the market with hardly any thought seemingly given to cyber security, providing new opportunities to cyber criminals, hackers, etc., and perpetuating cyber insecurity. Cyber security can be obtained through more secure products. That’s why standardized best cyber security practices need to be continuously implemented in the very diverse industries active on and around the Internet. This needs a preset understanding that is not commonly felt at present: a jointly accepted obligation to make and keep the Internet more secure and ensure a safer Internet experience for all end users.

We will discuss forms of cooperation between governments, industry and regulatory bodies that could enhance cyber security significantly in the coming years: building bridges for better cooperation and joint actions to enhance self-regulation and secure the Internet.


Several questions will be addressed. Does the present state of self-regulation lead to an acceptable level of cyber security? Are there examples of successful self-regulation and can these models be copied? How could sharing of best practices be encouraged? What makes regulation unacceptable? Are there forms of regulation that could be acceptable? Could an imposed and regulated "duty to care" make a difference? If a form of regulation could be agreed upon, what form should this take? Is the present form of regulation/regulatory bodies equipped for the 21st century Internet? If attaining security takes a global approach, how can a discussion be started in such a divided environment?