The Government Accountability Office identified 19 global organizations “whose international activities significantly influence the security and governance of cyberspace.”
The organizations range from information-sharing forums that are non-decision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. The groups address a variety of topics from incident response, the development of technical standards, the facilitation of criminal investigations to the creation of international policies related to information technology and critical infrastructure, the GAO stated.
From the GAO report:
- Asia-Pacific Economic Cooperation (APEC) is a cooperative economic and trade forum designed to promote economic growth and cooperation among 21 countries from the Asia-Pacific region. APEC’s Telecommunication and Information Working Group supports security efforts associated with the information infrastructure of member countries through activities designed to strengthen effective incident response capabilities, develop information security guidelines, combat cybercrime, monitor security implications of emerging technologies, and foster international cybersecurity cooperation.
- Association of Southeast Asian Nations (ASEAN) is an economic and security cooperative comprised of 10 member nations from Southeast Asia. According to the 2009-2015 Roadmap for an ASEAN Community, it looks to combat transnational cybercrime by fostering cooperation among member-nations’ law enforcement agencies and promoting the adoption of cybercrime legislation. In addition, the road map calls for activities to develop information infrastructure and expand computer emergency response teams (CERT) and associated drills to all ASEAN partners.
- The Council of Europe is a 47 member organization founded in 1949 to develop common and democratic principles for the protection of individuals. In 2001, the council adopted a Convention on Cybercrime to improve international cooperation in combating actions directed against the confidentiality, integrity, and availability of computer systems, networks, and data. This convention identified agreed-upon cyber-related activities that should be deemed criminal acts in countries’ domestic law. The US Senate ratified this convention in August 2006.
- The European Union is an economic and political partnership among 27 European countries. Subcomponents of its executive body-the European Commission-engage in cybersecurity activities designed to improve (1) preparedness and prevention, (2) detection and response, (3) mitigation and recovery, (4) international cooperation, and (5) criteria for European critical infrastructure in the information communication technology sector. The European Commission also formed the European Network and Information Security Agency (ENISA), an independent agency created to enhance the capability of its members to address and respond to network and information security problems. Several independent organizations within Europe develop technical standards. The European Committee for Standardization is to work to remove trade barriers for European industry and provide a platform for the development of European standards and technical specifications. The European Committee for Electrotechnical Standardization is a not-for-profit technical organization that is responsible for preparing voluntary standards for electrical and electronic goods and services in the European market. The European Telecommunications Standards Institute is also a not-for-profit organization that is responsible for producing globally applicable standards for information and communications technologies including those supporting the Internet.
- Forum of Incident Response and Security Teams (FIRST) is an international federation of individual CERTs that work together to share technical and security incident information. It includes over 220 members from 42 countries. The members’ incident response teams represent government, law enforcement, academia, the private sector, and other organizations. FIRST has also worked with multiple international standards organizations to develop standards for cybersecurity and incident management and response. In addition, FIRST uses the Common Vulnerability Scoring System as a standard method for rating information technology vulnerabilities, which helps when communicating vulnerabilities and their properties to others.
- The Group of Eight (G8) is an international forum that includes the governments of Canada, France, Germany, Italy, Japan, Russia, the United Kingdom, and the United States. The G8’s cybersecurity efforts are directed by the G8 Subgroup on High-Tech Crime, which seeks to prevent, investigate, and prosecute crimes involving computers, networked communications, and other new technologies. In 1997, the subgroup created the 24-7 High-Tech Crime Point-of-Contact Network, which lets law enforcement officials from countries-including those from outside the G8-quickly contact their counterparts in other participating nations for assistance with cybercrime investigations.
- The Institute of Electrical and Electronic Engineers (IEEE) is a professional association focused on electrical and computer sciences, engineering, and related disciplines. Its cybersecurity-related activities include the development of technical standards through the IEEE Standards Association, which follows consensus-based standards development processes. The IEEE Standards Association has been involved with the U.S. National Institute of Standards and Technology (NIST) to draft cybersecurity standards for electric utility control systems.
- The International Electrotechnical Commission (IEC) prepares and publishes international standards for electrical, electronic, and related technologies. Its membership includes national committees from over 70 nations, which are comprised of representatives from each country’s public and private sectors. The IEC and the International Organization for Standardization (ISO), through a joint technical committee (JTC), have developed information security standards for all types of organizations, including commercial enterprises, government agencies, and not-for-profit organizations. For example, ISO/IEC 27001:2005 addresses the development and maintenance of information security management systems and the security controls that protect information assets. According to the standard, ISO/IEC JTC 1 developed this international standard to be applicable to all organizations regardless of size.
- ISO is a nongovernmental organization that develops and publishes international standards through a consensus-based process involving a network of the national standards institutes of 162 countries with a Central Secretariat in Geneva, Switzerland, supporting the process. Its standards include those for traditional activities such as agriculture and construction, as well as those for the latest in information and communication technology. ISO is a part of the ISO/IEC JTC 1.
- The International Telecommunication Union (ITU) is a United Nations agency whose mission includes developing technical standards, allocating the radio spectrum, and providing technical assistance and capacity-building to developing countries. According to ITU, three sectors carry out these missions by promoting recommendations: the ITU-Telecommunication Standardization Sector (ITU-T), the ITU-Radiocommunication Sector (ITU-R), and the ITU-Telecommunication Development Sector (ITU-D). In addition, the ITU General-Secretariat provides top-level leadership to ensure that institutional strategies are harmonized across all sectors. ITU members include delegations from 191 nations, as well as more than 700 members from the private sector. The ITU has also developed technical standards for security.
- The Internet Corporation for Assigned Names and Numbers (ICANN) is the private, not-for-profit US corporation whose primary function is the coordination of the technical management of the Internet’s domain name and addressing system. According to ICANN officials, the corporation is overseen by a board of directors composed of 21 representatives, including 15 voting members and 6 non-voting liaisons. According to ICANN officials, it also performs the Internet Assigned Names Authority functions under contract to the Department of Commerce. The Internet Assigned Names Authority’s functions include coordination of the assignment of technical protocol parameters, performance of administrative functions associated with root zone management, and the allocation of Internet numbering resources.
- The Internet Engineering Task Force (IETF) is a technical standards-setting body responsible for developing and maintaining the Internet’s core standards, including the DNS protocol and its security extensions and the current and next-generation versions of the Internet Protocol. According to government officials, the core standards the IETF develops define, on a basic level, how the Internet operates and what functions it is capable of performing. It is a voluntary, consensus-based standards body, whose participants include network operators, academics, and representatives of government and industry, among others.
- The 2005 World Summit on the Information Society’s Tunis Agenda mandated that the UN Secretary-General create the Internet Governance Forum (IGF) as a venue to discuss public policy issues related to key elements of Internet governance. The IGF’s broad membership and emphasis on information exchange enable it to serve as a uniquely important forum for foreign governments, the private sector, civil society organizations, and individuals to engage in open discussion without being preoccupied with advocating a particular policy outcome. Although the annual meetings do not directly result in standards, recommendations, or binding agreements, ideas generated by IGF can contribute to outcome-oriented efforts at other international organizations.
- INTERPOL, the world’s largest international police organization, was created to facilitate cross-border police cooperation. It collects, stores, analyzes, and shares information related to cybercrime between its 188 member countries through its global police communications system. It is also responsible for coordinating operational resources such as computer forensic analysis in support of cybercrime investigations. Further, INTERPOL has a network of investigators in national computer crime units to help law enforcement seize digital evidence as quickly as possible and facilitate cooperation when a cyber attack involves multiple jurisdictions. To develop strategies for emerging cybercrime methods, it assembles groups of experts into regional working groups that harness the regional expertise available in Europe, Asia, the Americas, the Middle East, and North Africa.
- Founded in 2005, the Meridian Conference and Process aims to exchange ideas and initiate actions for government-to-government cooperation on critical information infrastructure protection issues globally. An annual conference and interim activities are held each year to help build trust and establish relationships within the membership to facilitate sharing of experiences and good practices on critical information infrastructure protection from around the world. Participation in the Meridian Process is open to all countries and aimed at senior government policy-makers. DHS’s National Protection and Programs Directorate’s Office of Cyber Security and Communication hosted the 2009 Meridian Conference, which brought together more than 100 participants from 40 countries.
- The North Atlantic Treaty Organization (NATO) is an alliance of 28 countries from North America and Europe.15 NATO approved a Cyber Defense Policy in January 2008 to provide direction to its member nations to protect key information systems and support efforts to counter cyber attacks. Specifically, the policy establishes the Cyber Defense Management Authority, which has authority for managing cyber defense crises, to include directing the NATO Computer Incident Response Capability.
- The Organization of American States (OAS) is an organization comprised of 34 independent nations in North, Central, and South America, as well as island nations in the Caribbean. In 2004, the OAS member states adopted the Inter-American Comprehensive Strategy for Cybersecurity. The strategy identifies cybersecurity as an emerging threat to OAS member states and requires three OAS entities to take action to address different aspects of cybersecurity. Specifically, the strategy directs the Inter-American Committee against Terrorism (CICTE) to develop plans for the creation of a hemisphere-wide, 24-hours-per-day, 7-days-per-week network of Computer Security Incident Response Teams.
- The Organization for Economic Cooperation and Development (OECD) is an intergovernmental organization composed of 31 democratic countries.17 Member countries’ governments can compare policy experiences, seek answers to common problems, identify best practices, and coordinate domestic and international policies. The OECD Working Party on Information Security and Privacy (WPISP) uses a consensus-based process to develop policy options to address the security and privacy implications of the growing use of information and communication technologies. In addition to developing policy analysis, OECD is responsible for making recommendations designed to improve the security and privacy of its member countries.
- The UN is an international organization with 192 member countries founded in 1945 and chartered to maintain international peace and security, develop friendly relations among countries, and promote social progress, better living standards, and human rights. The General Assembly, which provides a forum for discussing and adopting resolutions on cyberspace-related issues and raising international cybersecurity awareness, is the UN’s chief deliberative, policymaking, and representative body. Other organizational entities within the UN, such as the Office on Drugs and Crime, are additional forums where member countries can discuss approaches for transnational issues, including cybercrime.
Within the US there are of course multiple agencies such as the National Security Council, Department of Commerce, Department of State and others that help in the formulation, coordination, implementation, and oversight of international efforts that can impact cyberspace security and governance, the GAO stated.