Accepted Manuscript

Government regulations in cyber security: Framework, standards and

recommendations

Jangirala Srinivas, Ashok Kumar Das, Neeraj Kumar

PII: S0167-739X(18)31675-3
DOI: https://doi.org/10.1016/j.future.2018.09.063
Reference: FUTURE 4498

To appear in: Future Generation Computer Systems

Received date : 16 July 2018

Revised date : 27 August 2018
Accepted date : 27 September 2018

Please cite this article as: J. Srinivas, et al., Government regulations in cyber security: Framework,
standards and recommendations, Future Generation Computer Systems (2018),
https://doi.org/10.1016/j.future.2018.09.063

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to
our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form.
Please note that during the production process errors may be discovered which could affect the
content, and all legal disclaimers that apply to the journal pertain.
 Government Regulations in Cyber Security: Framework,
Standards and Recommendations
Jangirala Srinivasa , Ashok Kumar Dasb , Neeraj Kumarc
a Jindal Global Business School, O. P. Jindal Global University, Haryana 131001, India
E-mail: sjangirala@jgu.edu.in, getsrinunow1@gmail.com
b Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India
E-mail: iitkgp.akdas@gmail.com, ashok.das@iiit.ac.in
c Department of Computer Science and Engineering, Thapar University, Patiala 147 004, India

E-mail: neeraj.kumar@thapar.edu

Abstract
Cyber security refers to the protection of Internet-connected systems, such as hardware, software as well as data (information)
from cyber attacks (adversaries). A cyber security regulation is needed in order to protect information technology along with
computer systems with the purpose of compelling various organizations as well as companies to protect their systems and
information from cyber attacks. Several cyber attacks are possible, such as viruses, phishing, Trojan horses, worms, Denial-of-
Service (DoS) attacks, illegal access (e.g., stealing intellectual property or confidential information) as well as control system
attacks.
In this article, we focus on importance of various standards in cyber defense, and architecture of cyber security framework.
We discuss the security threats, attacks and measures in cyber security. We then discuss various standardization challenges in
cyber security. We also discuss about the cyber security national strategy to secure cyberspace and also various government
policies in protecting the cyber security. Finally, we provide some recommendations that are critical to cyber security and cyber
defense.
Keywords: Cyber security, Cyber attacks, Information security, Government policies, Standards.

1. Introduction tendency for criminals to select business and high-net-worth

consumers.
In recent years, the cyber security has gained a lot of at- Recently, the evolution of mobile banking was discussed
tention in the research community. The cyber security makes by Wazid et al. [3]. Various threats associated with mobile
protection of information systems, such as hardware, software banking as well as some of the most recent mobile banking
and related infrastructure, data on these systems and the ser- malware attacks are also discussed in [3]. Finally, a review of
vices provided by these systems, which can be done by illegal recent security solutions for enabling secure, mobile banking
access by adversaries (intruders or attackers), and also can be was also presented, mainly on user authentication problems
caused by harm or misuse. Sometimes, intentionally a harm and their solutions.
can be caused by an operator of the system. Therefore, either
intentional or accidental harm can result in failing to obey the 1.1. Importance of standards in information security and cy-
security procedures [1]. ber defense
According to a review conducted in 2016 including the sig- In this section, we discuss the importance of various stan-
nificant stakeholder engagement and evidence gathering from dards needed in both information security and cyber defense.
a wide range of sources, it was pointed out that there is re- The following important reasons are behind the develop-
quirement for additional regulation or inducements to lift the ment of standards, which play a crucial role in enhancing ap-
cyber risk management across various essential services, such proaches to information security across various geographical
as critical national infrastructure [2]. The concern raised from regions and also the communities.
this review was to deal with the growing threat from various
cyber attacks with probable implications for consumer confi- • Improve the efficiency and effectiveness of key processes.
dence, public protection as well as economic growth. Consider
• Facilitate the systems integration and interoperability.
the Internet banking fraud, which includes dishonest payments
taken from the bank accounts of a customer with the help of • Entitle various products or methods, which need to be
the Internet banking procedure. According to the report in [2], compared significantly.
such banking fraud jumped up by 64% to £133.5m in the year
2015. It is mentioned that the number of such fraud cases is • Provide a means for users to evaluate new prod-
increased at a lower rate of 23% and there was a significant ucts/services.
Preprint submitted to Elsevier October 1, 2018
 Figure 1: NIST cybersecurity framework (Source: [4])

• Structure the method to deploy new technologies/business 1.3. Research contributions

models.
The contributions made in this article are listed below.
• Simplify complex environments.
• We list and discuss the cyber attacks, security require-
• Promote economic growth. ments and measures.

1.2. Minimum cyber security standard • We then discuss the cyber security incident management
A new minimum set of cyber security standards are needed. framework and its various purposes.
These standards help the government to expect departments to
• We also discuss the standardization challenges in cyber
adhere to and exceed wherever possible.
security.
The security policy framework (SPF) provides the manda-
tory protective security outcomes that all the departments are • The national strategy to secure cyberspace and various
required to achieve those. This defines the minimum security government policies have been discussed.
measures that the departments should implement with regards
to protect their information, technology and digital services in • Finally, we provide some recommendations that are es-
order to meet their SPF and the national cyber security strategy sential for both cyber security and cyber defense.
obligations. As far as possible the security standards should
define outcomes, allow the departmental flexibility in how the 1.4. Paper outline
standards are implemented depending on their local context.
Since the definitions of ‘sensitive’, ‘essential’, ‘important’ and The organization of the rest of this article is as follows. Sec-
‘appropriate’ are deliberately left open, the departments can tion 2 gives the cyber attacks, security requirements and mea-
apply their own values based on their particular circumstances. sures, while in Section 3 the cyber security incident manage-
However, the departments are accountable for the effectiveness ment framework is discussed. In Section 4, the standardization
of these decisions, and these shall reflect the government secu- challenges in cyber security are discussed. Section 5 focuses
rity classifications policy where they are relevant [5]. on the strategic objectives to secure cyberspace and Section 6
Compliance with the standards can be achieved in many provides various government policies to handle cyber security.
ways depending on the technology choices and business re- Some essential recommendations for both cyber security and
quirements. For digital services, this set of standards is cyber defense are given in Section 7. The article is finally con-
complementary to the digital service manual. The standard cluded in Section 8.
presents a minimum set of measures, and departments need to
look to exceed them wherever possible. Over the time, new 2. Cyber attacks, security requirements and measures
threats and various vulnerabilities increase [6].
The cyber security framework was needed in response to In this section, we first discuss various cyber attacks. After
executive order 13636 [4]. This framework was used to im- that we also discuss the security requirements and measures
prove the security of the nation’s critical infrastructure from for cyber security.
various cyber attacks discussed in Section 2. The framework
is also considered as a useful guide to any organization that
2.1. Cyber attacks
looks to improve the cyber security attitude (see Fig. 1). We
have provided the comparative features of information security Various cyber attacks can be mounted by an adversary (at-
and cyber defense in Table 1. tacker). Some of these attacks are discussed below [8].
2
 Table 1: Comparison of features [7]
S. No. Features Description
1. Identify a) There shall be clear lines of responsibility & accountability to the named individuals
Departments shall put for security of sensitive data (information) and key operational services.
in place appropriate b) There shall be appropriate management policies and processes
cyber security in place to direct the departments for overall approach to cyber security.
governance c) Departments shall identify and manage the significant risks to sensitive
processes. information and key operational services.
d) Departments shall understand and manage security issues that arise
because of dependencies on external suppliers or through their supply chain.
This should ensure that the standards defined in this document are met by
the suppliers of third party services. This could be achieved by having suppliers
to assure their cyber security against the cyber security standard or by
requiring them to hold a valid cyber essentials certificate as a minimum.
Cyber essentials allows a supplier to demonstrate appropriate diligence with
regards to standard number six, but the department should, as part of their risk
assessment, determine whether this is sufficient assurance.
e) Departments shall ensure that senior accountable individuals receive
appropriate training and guidance on cyber security and risk management, and
should promote a culture of awareness and education about cyber security
across the Department.
2. Protect a) Access to sensitive information and services shall only be provided to authorized,
Access to sensitive known and individually referenced users or systems.
information and key b) Users and systems shall always be identified and authenticated prior to being
operational services provided access to information or services. Depending on the sensitivity of the
shall only be provided information or criticality of the service, it is needed to authenticate and
to identified, authorize the device being used for access.
authenticated and
authorized users or
systems.
3. Detect a) As a minimum, the departments should capture events that could be combined with
common threat intelligence sources (e.g. Cyber Security Information Sharing
Departments shall Partnership (CISP)) to detect known threats.
take steps to detect b) Departments shall have a clear definition of what must be protected and why
common cyberattacks. (based upon Standard 1), which in turn influences and directs the monitoring solution
to detect events which might indicate a situation the department wishes to avoid.
c) Any monitoring solution should evolve with the department’s business and
technology changes, as well as changes in threat.
d) Attackers attempting to use common cyber-attack techniques should not be able to
gain access to data or any control of technology services without being detected.
e) Digital services that are attractive to cyber criminals for the purposes of fraud
should implement transactional monitoring techniques from the outset.
4. Respond a) Departments shall develop an incident response and management plan, with clearly
defined actions, roles and responsibilities. A copy of all incidents shall be recorded
Departments shall regardless of the need to report them.
have a defined, b) Departments shall have communication plans in the event of an incident which
planned and tested includes notifying the relevant supervisory body, senior accountable
response to cyber individuals, the departmental press office, the national cyber security center,
security incidents that government security group (cabinet office), information commissioner’s office
impact sensitive or law enforcement as applicable.
information or key c) In the event of an incident that involves a personal data breach, departments
operational services. shall comply with any legal obligation to report the breach to the information
commissioner’s office.
d) The incident response and management plan should be tested at regular intervals
to ensure all parties understand their roles and responsibilities as part of the plan.
Post testing findings should inform the immediate future technical protection of the
system or service to ensure identified issues cannot arise in the same way again.
Systemic vulnerabilities identification shall be re-mediated.
e) On discovery of an incident, mitigating measures shall be assessed and applied
at the earliest opportunity, drawing on expert advice where necessary (e.g. a cyber
incident response (CIR) company).
f) Post incident lessons shall be assessed and lessons implemented into future
iterations of the incident management plan.
5. Recover a) Departments shall identify and test contingency mechanisms to continue to deliver
essential services in the event of any failure, forced shutdown, or compromise of
Departments shall any system or service. This may include the preservation of out of band or manual
have well defined and processes for essential services.
tested processes in b) Restoring the service to normal operation should be a well-practiced scenario.
place to ensure the c) Post incident recovery activities shall inform the immediate future technical
continuity of key protection of the system or service to ensure the same issue cannot arise in the
operational services same way again. Systemic vulnerabilities identification shall be re-mediated.
in the event of failure
or compromise.

3
• Virus: A virus is considered as an infectious program. It monitors the Internet activities (for example, the web-
attaches itself to some other software (program) and re- pages) that one accesses and transmits the information
produces itself when the software is executed. Typically, to an adversary. Later, the spied information could be
virus spreads through sharing of infected software or files misused in many ways (for example, the contact list or
among different sources, such as computers and smart- email addresses stored in a smartphone could be sold to
phones. the spammer) [9].

• Phishing attack: A phishing attack is one of the so- • Unauthorized access: In this case, someone can gain ac-
cial engineering attacks. Phishing is treated as the pro- cess to a program, server, website, service, or even other
cess of attracting a victim a fake website by clicking on system using someone’s account or other modes. For in-
a given link. Generally, the victim encounters the link stance, if an adversary can keep guessing a password or
in an e-mail message sent to him/her or on a webpage user identity for an account until he/she gains access, it is
being browsed by him/her. The users should be aware treated as an unauthorized access. Other examples in this
not to click, download or open a file received in email category includes stealing intellectual property and secret
attachments as it may contain malware. Attackers can credentials.
then utilize unauthorized e-mails i.e., phishing to steal the
important information of the user, such as credentials of • Control system attacks: Control system security stan-
the banking account including user login, password and dards evolve in emphasizing strong intrusion prevention
credit card number. mechanism in the form of unidirectional security gate-
ways and removable media controls over intrusion detec-
• Trojan horse: A Trojan horse is a useful, or apparently tion systems [10].
useful, software program or command process contain-
ing hidden code that, when implored, executes some use- 2.2. Cyber security requirements
ful undesirable or harmful function. This is one of most The following are the cyber security requirements as in gen-
dangerous malware types. A Trojan horse is coded with eral computer networks:
the purpose of discovering somebody’s financial informa-
tion and taking over the system’s resources. This further • Confidentiality (privacy): As the data (information) re-
causes Denial-of-Service (DoS) attacks. For example, an lated to various organizations and sources is important,
android-infecting trojan malware can launch further at- the data should be available for access only by those who
tacks on a router using a connected smartphone [3]. are authorized to access it.

• Worm: A worm propagates itself from one system to an- • Integrity: The information of various organizations and
other system, which actively seeks out more machines to sources should not be modified or altered by any unau-
infect and each machine that is infected serves as an auto- thorized entity (i.e., an attacker) under any circumstances
mated launching pad for attacks on other machines. Thus, in a network.
a worm program can destroy data and files in the system.
They can even spread over computer networks by exploit- • Authentication: Authentication is a mechanism by which
ing operating system vulnerabilities. Worms mostly harm the identity of a user is verified. Thus, it is expected
the host networks by consuming bandwidth and over- that only the authorized account holder should be able
loading the web servers. A worm can self-replicate and to access his/her account after successful mutual authen-
spreads independently while a virus relies on some user tication with the system. Based on the number of fac-
action (such as running a program and opening of a file in tors used in authentication, it is termed as single-factor,
a system) for it to spread. two-factor or multi-factor scheme. In two-factor authen-
tication mechanism [11, 12, 13, 14, 15, 16, 17, 18, 19],
• Ransomware: Ransomware is a malware that prevents a user applies two types (such as password and smart
or limits users from accessing their system by perform- card) as his/her credentials to login to the system. For
ing some unauthorized tasks such as locking the system’s this purpose, the smart card can store the useful creden-
screen or by locking the users’ files until or unless some tials at the time of user registration with the server (sys-
specific amount (ransom) is paid. In recent time, a ran- tem). In most applications, this information is manda-
somware called as crypto-ransomware infected several tory for the successful authentication between the user
systems all around the globe. It encrypts certain files of and the server. In three-factor authentication method
the infected systems and forces users to pay some money [20, 21, 22, 23, 24, 25, 26], a user applies three types
via some online payment methods such as bitcoin to get of credentials, such as smart card, password and personal
a decrypt key. Based on a recent report of the European biometrics (i.e., fingerprint and iris) in order to authen-
authorities, WannaCry, is a kind of ransomware attack, ticate with the system. There are several advantages of
which affected over 10,000 organizations and 200,000 in- using biometric keys as compared to passwords, which
dividuals over 150 countries [9]. are listed below [27, 28]:

• Spyware: A Spyware is another kind of programs, which – The biometric keys can not be forgotten or lost.
keeps track of crucial information from a system. It also – These are very difficult to share or copy.
4
 – These are hard to distribute or forge. – Only authorized traffic, which can be defined by the
– These can not be guessed easily as compared to low- local security policy, should be permitted to pass.
entropy passwords. Thus, various types of firewalls can be used in order
to implement various types of security policies.
Due to several advantages of using biometrics, biometric-
based authentication system is inherently more reliable – The firewall itself is resistant to perforation. This
as well as secure compared to traditional password-based requires the use of a trusted system with a secure
authentication methods. operating system.

• Availability: The information systems should be pro- By applying the above design goals for a firewall, the cy-
tected against any kind of DoS attack. If a customer (user) ber attacks can be prevented.
wishes to access his/her account or login to a system,
he/she should be allowed to access or login anytime. • Anti-virus software: There are four generations of anti-
virus software, which are briefly discussed below [31]:
• Authorization: It gives permission to someone to perform
some authorized (legal) activity. It restricts the user to – First generation: In first-generation scanner, a virus
access the information stored at the server(s) that he/she signature is required to identity a virus. Also, it
is allowed to (for example, based on his /her defined role maintains a record of length of programs as well as
in the system). looks for changes in length in order to detect a virus.
• Physical theft of devices: Sometimes, an adversary may – Second generation: A second-generation scanner
have opportunity to capture some devices physically. For does not depend on a specific signature. Such a
example, consider the Internet of Things (IoT), which is scanner applies heuristic rules in order to search for
composed of a large number of things/objects (called the portable virus infection.
IoT smart devices) that are connected through the pub- – Third generation: Third-generation programs are
lic Internet. In IoT environment, there is a possibility of memory resident, which can identify a virus by its
physical capturing of the IoT smart devices by an attacker actions rather than its structure in an infected pro-
due to hostile environment of some IoT applications [29]. gram. These kinds of programs do not necessar-
Also, the smart card or mobile device of a user may be lost ily require to develop signatures and heuristics for
or stolen. These devices may store some important secret a wide range of viruses.
credentials. Therefore, it is important that the adversary
– Fourth generation: In this generation, the products
should not misuse the stored information extracted from
are packages having of a variety of anti-virus mech-
the devices.
anisms to be used in conjunction, such as scanning
• Non-repudiation: It refers to the assurance that a commu- and activity trap components.
nicating party (entity) in the system cannot deny some-
thing. For example, the customers can be held account- A good and updated anti-virus software is needed to pro-
able for some transactions, such as online purchases, tect the system against attacks and keeps their system se-
which they cannot later deny. Therefore, non-repudiation cure.
refers to the inability of the user to deny the authentic-
• Intrusion detection and prevention systems: An intrusion
ity of his/her signature on a message (document) sent by
is an illegal task performed by an intruder (attacker) in
him/her.
a network/system [31]. The attacks can be passive (i.e.,
• Freshness: It ensures that the information (data) is recent information collection and eavesdropping) or active (i.e.,
and no adversary should replay old messages in future malicious packet injection and packet dropping). An in-
communications. It can be achieved by means of using trusion detection system (IDS ) is a device/software ap-
the current system timestamps and random nonces in the plication that can detect any suspicious activity occur-
transmitted messages among communicating parties. ring in the network/system. The suspicious activities in-
clude both intrusions (attacks from outside the organiza-
2.3. Cyber security measures tion) and misuse (attacks from within the organization).
We present some cyber security measures and solutions that On the other hand, an intrusion prevention system (IPS )
can mitigate various attacks as follows [3, 30]. monitors and detects anomalies in a network/system. The
• Firewalls: There are three common types of firewalls: major difference between IPS and IDS is that IPS can
1) packet filters, 2) application-level gateways, and 3) prevent against attacks, but IDS can only detect attacks.
circuit-level gateways. The design goals for a firewall are An IPS can raise alarms, if the anomalies are detected,
given below [31]: can drop malicious packets, can execute connection reset-
ting or even can block malicious traffic from a suspected
– All the traffic from inside to outside, and vice versa, IP address. Hence, it is important that a network/system
must go through the firewall. It can be done by phys- is equipped with IPS /IDS .
ically blocking all the access to the local network
except via the firewall. For this purpose, various • Encryption: It is essential that the data stored in the
configurations in the firewall are needed. servers should be in encrypted form so that an adversary
5
 Figure 2: Cyber security incident management framework [32]

can not decrypt the encrypted data without having the se- Fig. 2 shows the architecture of CIMF, which contains three
cret key. Based on the applications, one can use either major components: 1) technology infrastructure, 2) security
symmetric key encryption (e.g, triple Data Encryption operations center, and 3) computer emergency response cen-
Standard (3DES) [31] and Advanced Encryption Stan- ter. It describes the high level diagram and contains the list of
dard (AES) [33]) or public key encryption mechanism indicative activities. There are several primary objectives of
(e.g., elliptic curve cryptography (ECC) [34] and RSA CIMF. Some of them include the following [9]:
[35]).
• To avoid cybersecurity incidents before they occur.
• Login credentials: In authentication, password and/or • To minimize the impact of cybersecurity incidents in or-
biometrics of a user can be used. It is then essential for der to achieve to the confidentiality, integrity or availabil-
the user to pick up the high-entropy passwords rather than ity of the investment industry’s services, information as-
low-entropy passwords to avoid offline password guess- sets as well as operations.
ing attacks.
• To reduce threats and dangers as cybersecurity incidents
• Awareness: Some awareness programs are required to ed- occurr.
ucate users as well as employees about various poten-
tial threats, such as phishing, malware and malicious file • To improve cybersecurity incident coordination & man-
download, and also increase their awareness about the agement within the investment industry.
need for proper authentication and good antivirus soft- • To reduce the indirect as well as direct costs prodecued
ware. by cybersecurity incidents.
• Operating system updates: One of the most prominent • To report detections to executive management.
features of current systems (i.e., smartphone, desktop,
laptop and tablet) is the in-built feature of software up- The CIMF’s purpose is to have a consolidated whole of na-
dates. The operating system needs to be kept up-to-date tion mechanism to the management as well as coordination
in today’s environment. The software manufacturers are of potential or occurring cyber threats/incidents. The CIMF
constantly monitoring existing threats and bugs, and they also sets out various roles & responsibilities of all levels of
try to fix them remotely over the Internet provided the government, public and private sector partners, and critical in-
system is connected to the Internet. Hence, the up-to-date frastructure owners and operators. Hence, it is important that
operating system improves the reliability, security as well the CIMF should deliberately enable each organization to fully
as speed of the system. and effectively participate in a coordinated national cyber inci-
dent response.

3. Architecture of cybersecurity incident management 4. Standardization challenges in cyber security

framework
A cyber security standard is defined as a technique which
In this section, we discuss the architecture of cybersecurity is generally set forward in published documents in order to at-
incident management framework (CIMF) and its primary ob- tempt in protecting a user or an organization’s cyber environ-
jectives [32]. ment [36]. This standard includes various users, networking
6
devices, softwares, networks, processes, applications, infor- particular goal. For example, to implement the Public Key In-
mation in storage or transit that can be directly or indirectly frastructure (PKI), the organizations often adopt a combination
connected to the networks. The main objective of such a stan- of standards, such as X.509 of the International Telecommuni-
dard is to minimize various risks, such as prevention and alle- cation Union (ITU) for the format certificate, the Public-Key
viation of cyber attacks. The tools, security concepts, various Infrastructure (PKIX) of IETF for primary PKI and also the
policies, security protection, risk management, training, etc. Public Key Cryptography Standards (PKCS) (e.g., RSA) stan-
are parts of a cyber security standard. dards in order to interface with devices securely.
Though proper use of cyber security standards is definitely
beneficial for achieving a strong security approach, there are 4.5. Economic considerations
still several challenges that to be achieved in practice [1, 37].
Some of these challenges are discussed below. Some providers observe their use of admitted standards as a
unique selling point. However, there are several cases of com-
4.1. Organizational challenges panies with a supreme position, where their own proprietary
standards fail to positively support and implement the stan-
Over the last decade, a superfluity of the Standard Devel- dards for their products. Consider the following case study,
opment Organizations (SDOs) has been made. These kinds of where every mobile phone vendor uses there own charger plug.
organizations are mainly initiated by many industries, such as Therefore, the customers are annoyed with the usage of differ-
Internet Engineering Task Force (IETF), Information Technol- ent charger plugs, which is also wasteful in terms of resources.
ogy Infrastructure Library (ITIL), Adobe, Open Data Center, To resolve such difficulty to customers, the European Union
World Wide Web Consortium (W3C) and Oasis. It was noticed (EU) requires to take action to force vendors to adopt a sin-
that there was partly an industry response to the large expendi- gle standard universal mobile phone charger plug so that the
ture in terms of time and people needed for typical SDOs [36], customers can use any mobile charger plug.
such as the European Telecommunications Standards Institute The companies with a ruling position may have some incen-
(ETSI) and International Telecommunication Union (ITU). tives in order to adopt interoperable standards. This is because
it can strengthen the position of their competitors. There are
4.2. Areas of standardization several advantages if a company uses its proprietary standards
At the time of preparing the standards, only a number of as it can lock the consumer in. The lock-in process can happen
discrete areas are included. Some of these areas are listed be- in the following two ways:
low.
• The customer cannot purchase or merge compatible prod-
• Various technical standards. ucts from several competitors of a company. This will
help the companies to generate more revenues for their
• Various metrics that are related mainly to business pur-
providers.
pose.
• Various definitions. • Sometimes it is inconvenient for the customers to switch
to another supplier as moving data and processes to a
• Various aspects related to organization. competitor can not be done easily.

It is worth noting that some areas in the standards are eventu-

4.6. Lack of awareness
ally over-standardized. Only a few standards address the com-
pliance with privacy and data protection ratification. There are many disadvantages related to the use of propri-
etary standards. Unfortunately, there are several cases where
4.3. Lack of agility the customers including those in the government organizations
The process of designing and agreeing on various standards fail to demand open standards. Therefore, it is important task
takes long time (e.g., a few months (in the best cases) to a few to give awareness program to the customers.
years). The standards need to progress at a comparable mo-
mentum. Otherwise, the standards can be either outdated or 5. National strategy to secure cyberspace
only partly applicable to the real-life environments. To over-
come such problem, it is required to apply ‘good practice’ doc- The national strategy to secure cyberspace identifies the fol-
uments as precursors to the standards. Therefore, the suffi- lowing three strategic objectives [38]:
ciently matured good practice documents could be utilized as
a basis for a corresponding standard. • Prevention of cyber attacks against America’s critical in-
frastructures.
4.4. Competing sets of standards
• Reduction of national vulnerability to cyber attacks.
There are many different groups of standards defined in sev-
eral areas of information and cyber security. These standards • Minimization of damage as well as recovery time from
can compete each other for acquisition. Therefore, it could cyber attacks that do happen.
be difficult for the end users to verify/judge which standard
will be best for particular requirements. Also, the standards In order to satisfy the above objectives, the national strategy
from different families can be mixed and matched to achieve a outlines the following five national priorities:
7
 • The first priority is on the develop of a national cy- do so [39]. He also stated that the successful cyber attacks on
berspace security response system. It focuses on improv- government systems still happen despite of several government
ing the government’s response to cyberspace security in- efforts [40].
cidents and also reducing the potential damage from such The Data Quality Act provides the Office of Management
events. and Budget, a statutory authority, to implement crucial infras-
tructure protection regulations by the Administrative Proce-
• The second priority is based on the development of a na- dure Act rule making process. The idea has not been fully
tional cyberspace security threat & vulnerability reduc- assessed and it needs additional legal analysis before a rule
tion program. making could begin [41].
• The third priority is on the development of a national cy-
berspace security awareness and training program. 6.2. State governments

• The fourth priority is based on the requirement of se- State governments are responsible for improving cyber se-
curing government’s cyberspace. The second, third and curity by means of increasing public visibility of firms with
fourth priorities are created to reduce threats and vulner- weak security. In 2003, California, USA passed the Notice of
abilities related to cyber attacks. Security Breach Act. This act needs any company to main-
tain personal information of California citizens, and it has
• The fifth priority is on the establishment of a system of na- a security breach that requires mandatory disclosure of the
tional security and international cyberspace security co- event’s details. For example, the personal information, such
operation. This priority is designed to prevent cyber at- as name, driver’s license number, social security number and
tacks that could impact national security assets and also to financial information, can be disclosed. The California’s act
improve the international management and response for has been followed by other states, who passed the similar se-
cyber attacks. curity breach notification regulations [42]
In 2004, the California State Legislature passed the Cali-
The national strategy encourages companies to regularly re- fornia Assembly Bill 1950. It applies to businesses that own
view their technology security plans and individuals, who uti- or preserve personal information for the California residents.
lize the Internet to configure firewalls and also to install anti- The regulation dominates for businesses to preserve a reason-
virus software in their systems. In addition, the national strat- able level of security and that they required security practices
egy calls for a single federal center. The federal center’s task is to be extended to business partners. This regulation is an im-
to monitor, detect and then analyze several cyber attacks, and proved version of the federal standard. However, it needs a
also expand the research in cyber security along with improv- reasonable level of cyber security [43].
ing government-industry coordination.
6.3. Cybersecurity national security action plan
6. Government policies
In 2016, Barack Obama, 44th U.S. President, proposed the
In this section, we review the following policies adapted by Cybersecurity National Security Action Plan (CNAP) [44].
several governments. CNAP mainly encourages the private sector to share security
events with one another and the federal government. The long-
6.1. Federal government term actions along with strategies were made in this plan in
order to protect the US against cyber threats. It focused on
Few federal cybersecurity regulations have been suggested, several issues, such as informing the public about the growing
which focus on specific industries. There are three primary threat of cyber crimes, improving cyber security protections,
cyber security regulations: 1) 1996 Health Insurance Portabil- protecting personal information of Americans, and informing
ity and Accountability Act (HIPAA), 2) 1999 Gramm-Leach- Americans to control digital security. One of the highlights of
Bliley Act, and 3) 2002 Homeland Security Act, in which the this plan includes creating a commission on enhancing national
Federal Information Security Management Act (FISMA) is in- cyber security, which has a diverse group of thinkers with per-
cluded. spectives that can contribute to provide recommendations on
The healthcare organizations, financial institutions and fed- creating a stronger cyber security for the public/private sector.
eral agencies are parts of the regulations. These ae responsible Second highlight of this plan includes changing Government
for protecting their systems/information. For instance, FISMA IT. The new Government IT will make it so that a more secure
is applicable to every government agency. It needs expansion IT can be put in place. Third highlight of the plan is to provide
and implementation of compulsory policies, standards, princi- Americans for securing their online accounts and also to avoid
ples and guidelines on information security. However, these theft of their personal information with the help of multi-factor
regulations fail to address several computer related industries, authentication. Fourth highlight of this plan was to invest 35%
such as Internet Service Providers (ISPs) and software indus- more money that was invested in 2016 into cyber security [43].
tries. Moreover, these regulations do not specify how the cyber
security measures need to be implemented. Bruce Schneier,
6.4. Cyber security strategies of non-EU nations
who is the founder of Cupertino’s Counterpane Internet Secu-
rity, pointed out that companies will not make sufficient in- In this section, we provide is a short introduction to three
vestments in cyber security unless government forces them to strategies from non-EU countries. Many other countries have
8
also published NCSS(National Cyber Security Strategies) in- • Establishment of policies adapted to changes in the infor-
cluding India, Australia, New Zealand and Colombia. The fol- mation security environment.
lowing list illustrates the importance of cyber security that is
recognized globally [45]. • Establishing active rather than passive information secu-
rity measures.
6.4.1. United States of America
The United States released the international strategy for cy-
berspace in May 2011. It describes the following set of ac-
tivities across seven inter-dependent areas that are based on a
collaborative model involving government, international part-
ners, as well as the private sector [46]:

• Economy: It promoting international standards and inno-

vative, and open markets.

• Protecting networks: It enhances security, reliability, and

resiliency. Figure 3: China’s cyber security services [49]

• Law enforcement: It extends the collaboration and the

rule of law. 6.5. China’s cybersecurity services
• Military: It prepares for 21st century various security Having several years of experience in cybersecurity advi-
challenges. sory services, Klynveld Peat Marwick Goerdeler (KPMG) has
a deep understanding of the cybersecurity landscape in China,
• Internet governance: This promotes effective and inclu- as well the requirements of laws and regulations [49].
sive structures. KPMG provides a variety of advisory services based on cus-
tomer demands. The following four types of services in cyber-
• International development: It helps building capacity, se-
security management are provided by KPMG (shown in Fig.
curity and prosperity.
3):
• Internet freedom: It allows to support fundamental free-
• Strategy & governance: Under this category, the follow-
doms and privacy.
ing are considered:
6.4.2. Canada – Governance
The cyber security strategy of Canada was published in – Cyber in the boardroom
2010, and it was built on the following three pillars [47]:
– Risk management
• Securing government systems. – Privacy & data protection
• Partnering to secure vital cyber systems outside the fed- – Cyber resilience
eral government.
• Security transformation: This category has the following
• Helping Canadians to be secure online. components:

The first pillar aims to establish the clear roles and respon- – Security architecture
sibilities in order to strengthen the security of federal cyber – Change program
systems as well as for enhancing cyber security awareness
– Identity & access management
throughout the government. The second pillar covers a number
of partnering initiatives with the provinces and territories, and – Education & awareness
it involves the private sector and critical infrastructure sectors, – Cloud/digital/mobile
while the third pillar covers combating cybercrime and pro-
tecting Canadian citizens in online environments. It is worth • Cyber defence services: The following are included in
noting that the privacy concerns are notably addressed in the this category:
third pillar.
– Cyber exercise
6.4.3. Japan – Application security
The cyber security strategy of Japan was published on May – Penetration testing
2010, which can be decomposed into a number of key areas of – Incident response
actions as follows [48]:
• Assessments & assurance: The following components are
• Reinforcement of policies taking account of possible out- included in this category:
breaks of cyber-attacks along with establishment of a re-
sponse organization. – Industry standard alignment
9
 – Cybersecurity in internal audit • In order to support the specification of metrics, and sup-
– Supply chain security porting test and validation criteria to be used in resilience,
the work items should be actively boosted in the SDOs.
– Cyber maturity assessment Moreover, SDOs should assure that the resilience aspects
– Regulatory assessment are addressed comprehensively in Information and Com-
munication Technology (ICT) related standards.
6.6. ePrivacy regulation
The ePrivacy regulation is a proposal for regulating privacy 8. Conclusion
and electronic communications. The scope of this regulation We first discussed various cyber attacks, and their security
would be applicable to any business that furnishes any form requirements and solutions. We then discussed the cyber se-
of online communication service, applies online tracking tech- curity incident management framework (CIMF). It was traced
nologies, or attacts in electronic direct marketing [50]. This out that the CIMF should deliberately enable each organization
regulation on high level of privacy rules for all electronic com- to fully and effectively participate in a coordinated national
munications includes new players, stronger rules, communi- cyber incident response. After that we discussed several stan-
cations content and metadata, new business chances, simpler dardization challenges that are required in cyber security. The
rules on cookies, protection against spam and more effective tools, security concepts, various policies, security protection,
enforcement. risk management, training, etc. are parts of a cyber security
standard. We also discussed the national strategy to secure
7. Recommendations cyberspace and various government policies. Finally, we pro-
vided some recommendations that are useful for both cyber
The general recommendations are essential in order to de- security and cyber defense.
velop and use the standards in several critical areas of cyber
security and cyber defense. These recommendation will help Acknowledgment
to recognize the standards for specific R&D areas, define ef-
fective practices for verification of security in national security This work was supported by the Information Security Ed-
relevant systems, and standardize processes and enforcement ucation & Awareness (ISEA) Phase II Project, Department of
of regulations. Some of the recommendations are listed below. Electronics and Information Technology (DeitY), India. The
authors would like to thank the anonymous reviewers and the
• It is necessary for the policy-makers to encourage vendors Editor for their valuable feedback on the paper which helped
to concur on the use of the standards, and also to encour- us to improve its quality and presentation.
age both public & private sector organizations to include
the standards’ references in procurement procedures.
References
• It is needed for the governments to integrate standardiza- [1] R. J. Deibert, R. Rohozinski, Risking security: Policies and paradoxes
tion as part of their national cyber security policy. The of cyberspace security, International Political Sociology 4 (1) (2010) 15–
coordination between policy and operational levels and 32.
enhancement of the role of public-private partnerships in [2] UK Government Policies, Tech. rep.,
http://assets.publishing.service.gov.uk/ government/ up-
standardization procedures should be highlighted. loads/ system/ uploads/ attachment data/ file/ 567242/ na-
tional cyber security strategy 2016.pdf (2016).
• It is also needed for the national regulatory authorities to [3] M. Wazid, S. Zeadally, A. K. Das, Mobile banking: Malware threats
utilize greater application of the standards as a point of and security solutions, IEEE Consumer Electronics Magazine, DOI:
reference in order to impose regulations. 10.1109/MCE.2017.2764115.
[4] A. Chang-Gu, NIST-Cyber Security framework,
https://p16.praetorian.com/blog/nist-cybersecurity-framework-vs-
• Public organizations involved in the funding of research nist-special-publication-800-53 (2018).
& development need to pinpoint compatible sets of stan- [5] G. N. Ericsson, Cyber security and power system communicationessen-
dards to be used in various research activities. Therefore, tial parts of a smart grid infrastructure, IEEE Transactions on Power De-
it is important that the publicly funded research should livery 25 (3) (2010) 1501–1507.
[6] W. Knowles, D. Prince, D. Hutchison, J. F. P. Disso, K. Jones, A survey
need compliance with the standards, whenever appropri- of cyber security management in industrial control systems, International
ate. Journal of Critical Infrastructure Protection 9 (2015) 52–80.
[7] The Minimum Cyber Security Standard, Tech. rep.,
• Standards Development Organization (SDO) need to http://assets.publishing.service.gov.uk/government/uploads/system/ up-
loads/attachment data/file/719067/25062018 Minimum Cyber Security
work together to rectify various ways of speeding up the
Standard gov.uk 3.pdf (2019).
standards development process for cyber security related [8] Chronology of Data Breaches, http://web.archive.org/web/20100613183
standards. This should be done very quickly. 200/http://www.privacyrights.org/ar/ChronDataBreaches.htm. Accessed
on July 2018. (2010).
• A broad certification scheme should be defined by the [9] List of Common Malware Types, http://www.malwaretruth.com/the-list-
of-malware-types/. Accessed on June 2018.
governments of cooperating countries. It should permit [10] A. Ginter, Cyber Security Review, http://www.cybersecurity-
the end users to check that products or services upon review.com/industry-perspective/control-system-security-attack-
which they depend obey with security standards. models/. Accessed on June 2018.

10
[11] H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, H. H. Choi, Enhanced secure http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. Accessed
anonymous authentication scheme for roaming service in global mobility on June 2018.
networks, Mathematical and Computer Modelling 55 (1) (2012) 214 – [34] N. Koblitz, Elliptic Curve Cryptosystems, Mathematics of Computation
222. 48 (1987) 203–209.
[12] Q. Xie, B. Hu, X. Tan, M. Bao, X. Yu, Robust Anonymous Two-Factor [35] R. L. Rivest, A. Shamir, L. M. Adleman, A method for obtaining digital
Authentication Scheme for Roaming Service in Global Mobility Net- signatures and public-key cryptosystems, Communications of the ACM
work, Wireless Personal Communications 74 (2) (2014) 601–614. 21 (2) (1978) 120–126.
[13] D. Zhao, H. Peng, L. Li, Y. Yang, A Secure and Effective Anonymous [36] S. Purser, Standards for cyber security. (2014).
Authentication Scheme for Roaming Service in Global Mobility Net- [37] Cybersecurity Strategy of the European Union: An
works, Wireless Personal Communications 78 (1) (2014) 247–269. Open, Safe and Secure Cyberspace, European Com-
[14] I. Memon, I. Hussain, R. Akhtar, G. Chen, Enhanced Privacy and mission. http://eeas.europa.eu/archives/docs/policies/eu-
Authentication: An Efficient and Secure Anonymous Communication cybersecurity/cybsec comm en.pdf (2013).
for Location Based Service Using Asymmetric Cryptography Scheme, [38] DHS, The national strategy to secure cyberspace (2003).
Wireless Personal Communications 84 (2) (2015) 1487–1508. [39] M. T. McCaul, America is under cyber attack: Why urgent action is
[15] A. G. Reddy, A. K. Das, E. J. Yoon, K. Y. Yoo, A Secure Anonymous needed, http://homeland.house.gov/sites/homeland.house.gov/files/04-
Authentication Protocol for Mobile Services on Elliptic Curve Cryptog- 24-12%20McCaul%20Open.pdf.
raphy, IEEE Access 4 (2016) 4394–4407. [40] J. Garamone, Defense.gov News Article: Panetta
[16] C. T. Li, C. C. Lee, C. Y. Weng, A Chaotic Maps Based Key Agreement Spells Out DOD Roles in Cyberdefense,
and User Anonymity Protocol without Using Smart Cards and Symmet- http://archive.defense.gov/news/newsarticle.aspx?id=118187 (2012).
ric Key En/Decryptions, Journal of Internet Technology 18 (5) (2017) [41] B. Levinson, Do Agencies Already Have the Author-
975–984. ity to Issue Critical Infrastructure Protection Regulations?,
[17] C. T. Li, C. C. Lee, C. Y. Weng, A Secure Three Party Node Authentica- http://www.circleid.com/posts/20120820 agencies authority to issue
tion and Key Establishment Scheme for the Internet of Things Environ- critical infrastructure protection/ (2016).
ment, Journal of Internet Technology 19 (1) (2018) 147–155. [42] L. A. Gordon, M. P. Loeb, W. Lucyshyn, R. Richardson, 2005 CSI/FBI
[18] C. T. Li, C.-L. Chen, C. C. Lee, C. Y. Weng, C. M. Chen, A novel computer crime and security survey (2005).
three-party password-based authenticated key exchange protocol with [43] Executive order – improving critical infrastructure cybersecurity,
user anonymity based on chaotic maps, Soft Computing 22 (8) (2018) The White House. https://obamawhitehouse.archives.gov/the-press-
2495–2506. office/2013/02/12/executive-order-improving-critical-infrastructure-
[19] J. Srinivas, A. K. Das, N. Kumar, J. Rodrigues, Cloud Cen- cybersecurity (2013).
tric Authentication for Wearable Healthcare Monitoring System, [44] FACT SHEET: Cybersecurity National Action Plan,
IEEE Transactions on Dependable and Secure Computing, DOI: http://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-
10.1109/TDSC.2018.2828306. sheet-cybersecurity-national-action-plan. Accessed on June 2018
[20] D. Mishra, A. K. Das, S. Mukhopadhyay, A secure user anonymity- (2016).
preserving biometric-based multi-server authenticated key agreement [45] European union agency for network and informa-
scheme using smart cards, Expert Systems with Applications 41 (18) tion security (enisa), national cyber security strategies,
(2014) 8129 – 8143. https://www.enisa.europa.eu/publications/cyber-security-strategies-
[21] Y. Lu, L. Li, X. Yang, Y. Yang, Robust Biometrics Based Authentica- paper (2012).
tion and Key Agreement Scheme for Multi-Server Environments Using [46] H. A. Schmidt, Launching the u.s. international strategy for cyberspace,
Smart Cards, PLOS ONE 10 (5) (2015) 1–13. https://obamawhitehouse.archives.gov/blog/2011/05/16/launching-us-
[22] H. Lin, F. Wen, C. Du, An Improved Anonymous Multi-Server Authenti- international-strategy-cyberspace (2011).
cated Key Agreement Scheme Using Smart Cards and Biometrics, Wire- [47] Canada’s cyber security strategy : for a stronger and more prosper-
less Personal Communications 84 (4) (2015) 2351–2362. ous canada, http://publications.gc.ca/site/eng/379746/publication.html
[23] D. He, D. Wang, Robust Biometrics-Based Authentication Scheme for (2010).
Multiserver Environment, IEEE Systems Journal 9 (3) (2015) 816–823. [48] Japan’s cyber security strategy, http://www.nisc.go.jp/eng/ (July 2018).
[24] C. Wang, X. Zhang, Z. Zheng, Cryptanalysis and Improvement of [49] Overview of china’s cybersecurity law,
a Biometric-Based Multi-Server Authentication and Key Agreement https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-
Scheme, PLOS ONE 11 (2) (2016) 1–25. of-cybersecurity-law.pdf (2017).
[25] V. Odelu, A. K. Das, A. Goswami, A Secure Biometrics-Based Multi- [50] Europa.eu, ePrivacy Regulation on Europa.eu,
Server Authentication Protocol Using Smart Cards, IEEE Transactions http://ec.europa.eu/digital-single-market/en/proposal-eprivacy-
on Information Forensics and Security 10 (9) (2015) 1953–1966. regulation (2016).
[26] M. Wazid, A. K. Das, V. Odelu, N. Kumar, W. Susilo, Secure Remote
User Authenticated Key Establishment Protocol for Smart Home En-
Jangirala Srinivas completed his Bache-
vironment, IEEE Transactions on Dependable and Secure Computing,
DOI: 10.1109/TDSC.2017.2764083. lor of Science in 2003 from Kakatiya Uni-
[27] C. T. Li, M. S. Hwang, An efficient biometrics-based remote user au- versity, India, the Master of Science de-
thentication scheme using smart cards, Journal of Network and Com- gree from Kakatiya University in 2008,
puter Applications 33 (1) (2010) 1–5. the Master of Technology degree from IIT
[28] A. K. Das, Analysis and improvement on an efficient biometric-based Kharagpur in 2011, and then his PhD de-
remote user authentication scheme using smart cards, IET Information gree from the Department of Mathemat-
Security 5 (3) (2011) 145–151.
[29] A. K. Das, S. Zeadally, D. He, Taxonomy and analysis of security pro-
ics, IIT Kharagpur in 2017. He is cur-
tocols for Internet of Things, Future Generation Computer Systems 89 rently working as an assistant professor
(2018) 110 – 125. with the Jindal Global Business School,
[30] EPIC Bill Track Tracking Privacy, Speech, and Cyber-Liberties Bills O. P. Jindal Global University, Haryana,
in the 111th Congress, http://www.epic.org/privacy/bill track.html. Ac- India. Prior to that he worked as a re-
cessed on July 2018. (2010). search assistant with the Center for Se-
[31] W. Stallings, Cryptography and Network Security: Principles and Prac-
curity, Theory and Algorithmic Research,
tices, 3rd Edition, Pearson Education, India, 2004.
[32] Cyber Incident Management Planning Guide, International Institute of Information Technology (IIIT), Hyderabad,
http://www.iiroc.ca/industry/Documents/CyberIncidentManagement India. His research interests include authentication protocols, in-
PlanningGuide en.pdf. Accessed on June 2018. formation security, digital rights management, cloud computing and
[33] Advanced Encryption Standard (AES), fIPS PUB 197, Na- management of information technology. He has authored 14 papers
tional Institute of Standards and Technology (NIST), U.S. in international journals and conferences in his research areas.
Department of Commerce, November 2001. Available at

11
 Ashok Kumar Das received a Ph.D. de-
gree in computer science and engineering,
an M.Tech. degree in computer science
and data processing, and an M.Sc. degree
in mathematics from IIT Kharagpur, In-
dia. He is currently an Associate Profes-
sor with the Center for Security, Theory
and Algorithmic Research, International
Institute of Information Technology, Hy-
derabad, India. His current research inter-
ests include cryptography, wireless sen-
sor network security, hierarchical access
control, security in vehicular ad hoc net-
works, smart grid, Internet of Things (IoT), Cyber-Physical Systems
(CPS) and cloud computing, and remote user authentication. He has
authored over 170 papers in international journals and conferences
in the above areas, including more than 150 reputed journal papers.
Some of his research findings are published in top cited journals,
such as the IEEE Transactions on Information Forensics and Secu-
rity, IEEE Transactions on Dependable and Secure Computing, IEEE
Transactions on Smart Grid, IEEE Internet of Things Journal, IEEE
Transactions on Industrial Informatics, IEEE Transactions on Vehic-
ular Technology, IEEE Transactions on Consumer Electronics, IEEE
Journal of Biomedical and Health Informatics (formerly IEEE Trans-
actions on Information Technology in Biomedicine), IEEE Consumer
Electronics Magazine, IEEE Access, IEEE Communications Maga-
zine, Future Generation Computer Systems, Computers & Electri-
cal Engineering, Computer Methods and Programs in Biomedicine,
Computer Standards & Interfaces, Computer Networks, Expert Sys-
tems with Applications, and Journal of Network and Computer Ap-
plications. He was a recipient of the Institute Silver Medal from
IIT Kharagpur. He is on the editorial board of KSII Transactions
on Internet and Information Systems, International Journal of Inter-
net Technology and Secured Transactions (Inderscience), and Recent
Advances in Communications and Networking Technology, is a Guest
Editor for Computers & Electrical Engineering (Elsevier) for the spe-
cial issue on Big data and IoT in e-healthcare, and has served as a
Program Committee Member in many international conferences.

Neeraj Kumar received the Ph.D. de-

gree in computer science and engineering
from Shri Mata Vaishno Devi University,
Katra (J&K), India, in 2009. He was a
Post-Doctoral Research Fellow at Coven-
try University, Coventry, U.K. He is cur-
rently an Associate Professor with the De-
partment of Computer Science and Engi-
neering, Thapar University, Patiala, India.
He has authored more than 200 technical
research papers published in leading jour-
nals and conferences from the IEEE, El-
sevier, Springer, John Wiley, etc. He is in
the editorial board of IEEE Communica-
tions Magazine, Journal of Network and Computer Applications (El-
sevier) and International Journal of Communication Systems (Wiley).

12
We list and discuss the cyber attacks, security requirements and measures. We then discuss the cyber
security incident management framework and its various purposes.

We also discuss the standardization challenges in cyber security. The national strategy to secure
cyberspace and various government policies have been discussed.

Finally, we provide some recommendations that are essential for both cyber security and cyber defense.