The current issue and full text archive of this journal is available on Emerald Insight at:

https://www.emerald.com/insight/1359-0790.htm

Global
Cybersecurity and global regulatory
regulatory challenges challenges
Fabio Ramazzini Bechara
Department of Criminal Law, Universidade Presbiteriana Mackenzie,
São Paulo, Brazil, and 359
Samara Bueno Schuch
Universidade Presbiteriana Mackenzie, São Paulo, Brazil

Abstract
Purpose – This study aims to define objectively what are the elements that should be considered in the
repositioning of international cooperation, less under its value, which is unquestionable, but more under the
optics of the procedure, how can it be operationalized. International cooperation goes beyond the regulatory
effort, which, although an important step, is insufficient. It is inserted in an environment in which there is a
multiplicity of forces and instances, non-converging and tensioned. At the same time, in the authors’ view, it is
not about cooperation between states or between states and international organizations only, it must
understand the private sector equally, which has the expressive property of the technologies used.
Design/methodology/approach – The study uses an interdisciplinary approach, and the method of
analysis is the typothetical deductive.
Findings – Cybersecurity as a global and complex issue demands cooperation between nations, but also the
private sector and civil society engagement. It also demands a good governance in the decision making
process, more integrated, accurated and precised.
Originality/value – This study is original, and it represents a special concern and vision from professional
and academic fields.

Keywords Governance, Risks, Cybersecurity, Cyber cooperation, Regulatory challenges

Paper type Research paper

1. Introduction
Since the called peace of Westphalia, which in 1648 established a diplomatic solution for the
peaceful coexistence among sovereign states after many years of mutual threat and religion
wars between several European countries, in terms of international and national
governance, one of the top concerns always have been sovereign.
Almost 350 years later, the development and dissemination of computer technology and
the internet equally challenge global authorities to think about how to solve cyber threats
that spill over their borders and demand dialogue and the search for consensus between
jurisdictions to govern conflicts arising from the misuse of cyberspace. This is a very
current dilemma and one that motivates discussions about the transition to a new era of
post-territorial systems.
It is undeniable that the democratization of computer technology and the internet
has provided, and still provides, many benefits for society. The facilitation of access,
storage and dissemination of information on a large scale, meant that knowledge could Journal of Financial Crime
be transported beyond territorial limits. In this context, the development of societies Vol. 28 No. 2, 2021
pp. 359-374
has been optimized in organizational, cultural, intellectual, social and economic terms. © Emerald Publishing Limited
1359-0790
The initial physical boundaries were broken and communities became more creative DOI 10.1108/JFC-07-2020-0149
JFC and cultured, which fostered their social and political participation, stimulated
28,2 innovation and led to the development of new economic models, many of them based on
information itself.
In a short time, cyberspace became a social and economic phenomenon, because of its
technical, social and institutional openness [1]. However, although this technology has
allowed for many advances in global terms, the openness and philosophy of freedom [2] that
360 underpin the use of the network, also have negative consequences and challenge the global
authorities to think of new ways to solve the damages experienced, because of the use of
cyberspace for bad purposes.
In this new model of social interaction, the basic concepts that we used to define what
happened around us, created based on what we learned in the old social structural models,
are hardly applicable to situations occurring in the digital environment, generating the
feeling of disorientation and creation of an outstanding and parallel environment, in which
traditional rules of social control apparently do not apply.
At the same time, the speed with which these technologies develop does not allow their
impacts to be understood in a timely manner when proposing solutions for the resumption
of social control by states, because when we understand the consequences of a given
technology’s externality and how to accommodate it in the traditional regulatory model, a
more advanced technological model with different consequences is already having an effect
on society.
This legal uncertainty raises many doubts about how to resolve conflicts and threats
presented by misuse in cyberspace, which are mainly questions about the adequacy of
traditional models of social control by governments, about the possibility of applying
the legislation in force in jurisdictions to digital environment, the possibility of
regulating the digital environment and how to resolve any possible conflict between the
laws and interests of different countries, as cyberspace is not bounded by territorial
boundaries.
When observing the world scenario, there is a rapid growth in cyber incidents and
the urgent need for cooperation between countries for coordinated action to mitigate
threats. Currently, initiatives to combat cybercrime are fragmented and the lack of
normative, strategic and operational alignment generates rework and impairs the
absorption of lessons learned, putting at risk the prolonged effectiveness of these
actions.
In this context, cooperation between nations is increasingly necessary to give traction to
discussions on global cyber governance, aiming at the conclusion of international
agreements capable of establishing mutual assistance to guarantee digital inclusion, for the
sharing of information and collaboration in investigations of cybercrimes, as well as for the
harmonization and guarantee of enforcement regardless of territorial limits imposed by
traditional regulatory models.
In this sense, we intend to define objectively what are the elements that should be
considered in the repositioning of international cooperation, less under its value, which is
unquestionable, but more under the optics of the procedure, how can it be operationalized.
International cooperation goes beyond the regulatory effort, which, although an important
step, is insufficient. It is inserted in an environment in which there is a multiplicity of forces
and instances, non-converging and tensioned. At the same time, in our view, it is not about
cooperation between states or between states and international organizations only, it must
understand the private sector equally, which has the expressive property of the technologies
used.
2. Global governance and cybersecurity Global
Extensive examples are able to show how different nations are trying to avoid cyber threats regulatory
and, in some cases, those protection measures are, negatively, impacting the freedom of
speech and right of information [3]. In this group of nations, we could include Russia, China,
challenges
Belarus, USA and many others. As Lawrence Lessig – Law Professor at Harvard – said:
“Every age has its potential regulator and its threat to Liberty” (Lessig, 2000).
On the other hand, mostly nations are trying to be cooperative and gradually building
bilateral solutions regarding the provision of a new and fair cyber regulatory framework. 361
However, the reality for regulatory bodies is really complex and complicated, at long last
“governments have acknowledged that international laws apply to the Internet, such laws
are static and binding and do not necessarily address well new cyberspace scenarios” [4]. In
light of this, Martha Finnemore and Duncan B. Hollis have demonstrated that:
Norms may even arise for bilateral pairings of states, as witnessed by China’s recent
agreement on a norm against cyber espionage for commercial purposes with the United States
(and, later, with the United Kingdom). Given Anne-Marie Slaughter’s theories on
transnational government networks, it is not surprising to see norms emerging for specific
types of government actors, whether militaries (for example, the Tallinn Manual) or law
enforcement communities (for example, the Budapest Convention) (Finnemore and Hollis,
2016, p. 439).
Companies and countries are increasing collaborative networks and budget commitment
related to cyber security measures and threats mitigation risks. It addresses exactly the
critical point about the regulatory framework in cyberspace: cooperation among several
nations. The prosperity and accomplishment of global governance in cyber security matters
is directly related to a set of regulations which rests not just in what it says, but in who
accepts it, not to mention where, when and how they do so. It matters to the content and
future and even beyond considering a multistakeholder group open to all many international
and national players as NGOs, United Nations (UN) entities, nation states, transnational
business and specially people.
Some attempts have already been made by international organizations to seek consensus,
relevant and equal political participation and to include the topic of cyber governance in the
countries’ agenda. The UN established, from the 2000s, study groups of governmental experts
in information security and telecommunications dedicated to proposing rules of conduct
applicable to cyberspace. From these groups, reports were issued with recommendations for
international codes of conduct, through which cyber threats were identified and explained,
basic rules of governance and responsibility for cyberspace were developed and measures for
the construction of international cooperation mechanisms were proposed [5]. Unfortunately,
there is no news that these groups have been successful in reaching consensus on the
acceptance of these norms of conduct between nations, albeit under the aspect of a non-binding
resolution in relation to the application of sanctions, but only as an initial step toward the
institutionalization of global consensus on cyber challenges.
In the age of surveillance, this reality of regulatory uncertainty is the landscape that new
technologies are arising, and the flow of data has sharply increased [6]. A 2017 research
about internet use conducted in 30 important economies including the UK, USA and
Australia, demonstrated that citizens of the Philippines spent most time online – 8 h 59 min,
on average, per day – across personal computers and mobile devices. Brazil was second with
8 h 55 min, followed by Thailand at 8 h 49 min online [7].
In the past 25 years, the constant progress of the internet, and particularly of social
media, has briskly shifted the power balance between political groups (Mounk, 2018) and it
can be dangerous in terms of cyber domain and big data algorithms which could create
JFC digital dictatorships in which all power is concentrated in the hands of a tiny elite while
28,2 most people suffer not because of exploitation but something much worse: irrelevance [8].
Those big data files – amounts of information – are providing huge quantity of data that
might be stored in servers around the world. Those servers, though connected to a
borderless Web, all reside somewhere physically. But the international law question is:
“Who controls them and the data they contain?” (Rosenzweig, 2012), which is another issue
362 about global governance and cybersecurity.
Thus, we are in a cyber paradox as included in a good reminder in the UK Cyber security
strategy “ultimately, this is a threat that cannot be completely eliminated. Digital technology
works because it is open, and that openness brings with it risk” [9].
The following lines contain one piece of academic discussion about the challenges of
mitigating risks and vulnerabilities without violating the liberal democracy landmark:
freedom. Many initiatives are underway in different cultural realities taking into account
experiences regarding multistakeholders in cyberspace that have advocated for the
development and implementation of norms before creating new laws [10]. Furthermore, into
this mix of multistakeholders in cyberspace, to approach properly the global regulation, we
might be aware of “the differences in legal traditions are not merely formal. The common-
law tradition tends to be less interventionist and more supportive of private economic
arrangements. The civil-law tradition tends to be more dirigiste, and more focused on the
state constraining such arrangements.”
So, this chapter intends to approach not only risks and vulnerabilities on cybersecurity in
the 21st century but either good and bad experiences demonstrated by what is ongoing in
terms of regulation of internet and technologies in general into the multistakeholder
scenario.

2.1 Risks and vulnerabilities: the case of neighbourhood breach

Regardless of many other possible approaches, risks and vulnerabilities in cybersecurity
matters could be studied by different points of view.
From the business perspective, it represents operational, legal and reputational risks. On
the other hand, from the national security perspective, there are vulnerabilities in terms of
critical infrastructure services (transport, water distributions, banking, traffic control
service, energy distribution and so on). In addition, national states are worried about
political activist hackers, who would leak classified documents and secrets which could
compromise the national security of land. Finally, cybersecurity measures are impacting the
citizenship democracy belief because of possible manipulation of daily decisions, votes and
non-safety of connected products and devices. Each standpoint will be detailed and
described in this section of the paper.
From the citizen perspective, the technological development generates new ways for
performing connection, communication, sharing and – most important – consumption. This
social revolution brought a cyberspace as a “virtual environment in which economic value is
attached to ideas rather than to physical property” (Wall, 2004, p. 79).
To critically reflect on today’s world, while the internet has various positive uses, it is
increasingly being used as a tool to facilitate possibly the most significant challenge facing
individuals’ use of the internet: cybercrime. This issue was particularly addressed by Jason
R.C. Nurse, as quoted below:
Cybercrime has been defined in several ways but can essentially be regarded as any crime (traditional
or new) that can be conducted or enabled through, or using, digital technologies. Such technologies
include personal computers (PCs), laptops, mobile phones, and smart devices (e.g., Internet-connected
 cameras, voice assistants), but the scope is quickly expanding to encompass smart systems and Global
infrastructures (e.g., homes, offices, and buildings driven by the Internet of Things, IoT) (Nurse, 2018).
regulatory
Taking it into account, a practical perspective was demonstrated by a recent survey which challenges
revealed that roughly one in five Americans (21%) have experienced a ransomware attack
on a personal and/or work device. Among those who experienced an attack on a work
device, 46% say their companies paid a ransom. The survey revealed that many Americans
view cybersecurity as a priority. A large portion (87%) believes that government should 363
consider it as such. However, only 51% believe the government is effectively addressing the
issue [11].
We can say that possible benefits of this sort of connectivity are significant: real-time
monitoring and more accurate indicators, the possibility to remotely control several actions,
interconnectivity and automation, further the ease of handling different devices that can be
centralized on just one smartphone. On the other hand, this technological avalanche also
brings risks and vulnerabilities to users, and nowadays, the strongest password in the world
is not secure if you use it for every one of your secure sites. If one site is compromised and
hackers are able to crack your password and you have reused it, then they could then gain
access to your details on other websites (Kumar, 2013).
According to the US Department of Homeland Security [12], manufacturing is the second
most targeted industry based on the number of reported cyber-attacks. Further,
cybercriminals view small and medium-sized manufacturers as prime targets because many
of these companies do not have adequate preventative measures in place. The fear of
breaches and cyberattacks is founded in the financial cost of attacks, which is no longer a
hypothetical number. Breaches cause real economic damage to organizations, damage that
can take months or years to resolve. According to Cisco’s research [13] more than half (53%)
of all attacks resulted in financial damages of more than US$500,000, including, but not
limited to, lost revenue, customers, opportunities and out-of-pocket cost.
Disruptive costs for business data breaches are most expensive in the USA and Canada
and least expensive in Brazil and India. The average per capita cost of data breach was $225
in the USA and $190 in Canada. The lowest cost was in Brazil ($79) and India ($64). The
average total organizational cost in the USA was $7.35m and $4.94m in the Middle East. The
lowest average total organizational cost was in Brazil ($1.52m) and India ($1.68m) [14]. To
have a clear idea about business concerns on cybersecurity IBM’s chief executive officer
made a declaration on hackers: “Cyber Crime Is The Greatest Threat To Every Company In
The World” (Morgan, 2015).
Cases such as Yahoo, which was victim of two massive data breaches back in 2013 and
2014 that potentially affected more than 1.5 billion users representing at least U$350m in
losses [15], or the American health-care insurance company Anthem Inc., which was hacked
in 2014 in the largest cyberattack in the history of the health-care industry that resulted in
the theft of the personal information of over 78 million customers also in sensitive medical
information and social security numbers being compromised. The attack’s outcomes were
Anthem admitting a payment of $115m – the largest settlement a company has ever had to
pay for a data breach (Pierson, 2017). “Anthem also agreed to pay $15 million to cover the
cost of damages to those affected by the data breach. However, these were not the only costs.
Anthem also had to employ forensic experts at a cost of $2.5 million, pay $112 million for
credit card monitoring, and pay $31 million to cover the cost of informing all affected
parties” [16].
Furthermore, a global cyberattack, known as the WannaCry ransomware attack, infected
more than 230,000 computers in over 150 countries (Solon and Hern, 2017). The cyber-attack
impact hit organizations worldwide including the UK’s National Health Service (NHS),
JFC which was “unprecedented” with devastating consequences (BBC News, 2017). WannaCry
28,2 attack crashed public and private organizations globally and it shows the importance of
international cybersecurity governance frameworks.
Beyond private institutions and many ransomwares paid [17], public institutions are
being targeted by cybercriminals also; in WannaCry case, the UK’s NHS was one of the most
significantly affected organizations globally. The attack of key NHS computers meant that
364 doctors had to cancel non-critical medical appointments and operations and it also
prevented doctors from accessing important patient data stored on their internal systems.
Nonetheless, this cyber catastrophe was not happened only in her majesty’s land. It was
global spread infection, contaminating 99 countries (BBC News, 2017). Russia was one of the
worst-hit nations, having banks, government ministries, railways and mobile phone
networks attacked. In addition, Germany’s federal railway operations were disrupted,
Renault was forced to shut down operations in France, the American logistics company
FedEx had its systems compromised and schools and hospitals in South Korea, China and
Indonesia were disrupted.
The last concern for this section is related to national security of states. In effect, almost
every computer in America is a potential border entry point. This reality makes
international engagement on cybersecurity essential (Rosenzweig, 2012, p. 1) and
increasingly becoming more important is international organized cybercrime. Its impact is
globalized and in many different parts, not following economic developed countries criteria
or only technological economies.
Exactly in this sense, the Global Economic Crime and Fraud Survey is a global survey
conducted biennially by PricewaterhouseCoopers since 2001. This report compares the
survey results in Rwanda to those observed in the East African Region (consisting of Kenya,
Uganda, Tanzania, Rwanda and Zambia), Africa and globally, putting them in the context of
social, political and economic developments of the past two years. The rapid global
advancement of technology tools and solutions brings with additional opportunities for
cyber criminals to perpetrate crime. Cybercrime, as indicated by Rwandan respondents, was
only the ninth most common form of economic crime in Rwanda, with an incidence rate of
11%. However, it is perceived to be one of the biggest potential threats to Rwandan
organizations in the future; at 15%, cybercrime scored the highest among Rwanda’s
respondents as the form of economic crime likely to be most disruptive to their organizations
in the next 24 months, both monetarily and otherwise. Thus, even developing or not
developed economies are being treated by cybercrime [18].
The European reality is even worse in terms of risks and vulnerabilities. According to a
recent survey [19], at least 80% of European companies have experienced at least one
cybersecurity incident over the past year and the number of security incidents across all
industries worldwide rose by 38% in 2015. The 2007 cyberattacks on Estonia were a
sequence of cyberattacks which targeted Estonian organizations, including parliament,
banks, ministries, newspapers and broadcasters, amid the country’s disagreement with
Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave
marker, as well as war graves in Tallinn (Ottis, 2008) [20]. Further, many other
cybersecurity incidents have happened in the European territory. Recently, 5 million
Bulgarians have their personal data stolen in hack [21], and extortionists have targeted
banks in Greece and Sweden (Zetter, 2016).
Moreover, some evidence have proved which Russian military intelligence executed a
cyberattack on at least one US voting software supplier and sent spear-phishing emails to more
than 100 local election officials just days before past November’s presidential election [22] and
the top-secret National Security Agency document, which was provided anonymously to The
Intercept and independently authenticated, analyses intelligence very recently acquired by the Global
agency about a months-long Russian intelligence cyber effort against elements of the US regulatory
election and voting infrastructure. The report, dated May 5, 2017, is the most detailed US
Government account of Russian interference in the election that has yet come to light (Cole
challenges
et al., 2019).
The belief that Russia is using some actions against countries as a cyberwar testing
ground is being considered. This new sort of conflict needs a laboratory for perfecting new
forms of global online combat. And the digital explosives that Russia has repeatedly set off 365
in Ukraine [23] are ones it has planted at least once before in the civil infrastructure of the
USA (Greenberg, 2017).
The current scenario “Ten economies – the ‘Cyber Ten’ – appear to be most heavily
dependent on internet-based interactions: South Korea, Netherlands, Switzerland, Denmark,
Finland, Vietnam, UK, Sweden, Australia and Germany. As a group, the Cyber Ten are six
times more vulnerable to cyberattack than the ten least vulnerable Top 50 countries”
(Greenberg, 2017, p. 22).
Thus, the necessity of a multistakeholder model of cyber governance is emerging in the
cyberspace. The development of a global internet governance modality to be applicated by
governments, the private sector and civil society, in their respective roles, sharing principles,
norms, rules, decision-making procedures and programs that shape the evolution and use of
the cyberspace are indispensable.
But there are big challenges and questions about this proposition. After all, is it possible
to find consensus between different jurisdictions and legislations and achieve a global
regulation to control internet? Should we consider choosing a law of one country to prevail
over internet? Or, is it possible to maintain the nation’s sovereignty about their regulation
and territory and establish a global system of conflict resolution with a minimum
consensus? We intend to briefly clarify these questions in the following section.

3. Regulatory approach
When dealing with global governance of cyberspace, we need to take into account that this
environment has its own characteristics, architecture and functioning completely different
from the traditional social structures of nation states, based on the regulation of their
territories (jurisdiction) and the exercise of control through central authorities (command
centralization).
It is likely that global governance approaches in cybersecurity have not been successful
in finding consensus among nations until today, because of the difficulty of establishing a
new governance model consistent with the values of cyberspace, which does not require
nations to give up sovereignty over the regulation of the topic and the control of their
territories. For the structuring of a sustainable governance program, sovereignty, respect for
the government model adopted by each country, its independence from the different legal
and economic, social and cultural structures present in different jurisdictions must be
adopted as indispensable premises.
Studies on the challenge of dealing in an organized and global way with threats
generated in cyberspace in the face of so many different regulations and social structures in
the world, started in the 1990s, when the internet started to be commercially disseminated
with greater force. Since the 1990s, several theories on the need for internet regulation have
been proposed, organizing themselves into four main doctrinal currents (Leonardi, 2012).
The first current, based on the theory of self-regulation of the internet, was inspired by
the text by John Perry Barlow, published in 1996, and entitled “A Declaration of the
Independence of Cyberspace” [24]. Through this theory, it was argued that any conflicts
JFC identified on the internet would be resolved by their own means, with the creation of specific
28,2 rules for cyberspace. This environment should be understood as separate from the
environment attainable by governments based on territorial control, a kind of environment
with legal immunity and with its own social contract between users (Goldsmith and Wu, 2006).
The second doctrinal current, in turn, have been proposed by David G. Johnson and David G.
Post, and it advocated the creation of a “unique and international regulation”, specific to
366 cyberspace and, for that, governments should work together, through international
organizations, to develop dialogue and develop global standards for the internet.
The first two proposals analyzed are based on the regulation of cyberspace, with greater
or lesser control exercised by the traditional model of governments. However, both demand
the elaboration of a single rule, applicable to all territories that can be reached through the
internet and, therefore, demand the reaching of a consensus on the proposed rules for the
regulation of cyberspace. As a result, these proposals quickly prove unsustainable, given
that the world reality presents nations that have radically different social norms and values,
and common interests are not sufficient to form their own regulation based on consensus.
The third theory on the need for internet regulation defended the application of the
“analogy to traditional legal institutes,” that is, it claimed that it was not necessary to create
new legislation or complement existing legislation to resolve conflicts arising from
cyberspace. It would be enough if good customs, principles and judgments were used to
achieve the best solution in the specific case. This is a position directly opposed to the
theories previously presented, totally based on regulation. However, this proposal was also
rejected, in view of the difficulty of comparing the internet with any pre-existing physical
environment, generating the risk of mistaken comparisons. The institute of analogy could be
useful in this context, but making it a rule could lead a judge to a wrong conclusion [25].
The fourth doctrinal current portrays a mixed approach, formulated by Joel Reindenberg
(Reidenberg, 1997), through the creation of the “Lex Inform
atica” concept, inspired by the Lex
mercatoria. In other words, guidelines could be developed about the new environment that has
its own characteristics and peculiarities, but these should be considered as a source of best
practices capable of supporting countries in interpreting their own laws, never replacing or
overlapping them. In this way, traditional regulatory mechanisms would be a priori sufficient
to resolve conflicts originating from the internet and, if they were not shown to be sufficient,
they could demand the creation of complementary rules capable of filling any existing gaps.
This would be the most adopted aspect in the world (Leonardi, 2012, p. 149), because of its
structures allowing greater flexibility to adapt to the current legal system.
It turns out that none of the above proposals proved to be sufficient to accommodate the
global challenges presented by the rapid spread of internet use and the advancement of
cybercriminals, which continue to generate conflicts between nations. The creation of global
guidelines and guidelines on the theme to complement local laws and harmonization of the
principle basis for dealing with such crimes does not solve the lack of dialogue between
countries, the main factor for the strategy to combat cybercrime to be aligned and effective
globally, as well as for countries to reduce rework by sharing important information for
investigations and collaborating with the absorption of lessons learned to increase maturity
in the topic.
The challenges of the digital environment demand a closer and less hampered [26] global
governance format on the part of states. It is necessary to structure an interaction model that
encourages dialogue, trust, egalitarian political participation and is flexible, allowing greater
adhesion by signatories. It is necessary to accept that processes of transformation of the
models of society demand time, stability and the promotion of initiatives capable of
culturally transforming the rooted structures.
 A model that can serve as inspiration for this scenario has been supported in the Global
European Union (EU) for decades with regard to the regulation of personal data protection. regulatory
General rules and good practices regarding the processing of personal data were already
formalized among all member countries of the EU, through the European Directive on the
challenges
Protection of Personal Data (Directive 94/46/EC). Such general guidelines did not prevent
each member country from regulating its territory according to its political, economic, social
and cultural characteristics, nor did it have the power to demand compliance with
obligations or to impose sanctions for non-compliance with the guidelines. For many years, 367
the guidelines have served to align expectations between EU member countries regarding
the rules on the processing of personal data, to encourage them to adopt formalized best
practices, to create a culture of personal data protection and to maturing of international
relations on the topic.
It took almost a decade of adopting this more flexible model, for the countries of the EU
to have a higher and equivalent level of maturity in relation to the topic, and to feel safe to
take the next step, initiating the discussion on a general regulation protection of personal
data more harmonious and consensual. In 2018, after two years of debate, the General Data
Protection Regulation came into force, legislation with binding power between nations and
with enforcement power. To make possible the resolution of eventual conflicts between the
data protection authorities of each EU member country, this general legislation created an
international body called “European Data Protection Board,” responsible for continuing the
process of cultural transformation of international governance and supporting local
authorities in creating the necessary cooperation mechanisms. A neutral Arbitral Chamber
was also established, composed of representatives and experts from all EU member
countries, and prepared to arbitrate any conflicts between authorities.
A similar strategy could be studied by the UN in a resumption of discussions initiated in
the 2000s, to build a more flexible and phased structure of global governance in
cybersecurity. The adoption of confidence-building measures, based on transparency, the
creation of a cyber-culture, an increase in countries’ maturity in relation to the theme and the
reaffirmation of respect for countries’ sovereignty, could contribute to the alignment of
expectations and to initiatives of collaboration, helping to increase confidence and
generating the necessary stability so that, in the future, more advanced proposals in terms of
regulation could be considered.
International cooperation is very important to protect and sustain the digital
environment and all the benefits generated by it globally, mainly social and economic.
Although the first global initiatives are timid and flexible, although focused only on sharing
information (to enable investigations or to monitor the evolution of cyber threats, allowing
the creation of recommendations on best practices), these are important as the initiatives
governance in cybersecurity come out of inertia and promote dialogue for countries to share
experiences.
Next, we will discuss some positive cyber governance initiatives already adopted,
planned or articulated by countries around the world.

4. Positive initiatives and near future

An important example of international cooperation on cybersecurity governance is the
agreement made between the private sector and public EU cybersecurity authorities in the
form of PPPs. PPPs have been considered an effective tool to ensure close cooperation
between public and private stakeholders across different issues. Around 12 EU member
states are currently using this instrument to incentivize the private sector to contribute to
the protection of critical infrastructures. A good example is the UP KRITIS PPP in Germany,
JFC a national initiative between the state and local carriers for the protection of critical
28,2 information infrastructures in Germany [27].
Further, EU is enacting many regulations ruling cybersecurity high standards of product
safety and infrastructure protection [28] to fulfill the EU vision presented the EU
cybersecurity strategy, which is articulated in five strategic priorities, which address the
following challenges:
368 (1) achieving cyber resilience;
(2) drastically reducing cybercrime;
(3) developing cyber-defense policy and capabilities related to the Common Security
and Defence Policy (CSDP);
(4) developing the industrial and technological resources for cybersecurity; and
(5) establish a coherent international cyberspace policy for the EU and promote core
EU values.

Moreover, the Japanese cybersecurity strategy is been considered a paradigm shift brought
about by cyberspace which no human have experienced before and increasing seriousness
of threats with cyberspace and real space unification, necessity of new strategy far-seeing
the Tokyo 2020 Games [29]. China’s cyber policy emphasizes the protection of critical
information infrastructure in public communications and information services, energy,
finance, transportation, water conservation, public services and e-governance, as well as
other critical information infrastructure that could cause serious damage to national
security, the national economy and public interest if destroyed, functionality is lost or data
are leaked [30]. Chinese law also mandates that core information technology, critical
infrastructure and important systems and data must be “secure and controllable” to protect
Chinese sovereignty over its cyberspace. China’s efforts to collaborate on cyber defense
include an agreement. India’s bilateral cyber initiatives include the US-India Cyber
Dialog [31], which discussed cyber issues including cyber threats, enhanced cybersecurity
information sharing, cyber incident management and norms of state behavior in cyberspace.
The dialog identified a variety of opportunities for increased collaboration on cybersecurity
capacity-building.
Additionally, South Korea is doubling the size of its cyber command and is reported to
have increased spending on cyber-related defense by 50% since 2009 (Kim, 2015). “Canada
has undertaken to develop a joint US-Canadian strategy for strengthening the security and
resilience of the North American electricity grid against the growing threat from cyber
attacks and climate change impacts. Poland has established a new Ministry of Digital
Affairs to improve the overall government approach to cyber and related information issues,
and to improve the financing of required investments in cyber capability. France announced
a comprehensive cyber strategy in October 2015, focusing on training, international
cooperation and expanded investments in cyber defense capabilities” [32].
Many (if not most) cyber norms depend, however, on bases other than law for their
propriety. Among states, various political agreements offer a basis for cyber norms, such as
the G-20’s recent endorsement of a prohibition on cyberespionage for commercial purposes,
the Organization for Security and Co-operation in Europe’s Parliamentary Declaration and
Resolution on Cybersecurity and the Shanghai Cooperation Organization’s Code of Conduct
for Information Security. Multistakeholder processes such as NETmundial (which involved
non-governmental organizations, firms and individuals) or the Montevideo Statement
(which was signed by the major internet institutions) suggest that the political basis of
propriety can also arise among actors other than states (Finnemore and Hollis, 2016, p. 442).
 How will military and civilian cyber response teams collaborate in the event of a Global
cyberattack on US critical infrastructure? It is not clear yet, but the maturing US Cyber regulatory
Command does not currently entertain ideas of going it alone in defense of critical
challenges
infrastructure [33]. The Commission today launches a new public–private partnership on
cybersecurity that is expected to trigger e1.8bn of investment by 2020. This is part of a
series of new initiatives to better equip Europe against cyber-attacks and to strengthen the
competitiveness of its cybersecurity sector [34]. 369
Many European countries are under the obligations provided by the NIS Directive, which
is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost
the overall level of cybersecurity in the EU [35]. Put in force by the National Strategies and
Cybersecurity Plan outlining long-term priority areas (in infrastructure, content and human
resources) together with specific tasks and timetables. They are approaching protection of
human rights and freedoms, building awareness and competence in information security,
creation of a secure environment, improving effectiveness in information security
management, ensuring sufficient protection of the critical (information) infrastructure,
national and international cooperation and enhancement of national competence [36].
Further, cybersecurity in the EU CSDP regarding challenges and risks for the EU [37]
approaches the delicate balance between sovereignty and central powers and
responsibilities, cyberspace as a separate domain of operation and application of existing
law of armed conflicts, hybrid technologies – drones used in conflicts, the issue of commonly
agreed definitions and taxonomy, the number and diversity of the actors involved in cyber
defense, military and civilian overlaps in cyber defense – a blurry borderline technological
innovation and the need for cybernorms and international efforts on cybernorms and the
role of the EU.
The cybersecurity certification framework is in line with the EU’s Cybersecurity
Strategy and the Commission’s Digital Agenda. These aim to harmonize the EU’s digital
ecosystem so as to better exploit the potential of ICT to foster smart, sustainable and
inclusive innovation, economic growth and progress in Europe.
Recently, the Brazilian Government published a decree on the National Cybersecurity
Strategy that demonstrates the country’s total openness to international cooperation on the
subject [38]. This norm determined that the national leadership is attentive to manage
international changes and to establish strategic alliances, with the largest possible number
of countries, in a transparent manner, aiming to expand the cybersecurity cooperation
agreements and expand the use of international mechanisms to combat cybercrimes.

5. Conclusion
Michael Zurn describes global governance as a multi-level governance system that goes
beyond national sovereignty and it also permits a huge competition between different
institutions, from domestic to international perspective (Zurn, 2010).
Cybersecurity is one of those transnational complex issues that challenge state capacity
to answer in a good manner. Otherwise international cooperation poses as one of the most
important tools that can reduce the tension within different levels of interaction. There are
many legal arrangements that provide good standards, but not good governance at all. Good
governance on international cooperation imposes coordination, management, consciousness,
maturity, common proposal, high-level commitment, professional and institutional
incentives, autonomy and independence. The problem is that the institutional design is
becoming politicized, and this increases the risk of ineffectiveness, despite all efforts in
development legal tools.
JFC Therefore, considering the most recent attempts in the EU on the cybersecurity agenda,
28,2 one factor plays a very essential role in advance to build up mutual trust: harmonization.
Harmonization is one of the keys to foster cooperation, but also good governance as well. In
fact, it brings all actors to the same page, they recognize themselves with the same concerns
and they respect their differences.
The complexity on cybersecurity matters is connected to other transnational agendas,
370 such as money laundering, corruption and organized crime, and successful policies
presupposes cooperative efforts on monitoring, investigating, prosecuting and controlling
the same enterprise. This seems to be utopic, but it should be pursuit if countries,
international organizations, private sector and civil society really want to be global
“citizens” operating beyond the reach of many national laws (Rose-Ackerman and Palifka,
2016).

Notes
1. The technical opening occurs, because the network uses protocols that allow the free integration
of different systems and the development of applications based on their structure, without the
need to submit the project or idea for approval, free of charge. In the same sense, the internet is
fully socially accessible, as it has a universal language, and is also inclusive, allowing anyone,
regardless of nationality, territory, creed, ethnicity, gender or income to access and interact with
the network. Institutionally, its architecture is open, as it allows access without the need to
approve it before an intermediary or control authority. It is an architecture that does not offer
traditional entry barriers for natural persons or organizations, based on a configuration that
provides the transfer of data directly between two computers connected to the World Wide Web
(Castells, 2003).
2. Named freelosofy by Franco Bernabé, in his book Liberdade Vigiada (Bernabè, 2013).
3. In Section 3.2 all of those examples will be detailed.
4. Microsoft Report. From articulation to implementation: enabling progress on cybersecurity
norms. June, 2016. p. 1.
5. Detailed information on the issued reports can be found on the UN’s website. As an example, it is
suggested to read the studies published after the 12th United Nations Congress on Crime Prevention
and the Global Challenges of Justice Systems in a world of constant change. Available in: www.
unodc.org/unodc/en/organized-crime/open-ended-intergovernmental-expert-group-to-conduct-a-
comprehensive-study-of-the-problem-of-cybercrime.html, with access on May 26, 2020.
6. According to the Internet World Stats, in 1995, only 0.4% (16 millions) of the global population
were internet users. In June 2019, 58.8% (4.53 billions) are using internet. More information
available at: www.internetworldstats.com/emarketing.htm
7. We Are Social: Digital in 2017 global overview: A collection of internet, social media and mobile data
from around the world. https://wearesocial.com/blog/2017/01/digital-in-2017-global-overview (2017).
8. Harari, Yuval Noah. 21 lições para o século 21. Companhia das Letras. Kindle Edition.
9. The Rt Hon Philip Hammond MP, Chancellor of the Exchequer. National cyber security strategy.
2016-2021. HM Government. p. 6.
10. Microsoft Report. From articulation to implementation: enabling progress on cybersecurity
norms. June, 2016.
11. Most voters to consider candidates’ cybersecurity records in future elections. Anomali Harris
Poll: Ransomware Hits 1 in 5 Americans. available in: www.anomali.com/blog/anomali-harris-
poll-ransomware-hits-1-in-5
12. Available in: www.nist.gov/blogs/manufacturing-innovation-blog/5-frequently-asked-questions- Global
among-manufacturers-about regulatory
13. Full report available at: www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf challenges
14. 2017 Cost of Data Breach Study Global Overview Benchmark research sponsored by IBM
Security Independently conducted by Ponemon Institute LLC June 2017.
15. “In July 2016, before Yahoo publicly revealed the 2013 and 2014 breaches, Verizon reached a deal 371
to acquire Yahoo for $4.8 billion. While the deal was thrown into doubt after Yahoo’s breach
revelations, the two companies maintain that the deal will be completed. However, closing of the
sale has been pushed back and the deal has been reduced by $350 million.” In: Yahoo Data
Breaches: A Lesson in What Not to Do, byte back law. Meghan Rohlf, March 2, 2017. www.
bytebacklaw.com/2017/03/yahoo-data-breaches-a-lesson-in-what-not-to-do/
16. Harvard, HarvardX. Cybersecurity: Managing Risk in the Information Age. Module I.
Coursebook, p. 16.
17. In 2016, Last year, cybersecurity researchers estimate that criminals made over $1bn through
ransomware, with victims ranging from the chief executives of Fortune 500 companies to mom-
and-pop businesses and private individuals. NYT, Mystery of Motive for a Ransomware Attack:
Money, Mayhem or a Message? Available at: www.nytimes.com/2017/06/28/business/
ramsonware-hackers-cybersecurity-petya-impact.html
18. www.pwc.com/ug/en/assets/pdf/gecs-2018-report.pdf
19. European Commission - Press release. Commission signs agreement with industry on
cybersecurity and steps up efforts to tackle cyber threats. Brussels, July 5, 2016.
20. In response to such attacks, NATO conducted an internal assessment of their cyber security and
infrastructure defenses. The assessment resulted in a report issued to the allied defense ministers
in October 2007. Because of the attacks, the Tallinn Manual on the International Law Applicable
to Cyber Warfare was also developed. This report outlined international laws which are
considered applicable to the cyber realm. The manual includes a total of 95 “black-letter rules”
addressing cyber conflicts.
21. 5 Million Bulgarians Have Their Personal Data Stolen in Hack – The New York Times. By Marc
Santora. July 17, 2019.
22. BBC News. Technology. Russian hackers cloak attacks using Iranian group. Gordon Corera.
Available at: www.bbc.com/news/technology-50103378
23. “Since the 2015 attack on Ukraine’s power grid—which temporarily shut down 30 substations,
interrupting power supply to 230,000 people48— evidence has been mounting of further attempts
to target critical infrastructure. In 2016, for example, an attack on the SWIFT messaging network
led to the theft of US$81 million from the central bank of Bangladesh. The European Aviation
Safety Agency has stated that aviation systems are subject to an average of 1,000 attacks each
month.49 Last year saw reports of attempts to use spear-phishing attacks (stealing data or
installing malware using individually targeted email scams) against companies operating
nuclear power plants in the USA.50 Most attacks on critical and strategic systems have not
succeeded – but the combination of isolated successes with a growing list of attempted attacks
suggests that risks are increasing. And the world’s increasing interconnectedness and pace
heightens our vulnerability to attacks that cause not only isolated and temporary disruptions, but
radical and irreversible systemic shocks.” World Economic Forum. The Global Risks Report
2018. 13th Edition, p. 15.
24. Whole content available in Eletronic Frontier Foundation (1996).
25. In this sense, Leonardi points out that “it is exactly at this point that the analogy represents
several risks when applied to legal issues arising from the internet,” because of the creation of
JFC mistaken comparisons between concepts of the virtual world and the physical world. The author
cites as an example a judicial decision of the North American Court, the Reno v ACLU, in which
28,2 the internet would have been compared to the following physical environments: public library,
telephone, corner, park, private shopping center, radio, television, newspapers and magazines
(Leonardi, 2012, p. 144).
26. Through agile governance, regulators must find continuous ways to adapt to a new and rapidly
changing environment, reinventing themselves to better understand what they are regulating. To
372 do this, governments and regulatory agencies need to collaborate closely with business and civil
society to successfully shape the necessary global, regional and industrial transformations. Agile
governance does not imply regulatory uncertainty or frantic and unremitting activity by
policymakers. We must not make the mistake of thinking that we are caught between two
equally unpalatable legislative frameworks – on the one hand the outdated, but stable and, on the
other, the updated, but volatile (Schwab, 2016).
27. European Parliamentary Research Service Scientific Foresight Unit (STOA). Cybersecurity in the
EU Common Security and Defence Policy (CSDP) Challenges and risks for the EU. Study EPRS/
STOA/SER/16/214N, P. 28
28. Regulation (EU) 2019/881 on ENISA (the EU Agency for Cybersecurity). Directive (EU) 2016/1148
concerning measures for a high common level of security of network and information systems
across the Union. Directive 2013/40/EU on attacks against information systems.
29. Summary of the Japan’s Cybersecurity Strategy (July 27, 2018 Cabinet Decision). Available at:
www.nisc.go.jp/eng/pdf/cs-senryaku2018-shousaigaiyou-en.pdf
30. KPMG Report. Overview of China’s Cybersecurity Law. Available at: https://assets.kpmg/
content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf
31. The US-India Cyber Dialogue reflects our nations’ broad engagement and long-standing
cooperation on important bilateral and global issues. The Cyber Dialogue is a forum for
implementing the framework for the India–US cyber relationship, in particular exchanging
and discussing international cyber policies, comparing national cyber strategies, enhancing
our efforts to combat cybercrime and fostering capacity building and research and
development, thus promoting cybersecurity and the digital economy (The White House,
2016).
32. Delloite Development. Report Global Defense Posture, 2016. Shifting Postures, Emerging Faulty Lines. p. 21.
33. Sean Lyngaas. The thin line between military and civilian cyber defense. FCW. October, 2015.
34. European Commission – Press release. Commission signs agreement with industry on
cybersecurity and steps up efforts to tackle cyber threats. Brussels, July 5, 2016.
35. European Commission – Press release. Digital Single Market. The Directive (EU) 2016/1148
on security of network and information systems (NIS Directive) was adopted by the
European Parliament on July 6, 2016 and entered into force in August 2016. Chapter two
outlines National Frameworks on the Security of Network and Information Systems.
36. Mencionar os países: . . ..
38. Decree n. 10.222, of February 5, 2020.

References
BBC News (2017), “World. Cyber-attack: Europol says it was unprecedented in scale”, available at:
www.bbc.com/news/world-europe-39907965
Bernabè, F. (2013), “Liberdade vigiada: Privacidade, segurança e mercado na rede”, Translation: Davi
Pessoa Carneiro, Sinergia, Rio de Janeiro.
Castells, M. (2003), A Gal
axia da Internet: Reflexos Sobre a Internet, os Neg
ocios e a Sociedade, Global
Publishing Company Zahar, Rio de Janeiro, p. 28.
regulatory
Cole, M., Esposito, R., Biddle, S. and Grim, R. (2019), “Top-secret NSA report details Russian hacking
effort days before 2016 election”, The Intercept,
challenges
Eletronic Frontier Foundation (1996), “A declaration of the independence of cyberspace”, available at:
www.eff.org/cyberspace-independence (accessed 11 November 2018).
Finnemore, M. and Hollis, D.B. (2016), “Constructing norms for global cybersecurity”, American Journal 373
of International Law, Vol. 110 No. 3, pp. 425-479.
Goldsmith, J. and Wu, T. (2006), Who Controls the Internet? Ilusions of a Borederless World, Oxford
University Press, New York, NY, p. 19.
Greenberg, A. (2017), “How an entire nation became Russia’s test lab for cyberwar. Wired”, available
at: www.wired.com/story/russian-hackers-attack-ukraine/
Kim, S. (2015), “The independent. South Korea enlists cyber warriors to battle Kim Jong-Un’s regime”,
available at: www.independent.co.uk/news/world/asia/south-korea-enlists-cyber-warriors-to-battle-
kim-jong-un-s-regime-a6753041.html
Kumar, M. (2013), “Cracking 16 character strong passwords in less than an hour”, available at: https://
thehackernews.com/2013/05/cracking-16-character-strong-passwords.html
Leonardi, M. (2012), “Tutela e privacidade na internet”, Saraiva, São Paulo, pp. 130-148.
Lessig, L. (2000), “Code is law: on liberty in cyberspace”, Harvard Magazine.
Morgan, S. (2015), “IBM’s CEO on hackers: Cyber crime is the greatest threat to every company in the
world”, Forbes, available at: www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-
hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/#3e03163373f0
Mounk, Y. (2018), The People vs. Democracy, Kindle Edition, Harvard University Press, p. 16.
Nurse, J.R.C. (2018), “Cybercrime and you: How criminals attack and the human factors that they seek
to exploit”, School of Computing, University of Kent, p. 2.
Ottis, R. (2008), “Analysis of the 2007 cyber attacks against Estonia from the information warfare
perspective”, Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia.
Pierson, B. (2017), “Anthem to pay record $115M to settle lawsuits over data breach”, Available
at: www.nbcnews.com/news/us-news/anthem-pay-record-115m-settle-lawsuits-over-
data-breach-n776246 (accessed 9 November 2017).
Reidenberg, J. (1997), “Lex informatica: the formulation of information policy rules through technology.
Texas law review”, p. 553. available at: https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?
article=1041&context=faculty_scholarship (accessed 1 December 2018).
Rose-Ackerman, S. and Palifka, B.J. (2016), Corruption and Government. Causes, Consequences and
Reform, Cambrigde University Press, New York, NY, p. 518.
Rosenzweig, P. (2012), “The international governance framework for cybersecurity”, Canada-United
States Law Journal, Vol. 37 No. 2, p. 421.
Schwab, K. (2016), “A quarta revolução industrial”, Translation by Daniel Moreira Miranda. Edipro,
São Paulo, pp. 74-75.
Solon, O. and Hern, A. (2017), “Petya’ ransomware attack: what is it and how can it be stopped?”,
available at: www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-
who-what-why-how (accessed 8 November 2017).
The White House (2016), “Office of the press secretary. September 29”, available at: https://
obamawhitehouse.archives.gov/the-press-office/2016/09/29/joint-statement-2016-united-states-
india-cyber-dialogue
Wall, D.S. (2004), “The internet as a conduit for criminals”, in Pattavina, A. (ed) Information Technology
and the Criminal Justice System, Sage, Thousand Oaks, CA, pp. 77-98.
JFC Zetter, K. (2016), “What are DoS and DDoS attacks?. Hacker lexicon”, available at: www.wired.com/
2016/01/hacker-lexicon-what-are-dos-and-ddos-attacks/
28,2
Zurn, M. (2010), “Global governance as multi-level governance”, in Enderlein, E., Wälti, S. and
Zurn, M. (Eds) Handbook on Multi-Level Governance, Edward Elgar Publishing,
Northampton, pp. 94-95.

Corresponding author
374 Fabio Ramazzini Bechara can be contacted at: [email protected]

For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: [email protected]