Last week, Tripwire published an article analyzing the ways in which the United States’ International Strategy for Cyberspace (ISC 2011) has informed the ideas outlined in the recently released 2015 National Security Strategy (U.S. NSS 2015).
In my analysis, I compared both documents’ usage of the term “cyber” and found that while they vary somewhat in their approach, both documents support the view that norms and international partnerships are crucial in addressing today’s threats in the field of information security.
I now continue our series by analyzing to what extent the International Strategy for Cyberspace’s usage of the term “cyber” compares to that of the Cyber Security Strategy for Germany (CSSG).
The Cyber Security Strategy for Germany uses the term “cyber” a total of 72 times in 15 pages.* Statistically, this equates to about five separate instances of the term occurring on each page.
My analysis reveals that the CSSG employs the term “cyber” across seven different context points, whose percentages of distribution are displayed below in Chart 1.
As illustrated above, “cyber security” is the most prominent context point at 50%, or 36 individual instances. It is followed by “cyber space,” which covers a quarter of the document’s total usage of the term “cyber.”
None of the remaining context points are individually mentioned more than 10 times in the Cyber Security Strategy for Germany. “National Cyber Response Centre” is mentioned in six separate instances (8%), with “cyber attack” and “cyber crime” both registering at 7%, or five unique occurrences.
Meanwhile, the CSSG mentions both “cyber policy” and “cyber code” only once (1.5%).
It is not surprising that “cyber security” is the most prevalent context point given its inclusion in the document’s title. The Introduction reinforces this emphasis by stating the following: “Ensuring cyber security has thus turned into a central challenge for the state, business and society both at national and international level” (2). In this regard, Germany views security as the most pressing political issue when it comes to engaging the digital space.
That is not to discount the influence of other factors with respect to this view, however. After all, the Cyber Security Strategy for Germany in several instances articulates the need to balance security with the preservation of those benefits that users can derive from “cyberspace.”
Therefore, Germany in this document sees its need for “cyber security” within the context of a preventive strategy, i.e. an approach that defuses and mitigates threats before they evolve into more serious risks. If Germany can confront these threats early on, it can reinforce the security of all Germans’ information while preserving their online liberties.
At the same time, Germany sees information security as a challenge that extends beyond the scope of the federal government. The country therefore emphasizes the importance of creating partnerships with private industries. This is evident in its decision to create the National Cyber Response Team, an organization whose mission is to coordinate public-private information sharing along with the country’s National Cyber Security Council.
Finally, the CSSG emphasizes the importance of international partnerships as a means to address today’s shared “cyber” threats, the most pressing of which include cybercrime and attacks against critical infrastructure.
The United States
As a refresher, the International Strategy for Cyberspace uses the term “cyber” 141 times across 30 pages. (This excludes 14 separate occurrences in page headers.) Though the German document is half the length of the ISC 2011, both security strategies employ “cyber” with the same average frequency, or approximately five occurrences per page.
A closer look reveals that the International Strategy for Cyberspace employs three different context points: “cyber space,” “cyber security,” and “cyber crime.” Their relative distribution percentages are 62%, 26%, and 14%, respectively, as is conveyed in Chart 2 below.
It is apparent that the Cyber Security Strategy for Germany employs a more diversified vocabulary than the ISC 2011. More than half of its context points—“National Cyber Response Centre,” “cyber attack,” “cyber policy,” and “cyber code”—do not appear in the United States’ security strategy. The absence of these terms reflects the overriding focus of the ISC 2011 on building international partnerships that, among other objectives, uphold a variety of norms, including privacy and the free flow of information.
By contrast, the German document mentions norms only a few times, and even then, it does not divulge what these norms should be. Instead, the CSSG upholds the importance of creating a code of conduct for how states engage their digital space, which reflects Germany’s contributor status (as opposed to the United States’ self-assumed leadership status) regarding “cyber” norm promotion.
Another significant difference is the United States’ mention of military “self-defense” in the event of a significant security incident. This concept is not found in the German document. In fact, although it emphasizes the fact that “cyber attacks” can be part of military operations, the CSSG stops short of militarizing “cyber space,” thereby elevating “cyber crime”—an economic issue that is the concern of law enforcement—as one of the most significant “cyber” threats today.
These differences notwithstanding, both documents emphasize the importance of international partnerships and of balancing security with the need to preserve the benefits of “cyberspace.”
The Cyber Security Strategy for Germany recognizes “cyber security” as one of Germany’s most central challenges. As such, it spends considerable time discussing the importance of leveraging domestic resources, such as the National Cyber Response Centre and the National Cyber Security Council, as a means to protect German users. It then recognizes that security threats today transcend state borders and thus require active international partnerships.
By contrast, the International Strategy for Cyberspace for the most part links every “cyber” threat to challenges that the international community must confront together under the leadership of the United States. The ISC 2011 is also more willing to militarize “cyberspace,” whereas the German document practices restraint in this regard.
*NOTE: This sum pertains to the main text of the security document only. Both the Abbreviations and Definitions sections of the Cyber Security Strategy for Germany are excluded in an attempt to analyze the context in which the term “cyber” is used.