Exam prep
Data Protection
Current issues with cloud business models (politics)
There are 3 overall business models:
1) PaaS: Provides customers with a platform to develop, run, and manage applications
without the complexity of building and maintaining the underlying infrastructure.
a) Primarily aimed at developers and programmers.
b) Examples: Google App Engine, Heroku.
2) IaaS: virtualized computing resources over the internet. The most basic and flexible
model. It provides servers, storage, networking hardware, and data center space.
a) Suitable for IT administrators and businesses that want control over their
infrastructure without the physical burden of maintaining it.
b) Examples: Amazon Web Services, Microsoft Azure.
3) SaaS: delivers software applications over the internet, on a subscription basis. Users
access software applications hosted on cloud servers, usually through the web.
a) Target end-users and businesses that need to use software applications
without managing the underlying infrastructure or the platforms.
b) Examples: Google Workspace, Salesforce.
The issues with this are:
● Absolute dependency on your provider.
● Providers are often an oligopoly of US-based companies.
● Privacy and data security - you don't really know where your data is (Schrems I and
II).
● You don't know who actually has access to your data - governments could overrule
privacy.
Schrems I (2015):
● Focus: challenged the EU-US Safe Harbor framework.
● Key issues: concerns about the privacy of EU citizens' data when transferred to
the US, particularly in light of US government surveillance (Snowden 2013).
● Outcome: The European Court of Justice (ECJ) invalidated the Safe Harbor
agreement, ruling that it did not provide adequate data protection for EU citizens.
Schrems II (2020):
● Focus: challenged the EU-US Privacy Shield, which replaced Safe Harbor.
● Key issues: continued concerns over US surveillance practices and whether the US
ensures an adequate level of data protection.
● Outcome: The ECJ declared the EU-US Privacy Shield invalid. It emphasised that US
surveillance programmes were not limited to what is strictly necessary and proportionate,
as required by EU law.
GDPR (2016) - summary
Main purpose: Strengthens data protection: Enhances individuals’ privacy rights in the EU
and regulates how organizations process personal data.
Key points:
● Wide applicability: affects all organisations handling the personal data of people in
the EU, regardless of where the organisation is located.
● Consent and rights: emphasises consent (or another lawful basis) for data use and
grants individuals rights over their data, including access, correction, and deletion.
● Accountability: organisations must be able to demonstrate compliance and can face
significant fines for non-compliance.
● Data breach notification: requires reporting of personal data breaches to the
supervisory authority without undue delay and, where feasible, within 72 hours of
becoming aware of them.
GDPR (2016) - elaborated
Main purpose:
1. Enhance privacy rights: strengthens and unifies data protection for individuals within
the EU, giving them greater control over their personal data.
2. Regulate data processing: sets guidelines for the collection, processing, and use of
personal data by organisations.
3. Harmonise data protection laws: provides a consistent data protection framework
across all EU member states, reducing regulatory fragmentation.
Key Insights:
● Broad scope: applies to all organisations established in the EU and to organisations
outside the EU that offer goods or services to, or monitor the behaviour of, individuals
in the EU (data subjects, not only citizens).
● Consent and transparency: Requires clear consent for data processing and
mandates that organizations be transparent about how they use personal data
(cookies).
● Data subject rights: Grants individuals rights such as access to their data, the right to
have data corrected or deleted, and the right to data portability.
● Data protection by design and by default: requires the integration of data
protection measures into the development of business processes and systems.
● Data breach notification: Mandates prompt notification to authorities and individuals
in the event of a data breach.
● Accountability and compliance: Organizations must demonstrate compliance with
GDPR principles, which may include maintaining detailed records of data processing
activities.
● Significant penalties: Non-compliance can lead to hefty fines.
Digital Platforms:
Digital platform is defined as: a software-based online infrastructure that facilitates
interactions and transactions between users.
Current issues with digital platforms (politics)
● Circumventing existing labor laws (Uber).
● Disrupting entire industries (Facebook vs. traditional news)
● Exclusions (Removal of users, removing a company from their website)
● Promoting surveillance capitalism (Facebook - advertising)
● Undermining democracy (Brexit)
As a result of these and other issues, the new digital laws (DSA and DMA) were created.
DSA (Jul. 2022) and DMA (Nov. 2022)
DSA Purpose: To create a safer digital space for users with greater accountability for online
platforms.
● Impose stricter content moderation rules
● Enhance transparency in algorithmic processes
● Protects user rights and freedom of expression.
DMA Purpose: To ensure fair competition in the digital market, focusing on large platforms
(gatekeepers).
● Prevents market abuses by dominant platforms
● Mandates data sharing and interoperability
● Strengthens enforcement with significant penalties for non-compliance
DSA (Jul. 2022) elaborated:
Main purpose: To create a safer and more accountable online environment for users.
Key Insights:
● Enhances responsibility for online platforms - this means greater accountability for
content management, particularly for large platforms.
● User rights and protection - ensuring freedom of expression and offering redress
mechanisms against content moderation decisions.
● Transparency in operation - meaning it requires platforms to disclose algorithmic
processes, particularly those influencing content recommendations.
● Advertising transparency - this means that platforms are obligated to clearly label an
advertisement with information about the advertisers and targeting criteria.
● Illegal content management - here the DSA sets clear rules for the swift removal of
illegal content.
● Risk management - very large online platforms must regularly assess the systemic
risks their services create (spread of illegal content, effects on public discourse,
etc.), mitigate them, and submit to independent audits of their compliance.
● Crisis response mechanism: online platforms are expected to have a plan for
responding to emergent threats such as disinformation, including mitigation through a
combination of content removal, coordination with public authorities and other measures
that reduce the effect.
● Stronger enforcement - the DSA introduces a robust oversight structure with
significant penalties for non-compliance.
DMA (Nov. 2022) elaborated:
Main purpose: To ensure fair competition in the digital market, particularly concerning large
platforms known as “gatekeepers”.
Key insights:
● Regulation of Gatekeepers - meaning the DMA targets only the dominant online
platforms to prevent market abuse.
● Fair competition - meaning that the DMA seeks to level the playing field for smaller
businesses.
● Specific prohibitions and obligations - the DMA outlines clear rules for gatekeepers,
including prohibitions on certain business practices e.g. favoring their own products,
interoperability between platforms, access to data for users, etc.
● Data sharing and interoperability - mandates gatekeepers to share data and ensure
interoperability with smaller platforms.
● Increased scrutiny and penalties: Introduces stringent enforcement mechanisms and
involves national authorities in ensuring compliance.
● Promotion of innovation and consumer choice - aims to foster a more dynamic and
competitive digital market.
AI Regulation:
Current issues with AI:
● The end of civilization
● Lack of transparency
● Amplifying bias
● Copyright and privacy concerns (models trained on copyrighted and personal data)
● Disinformation in elections, war, and diplomacy (deepfakes, manipulated or
fabricated news).
Challenges in regulating AI:
● Speed of technological development
● Complexity of AI especially when combined with other software products
● Different approaches to regulating AI (China vs. EU)
AI Act (political agreement Dec. 2023, formally adopted 2024):
Main purpose: regulate AI use, meaning establishing rules to ensure safe and ethical use
of AI within the EU.
1) Risk management: Classify AI systems based on the risk they pose, focusing on
ensuring high-risk AI systems are safe, transparent, and compliant with fundamental
rights.
2) Innovation facilitation: encourage the development and uptake of AI across the EU,
while ensuring AI systems are ethical and trustworthy.
3) Legal clarity: Provide legal certainty for businesses and developers by establishing
clear rules on AI usage.
Key points:
● Risk-based approach: Classifies AI systems by their risk level, with stricter rules for
high-risk AI.
● Transparency and data governance: emphasises transparency in AI operations and
mandates high-quality data to reduce bias.
● Human oversight: Stresses the importance of human control in AI decision-making,
especially for high-risk applications.
● Compliance and monitoring: sets mechanisms for ensuring AI systems comply with
the regulations.
Cybersecurity:
Cybersecurity incidents (cases):
2010 Stuxnet:
● Target: primarily Iran's uranium enrichment facility at Natanz, where it caused
significant physical damage to centrifuges.
● Nature of attack: a sophisticated computer worm, widely believed to be state
sponsored.
● Significance: marked a new era in cyber warfare by showing how a digital attack could
cause physical destruction.
2013 Snowden revelations:
● Disclosure: Snowden leaked classified documents revealing extensive global
surveillance programs run by the NSA and its international partners.
● Scope of surveillance: The documents showed widespread collection of telephone
metadata and internet communications from various platforms and providers.
● International impact: Revealed that the surveillance extended beyond the US to
include monitoring of foreign leaders and citizens worldwide. This sparked an
international discussion about digital privacy and the balance between national
security and individual rights.
2014 Sony and Yahoo hacks
● Data breach: both companies were breached and personal information such as email
addresses, telephone numbers, dates of birth, etc. was leaked (Sony Pictures in 2014;
Yahoo's 2013-2014 breaches were only disclosed in 2016).
● Implications: both attacks highlighted the vulnerability of major corporations to
cyberattacks and the consequences of such breaches for privacy, security, and
corporate integrity.
● Both were attributed to state-linked actors (Sony to North Korea) and caused extreme
reputational damage and financial consequences for the companies.
2015 US-China cyber espionage agreement
● Context: growing concerns about cyber espionage, particularly for economic
advantages.
● Agreement: Both countries agreed to not knowingly support cyber-enabled theft of
intellectual property or trade secrets for economic gain.
● This marked the first formal agreement, addressing the issue of state-sponsored
cyber economic espionage.
2017 major cyberattacks
Equifax (one of the largest credit reporting agencies in the US) data breach:
● Cause: attackers exploited an unpatched Apache Struts vulnerability in a public-facing
web application; a fix had been available for about two months.
● Breach: exposed names, Social Security numbers and dates of birth of about 147
million people.
● Impact: one of the most severe breaches in terms of the sensitivity of the data
compromised.
Shadow Brokers, EternalBlue, and WannaCry:
● A group calling itself the Shadow Brokers leaked several NSA hacking tools, including
EternalBlue.
● EternalBlue: an exploit for a vulnerability in the SMBv1 file-sharing protocol in
Microsoft Windows (patched by Microsoft as MS17-010 in March 2017, shortly before the
leak). It highlighted the dangers of stockpiling cyber weapons.
● WannaCry ransomware (May 2017): used EternalBlue to spread like a worm between
unpatched computers worldwide, encrypting files and demanding ransom payments.
NotPetya attack (June 2017) - Maersk
● Initial entry was a trojanised update of the Ukrainian accounting software M.E.Doc (a
software supply chain attack); inside networks it then spread using EternalBlue and
stolen credentials.
● Although it looked like ransomware, it was effectively a wiper: encrypted data could not
be recovered even after payment.
● Impact: caused billions of dollars in damage across multiple multinational
companies; Maersk alone reported costs of around 300 million USD.
● Attribution: widely attributed to Russian state-sponsored actors (Sandworm).
2020 the SolarWinds Orion cyberattack:
● Widespread impact: attackers compromised SolarWinds' build process and inserted a
backdoor (known as SUNBURST) into signed updates of the Orion software, affecting
numerous government agencies and private organisations globally.
● Because the malicious code shipped inside legitimate, signed software updates, victims
installed it through their normal update channels and it went undetected for months.
● Discovered in December 2020 by the security company FireEye while it was investigating
an intrusion into its own network.
● Widely attributed to state-sponsored actors (Russia's SVR).
Cybersecurity risk management
Lockheed Martin cyber kill chain:
The Lockheed Martin cyber kill chain is a model used to understand and disrupt cyber
intrusions. It describes the stages of a typical cyberattack; breaking the chain at any
stage stops the attack:
1. Reconnaissance: identify the targets (people, systems, exposed services)
2. Weaponization: prepare the operation and choose the attack vector (e.g. pair an
exploit with a backdoor in a document)
3. Delivery: launch the operation and get the weapon to the victim (e.g. phishing
email, malicious website, USB stick)
4. Exploitation: trigger the vulnerability to gain code execution on the victim
5. Installation: the malware establishes a presence on the victim's system, often
gaining privileged access and ensuring persistent access to the network
6. Command and Control (C2): the attacker obtains remote control over the infected system
7. Actions on objectives: the attacker accomplishes their goal (e.g. data theft,
destruction)
NIST Framework (risk management process, NIST SP 800-39):
NIST publishes guidelines and frameworks for improving cybersecurity and managing risk in
organisations. The four-step risk management process below comes from NIST SP 800-39
(the separate NIST Cybersecurity Framework, first published in 2014, is organised around
the functions Identify, Protect, Detect, Respond, Recover). The key points are:
1. Frame the risk: risk assumptions, constraints, tolerance, priorities
2. Assess the risk: specific threats, vulnerabilities, potential harm as well as the
likelihood; determination of risk
3. Respond to risk: develop and evaluate alternative courses of action, determine the
appropriate course of action, implement the risk response
4. Monitor risk: verify that the risk response is implemented, determine ongoing
effectiveness, identify risk-impacting changes
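The four steps above as a worked example. This is an added illustration, not code from the notes or from NIST: a small Python risk register that frames tolerance and budget (step 1), scores likelihood × impact (step 2), picks a response per risk within the frame's constraints (step 3), and re-scores when a risk-impacting change arrives (step 4). The control catalogue, the register entries, the scores and the budget are constructed and hypothetical. The same procedure is the one asked about in the "How can businesses effectively conduct cyber risk assessments?" question later in these notes, so this one example serves both.

```python
"""Worked NIST SP 800-39 cycle: frame -> assess -> respond -> monitor.

Added example, not from the notes or from NIST. The control catalogue,
register entries, scores and budget are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskFrame:
    """Step 1 - frame: what the organisation assumes, tolerates and prioritises."""
    tolerance: int      # risks scoring at or below this are accepted untreated
    budget: int         # constraint: units available for risk responses
    priorities: tuple   # asset classes treated first, in order


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)
    response: str = "untreated"
    cost: int = 0

    @property
    def score(self) -> int:
        # "determination of risk": likelihood x impact on a 5x5 matrix
        return self.likelihood * self.impact


# Hypothetical control catalogue: vulnerability -> (control, cost, residual likelihood)
CONTROLS = {
    "SMBv1 reachable, MS17-010 unpatched": ("patch and disable SMBv1", 2, 1),
    "vendor updates installed unverified": ("verify signatures, stage rollouts", 3, 2),
    "backups only online": ("add tested offline backups", 4, 1),
    "phishing-susceptible staff": ("awareness training plus MFA", 1, 3),
}

# Constructed sample register (step 2 input): threat, vulnerability, likelihood, impact
REGISTER = [
    Risk("file servers", "ransomware worm", "SMBv1 reachable, MS17-010 unpatched", 4, 5),
    Risk("build pipeline", "trojanised vendor update", "vendor updates installed unverified", 2, 5),
    Risk("backups", "destructive wiper", "backups only online", 3, 5),
    Risk("workstations", "credential phishing", "phishing-susceptible staff", 5, 2),
    Risk("intranet wiki", "defacement", "outdated CMS theme", 2, 2),
]
FRAME = RiskFrame(tolerance=6, budget=7, priorities=("file servers", "backups"))


def assess(register):
    """Step 2 - assess: rank risks, highest score first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def respond(register, frame):
    """Step 3 - respond: choose accept / mitigate / transfer-or-escalate per risk.

    Priority assets are treated first, then the rest by score. A mitigation is
    applied only if the catalogue has a control and the budget still covers it.
    Returns the treated register (with residual likelihoods) and the budget left.
    """
    remaining = frame.budget

    def order(r):
        rank = frame.priorities.index(r.asset) if r.asset in frame.priorities else len(frame.priorities)
        return (rank, -r.score)

    treated = []
    for r in sorted(register, key=order):
        if r.score <= frame.tolerance:
            treated.append(replace(r, response="accept"))
            continue
        control = CONTROLS.get(r.vulnerability)
        if control is not None and control[1] <= remaining:
            name, cost, residual_likelihood = control
            remaining -= cost
            treated.append(replace(r, response="mitigate: " + name,
                                   cost=cost, likelihood=residual_likelihood))
        else:
            # no affordable control: transfer (e.g. insure) or escalate for a decision to avoid
            treated.append(replace(r, response="transfer/escalate"))
    return treated, remaining


def monitor(treated, frame, changes):
    """Step 4 - monitor: re-score with risk-impacting changes, flag anything above tolerance.

    changes maps vulnerability -> new likelihood (e.g. a public exploit appeared).
    """
    findings = []
    for r in treated:
        current = replace(r, likelihood=changes.get(r.vulnerability, r.likelihood))
        if current.score > frame.tolerance:
            reason = ("accepted risk now exceeds tolerance" if r.response == "accept"
                      else "residual risk still above tolerance")
            findings.append((current.asset, reason, current.score))
    return findings


if __name__ == "__main__":
    treated, left = respond(REGISTER, FRAME)
    for r in treated:
        print(f"{r.asset:14} residual score {r.score:2} -> {r.response}")
    print("budget left:", left)
    # a public exploit for the wiki theme appears: the accepted risk must be revisited
    for finding in monitor(treated, FRAME, {"outdated CMS theme": 5}):
        print("monitor:", finding)
```

Running it shows the frame doing real work: the two priority assets are treated first and consume most of the budget, the build pipeline risk is left to be transferred or escalated because its control no longer fits, and the monitoring step catches that the previously accepted wiki risk now exceeds tolerance after the likelihood change.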
Incident Response Plan: NIST SP 800-61
The incident response plan is in essence a playbook for how to respond to a serious breach.
NIST SP 800-61 describes four phases:
1. Preparation: risk assessment, communication plan, roles and responsibilities, tooling
2. Detection and analysis: the organisation should be able to detect deviations from
normal activity and triage them
3. Containment, eradication and recovery: contain the damage, find and remove the root
cause, restore systems and get back online
4. Post-incident activity: documentation and lessons learned, feeding back into preparation
Risks in supply chain cybersecurity
Hardware: Where did the IoT device come from and who can access it? Could the manufacturer
access it through a backdoor (the Huawei debate), and will the supplier be responsible for
patching any software vulnerabilities that are found?
Software: Will the developer who wrote software for your company be responsible for
checking it for vulnerabilities and fixing them?
Cybersecurity regulation summarized:
● Cybersecurity Act (2019): Focuses on improving cybersecurity across the EU,
enhancing ENISA’s role, and introducing EU-wide cybersecurity certification
schemes.
● NIS2 Directive (2022): Expands on the original NIS Directive, broadening the scope
and enhancing security requirements for entities in critical sectors.
● Cyber Resilience Act (2023): concentrates on the cybersecurity of products with
digital elements, emphasising security throughout the product lifecycle.
● Cyber Solidarity Act (2023): aims at improving preparedness for and response to
cybersecurity incidents, including establishing a Cyber Emergency Mechanism and an
EU cybersecurity reserve.
● DORA (2022): Targets the financial sector, focusing on strengthening the resilience
of digital systems against ICT disruptions and threats.
Cybersecurity regulation:
Cybersecurity Act (2019)
Main purpose: Strengthen cybersecurity across the EU, enhancing overall network and
information system security.
Key points:
● ENISA’s Role: Empowers ENISA with a permanent mandate to assist member states
in cybersecurity matters.
● EU-wide cybersecurity certification framework: Introduces a framework for
establishing EU-wide cybersecurity certification schemes for ICT-products, services,
and processes.
● Increased collaboration: Encourages cooperation and information sharing between
member states on cyber security threats and incidents.
● Risk Management and Incident Reporting: Emphasizes the need for key industries to
adopt risk management practices and report major cybersecurity incidents.
NIS2 (2022)
Main purpose: Enhancing cybersecurity of network and information systems across the EU.
Key points:
● Stricter security requirements when it comes to companies in essential and
important sectors.
● Increase reporting obligations: Mandates timely incident reporting for significant
cyber attacks.
● Enhanced enforcement: Introduces tougher penalties for non-compliance.
● Cross-border collaboration: Encourages greater cooperation and information sharing
among EU member states on cybersecurity issues.
● Divided into two main categories: essential entities and important entities
● Introduces three key measurement areas: strategy (plan and protect), detection and
response (detect and react), and infrastructure and application security (build and
maintain security)
Digital Operational Resilience Act (DORA) (2022)
Main purpose: strengthening the financial sector's resilience, ensuring financial entities
can withstand, respond to, and recover from ICT disruptions and threats.
Key points:
● Risk management: requires financial entities to identify, categorize, and manage ICT
risks.
● Testing and reporting: Mandates regular testing for cyber resilience and incident
reporting.
● ICT third-party providers: Includes oversight and regulation of critical third-party ICT
service providers, including cloud services.
● Harmonisation of rules: seeks to harmonise the digital operational resilience framework
across EU member states, creating a consistent approach within the financial sector.
Cyber Resilience Act (2023)
Main purpose: enhancing the cybersecurity of products with digital elements, aiming to boost
overall cyber resilience across the EU.
Key points:
● Mandatory requirements for manufacturers, distributors, and importers of digital
products.
● Product lifecycle: emphasises security across the entire lifecycle of products, from
design to disposal.
● Risk management: requires manufacturers to assess and manage the cybersecurity
risks associated with their products.
● Incident response: Obligates companies to report significant cybersecurity incidents
and to provide regular updates on security of their products.
● Market surveillance: Increase market surveillance to ensure compliance with
cybersecurity standards.
Cyber Solidarity Act (2023)
Main purpose: Strengthening EU cybersecurity through enhanced preparedness and
response to incidents.
Key points:
● Cyber emergency mechanisms: Implements measures for preparedness and
response to incidents.
● Incident review mechanism: reviews significant incidents and provides
recommendations.
● Enhanced cooperation: focuses on mutual support between member states and
collaboration with international partners.
Example cases
Question: Why is Supply Chain Cybersecurity such a prominent
issue today when it has not been in the past?
Intro: We live in an age where everything that can be digitalised is being digitalised. With
digitalisation comes a higher risk of cyberattacks, as the attack surface gets bigger.
Combined with companies increasingly outsourcing tasks to suppliers so they can focus
on their core value of providing products and/or services, this creates an even bigger
attack surface that attackers can use to penetrate your network. This is especially critical
when it comes to critical infrastructure, as seen in the Ukraine war, where a Russian
cyberattack on the Viasat satellite network at the start of the invasion disrupted Ukrainian
internet and telecommunication services, and Starlink terminals were activated to help
restore connectivity. Additionally, the NotPetya attack on Maersk in 2017 almost brought
down one of the biggest companies in Denmark, which only recovered because a single
domain controller happened to be offline during the attack. Had Maersk not survived the
cyberattack, it would have had severe consequences for the Danish economy.
Arg 1: Digitalisation, outsourcing, and responsibility → effect on security
With a world in constant digitalisation and organisations increasingly focusing on their core
competencies and becoming more reliant on suppliers for other functions, supply chain
cybersecurity is becoming ever more important. As more outsourcing happens, we become
more reliant on software that is not under our own supervision and on hardware produced
overseas. Important questions to ask here are: who produced this hardware, could they gain
access to my network through a backdoor, and will they ensure that discovered
vulnerabilities are patched? Will the developers who wrote my code maintain it and ensure
no vulnerabilities exist? These aspects are also what make supply chain cybersecurity
complex, as one company may have many different suppliers. With the new Cyber Resilience
Act (2023), there is a bigger focus on providers keeping their products and services secure
throughout their entire life cycle, which prompts companies to take more responsibility
rather than leaving it to the consumers themselves. Furthermore, we also see a focus on
supply chain cybersecurity in the NIS2 Directive (2022), which requires essential and
important entities to take a more risk-based compliance approach to their cybersecurity,
including art. 18 and 22, which require these entities to ensure that their supply chains are
secure. Thus we see an increased focus on cybersecurity in general, and specifically on
supply chains as well.
Arg 2: SolarWinds Orion incident - security - global economy
The increased focus on supply chain cybersecurity and the adoption of the NIS2 Directive in
2022 seem to be a result of cyberattacks on supply chains. One of the biggest was the
SolarWinds Orion attack in 2020. SolarWinds Orion was a widely used IT monitoring product,
which was compromised in 2020 in such a sophisticated manner that it was not caught until
the cybersecurity company FireEye detected deviations in its own network and traced them
back to SolarWinds. The attackers had even managed to plant their malware in the
legitimate, signed software updates. This attack affected multiple governments and private
entities, highlighting the risks in software supply chains and demonstrating the need for
broad and robust cybersecurity measures as well as advanced security strategies. The attack
was attributed to state-sponsored hackers, which makes the impact even greater. This is
extremely problematic, especially in the case of SolarWinds, which was reportedly used by
multiple US national security agencies. The attackers could potentially have targeted
critical infrastructure or gained access to confidential data, risking public safety.
Conclusion: Due to increased digitisation and more complex supply chains, supply chain
cybersecurity is becoming ever more important. There has been an increased focus on
supply chains and on cybersecurity in general when you look at regulation, which is
probably due to the increasing number of cyberattacks and their increasing sophistication.
Question: Do we need a UN Convention regulating the use of
AI? → It has certain benefits and certain disadvantages
Intro: We see a world today where AI is growing exponentially, which is causing several
concerns. Thought leaders like Elon Musk say it could be the end of civilisation. There is a
big focus on biased technology and how the use of AI will only amplify that bias. There are
serious concerns about the transparency of the algorithms and how they work when it comes
to decision making, especially decisions of importance, e.g. who can get a loan, who is
called in for a job interview, self-driving cars. As we currently do not fully understand how
an AI makes decisions, there is also no possibility of explanations. There is the ever growing
concern about disinformation, especially when it comes to elections and war. And then there
is of course the problem of copyright, as AI is currently trained on all sorts of data,
copyrighted or not, raising the question of who actually owns the creations an AI makes and
suggesting that old copyright laws need to be adjusted. What is especially hard to regulate
is algorithmic transparency, as it takes very knowledgeable experts to even begin to
understand what is actually happening, and coupling that with other systems makes it close
to impossible. Further, it is fairly hard to regulate the ethical considerations: as we are
not sure how AI makes decisions, it is hard to draw the line between what is ethical and
what is not, also since the answer it gives can change from time to time.
Arg 1: There are several challenges when it comes to regulating AI. AI is currently
developing at a frantic pace, and the speed at which things change makes it extremely hard
to regulate. Furthermore, if you want to regulate AI there is also the complexity of how that
regulation applies when AI is incorporated into other products and services: who then has
the responsibility for how it acts, and for what data it draws upon when it makes decisions?
Furthermore, if a UN convention were to be made, it would be hard to come to a common
agreement between countries; even now, looking at the AI Act agreed in the EU in Dec. 2023,
it is a significantly different approach from how China, for example, is doing it. Thus
coming to an agreement is imaginably difficult.
Arg 2: General pros and cons of a UN convention. When we look at having a UN convention
regulating AI, the pro is that it would be internationally agreed upon, foster international
cooperation, and give the various countries the possibility to agree on how the use of AI
should be carried out. The cons of a UN convention are that it takes a long time to develop:
getting all the countries that are part of the UN to agree on regulation seems like a task
that would take a significant amount of time, just looking at the different approaches of
the EU and China. Another con is that it limits national sovereignty, not allowing member
states to decide how they want to regulate AI. Furthermore, if a UN convention on AI is
agreed upon, there may be varying levels of commitment and enforcement between the
member states. Even though a UN convention may help set certain guiding principles, it
may not address specific issues such as copyright and disinformation.
Conclusion:
There is definitely a need for regulating AI. However, the question is whether a UN
convention would be the best way. There are both pros and cons of a UN convention, the
main pro being an international agreement on how to use AI; however, it might take a
substantial amount of time to reach that agreement. The pros and cons of a UN convention
may balance each other out, and going forward it would make sense that a technology like
AI, which has a global impact and touches almost everything citizens use every day, should
have some general guiding principles applicable internationally.
Question: Who plays a more pivotal role in shaping the future of
cybersecurity: technology companies or national governments?
- they need each other
Intro: With continuous digitalisation and the tendency for companies to focus on their
core competencies and outsource other functions, the attack surface for hackers gets bigger
and bigger. Supply chains get more complex, and hackers get more sophisticated.
Therefore, the focus on cybersecurity has never been so important. We see it in private
companies, as Maersk was almost brought to a halt in 2017 by the NotPetya cyberattack; in
the public sector, as multiple US national security agencies were infiltrated by malware
through the SolarWinds Orion attack in 2020; and in war, as Ukraine's satellite
communications were disrupted by a Russian cyberattack at the very beginning of the
invasion in 2022. These are only a few examples of the cyberattacks happening every day
around the world. They simply serve to highlight the importance of effective cybersecurity
for nations, companies, and individuals. There is no doubt that shaping the future of
cybersecurity through regulation will be a big task for the governmental bodies of the
world, and it probably cannot be done without insights from the big tech companies that
have been fighting cyberattacks for years.
Argument 1: Governmental bodies, especially the EU, have in recent years started to
regulate cybersecurity taking a risk-based approach. They implemented the Cybersecurity
Act in 2019, creating an EU-wide certification framework under which ICT products and
services can be certified as living up to an EU standard of cybersecurity. They adopted NIS2
in 2022, focusing on companies within critical infrastructure and how they should assess
risk and keep their networks secure. They adopted the Cyber Resilience Act in 2023, which
places security responsibility on the manufacturer's side, and proposed the Cyber Solidarity
Act in 2023, proposing various components for preparedness. All of these help to secure the
economic stability and public safety of the EU and its citizens: should hackers be able to
infiltrate critical infrastructure such as electricity and water, it would harm the public,
and should a hacker group manage to infiltrate a company, it could significantly harm
economic growth in that country. However, while these regulations are made to protect
countries, companies and individuals, they also create barriers for companies, especially
SMEs that do not have the resources the bigger companies possess. For an SME to suddenly
have all these compliance requirements because it is a supplier to a critical infrastructure
company (NIS2) poses significant challenges for that business, which on an innovation level
might also create barriers to innovation, as the barriers to entry only get higher. So
governmental bodies have without a doubt shaped the future of cybersecurity, but this also
plays into a bigger picture of economic growth and innovation: are they potentially stifling
innovation and limiting economic growth?
Argument 2: Though governments have now created regulation, we should not forget the big
tech companies that have been working with cybersecurity for years. Microsoft is actively
helping to prevent cyberattacks on its systems 24/7, and Google is helping Ukraine combat
Russian cyberattacks. These companies possess more knowledge about cybersecurity than
most governments and are also more powerful than some countries. Thus, it is pivotal that
governments involve them when creating cybersecurity regulations, guidelines, and
frameworks. The challenge of involving the big tech companies in formulating regulation is
that they will try to influence the law to their advantage, as we also saw at the UN when
Microsoft proposed several rules for how to act in cyberspace, mainly focused on protecting
private companies. However, their knowledge and technological abilities are crucial for
governments to get a comprehensive picture of the threats they are facing.
Conclusion: We see that governmental bodies are essential when it comes to getting
regulation in place to increase the level of cybersecurity. However, it is also necessary for
big tech companies to contribute their expertise and knowledge in the area, especially if
we are looking at an international treaty like the UN convention on cybercrime. Private
companies will have a certain interest in shaping the conversation and the cyber norms, to
protect themselves from cybercrime and get uniform compliance standards. However, the
different countries also have a strong interest in developing rules of the game that everyone
has to follow, as this may increase international cooperation and national security, since it
can help in collective defence efforts, legal assistance and extradition. So both parties have
a strong interest in shaping the future of cybersecurity, and the bottom line is that the best
result will come if they work together and combine efforts.
Question: How can businesses effectively conduct cyber risk
assessments?
We live in a world where the dependence on digital technologies and the internet, for both
personal and professional activities, is only getting bigger. This movement toward
digitization creates a bigger attack surface, leaving companies more vulnerable to
cybercriminals. When companies fall victim to cyberattacks we see significant economic
consequences as a result. First, it can result in lost consumer trust and reputational
damage, leading to a decrease in sales. Second, it can be extremely expensive to repair the
damage and regain control. Third, there may be a ransom demand that your business will have
to decide whether to pay or not. Fourth, there are the legal fines your business may get for
not living up to the regulatory requirements for cybersecurity. This underlines the
significant damage a company may suffer should it find itself in a cyberattack, highlighting
the importance for companies of adapting to the cyber threats and preparing for and
protecting their businesses.
Argument 1: Risk assessment and regulation
One way companies can prepare for the evolving cyber threat landscape is by conducting a
risk assessment. This simply means getting an overview of your company’s vulnerabilities,
deciding what level of risk is acceptable, and having an incident response plan should your
company fall victim to a cyberattack. There are multiple frameworks that guide you through
how to do a risk assessment, one of the more popular being the American NIST framework,
first proposed in 2014. This framework has four steps:
1. Frame the risk: Get an overview of your company and its vulnerabilities; what are the
priorities, the tolerance for risk, and the constraints?
2. Assess the risk: Address the specific risks and vulnerabilities identified, as well as the
harm and the likelihood of them being exploited.
3. Respond to the risk: Create an incident response plan, should you get hacked.
4. Monitor the risk: Verify that the risk response is implemented and determine its ongoing
effectiveness.
This framework is internationally recognised for risk assessment; multiple versions of the
same steps exist, but in essence, making an effective risk assessment of your company comes
down to knowing your vulnerabilities, mitigating the ones you deem not acceptable, being
prepared with alternative courses of action should you get hacked, and continuously
monitoring your identified risks to ensure that they are not compromised.
Argument 2: Not creating an effective risk assessment of your company leaves it in a place
of ignorance. Cybersecurity breaches are happening every day, and companies, even nations,
are suffering from them. For example, we saw Maersk almost brought to its knees during the
NotPetya attack in 2017, only saved by an offline server. In 2020 we saw the SolarWinds
Orion attack, which affected multiple companies, governments, and national security
agencies. This hack was so sophisticated that it was only noticed by a cybersecurity
company, FireEye, which noticed some discrepancies on its own network and traced them back
to SolarWinds. Thus, cybersecurity is not just important for your company’s sake; if you are
a company serving the critical infrastructure of a nation, it is about national security.
The severity is also mirrored in the EU’s effort to create a safer cyberspace through
regulations such as the Cybersecurity Act (2019), NIS2 (2022), DORA (2022), the Cyber
Resilience Act (2023) and the Cyber Solidarity Act (2023), all focusing on network and ICT
security.
Conclusion: To conduct an effective cyber risk assessment of your company, you can with
advantage follow the NIST Framework to frame, assess, respond to, and monitor the risks you
identify in your company. The important part is simply that you make a risk assessment.
Cyberattacks are increasing every day, and hackers get more sophisticated and harder to
detect. The severity of a cyberattack may be bad not only for business, but potentially for
nations.
Question: Describe the current cyber threat landscape and its
implications for global businesses. How should companies
adapt their cybersecurity strategies in response? → risk
assessment, training, following regulation.
Introduction: The current cyber threat landscape has never been as active and dangerous as
it is at the present moment. With hackers getting more advanced and AI getting more
sophisticated each day, it is getting harder and harder to secure your business from an
attack. However, even though you may not be able to prevent an attack, you can control the
damage a cybercriminal is able to do by being prepared. In 2023 we saw an increase in
ransomware attacks, and we saw phishing and social engineering getting more sophisticated.
Over the last couple of years we have seen regulation on cybersecurity becoming a bigger
topic, especially in the EU but also on a global level, with the interest in the UN
Convention on cybercrime. This increasingly complex cybersecurity landscape has several
implications for companies: there are now bigger demands on their security standards, and
there are more advanced cybercriminals trying to penetrate their systems, raising the need
to be prepared.
Argument 1: The importance of being prepared
With the globalization happening in the world, more companies and countries are
interconnected and rely more on each other, making the cyber threat landscape even more
vicious. Take, for example, the WannaCry ransomware attack in 2017. The WannaCry attack
exploited a vulnerability in Windows using EternalBlue, a cyberweapon suspected to have been
developed by the NSA. The attackers managed to hit around 200,000 computers spread across
150 countries, encrypting files and demanding a ransom to decrypt them. Additionally, in
2020 we saw a giant supply chain hack, SolarWinds Orion, which hit multiple companies,
governments and national security agencies. It was only discovered by a cybersecurity
company, FireEye, which detected some discrepancies in its own network and traced them back
to SolarWinds. These cases showcase the impact a cyberattack on one company can have on the
world. Thus it is no longer just about protecting your own business; especially if you are a
global company supplying multiple other companies around the world, it is about protecting
them and nations as well.
Argument 2: How to be prepared
Companies need to adapt to this more dangerous cyber threat landscape, as it is no longer a
question of if a company will get hit by a cyberattack, but of when. One of the most
important things is to make a risk assessment of the company’s assets and data. For doing a
risk assessment, the American NIST Framework is an internationally recognised framework that
provides a structured way of approaching a risk assessment of a company. It has four
stages:
1. Frame the risk: Which assets do we have, what are the vulnerabilities, what risk are we
willing to take, and what are our priorities?
2. Assess the risk: Address the specific risks and/or vulnerabilities identified, as well as
the harm and the likelihood of them being taken advantage of.
3. Respond to the risk: Create an incident response plan.
4. Monitor the risk: Make sure that the response plan is implemented and determine its
ongoing effectiveness.
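The four steps listed here (and the same four steps in the earlier risk-assessment answer), carried through as a small risk register in Python. This is an added example, not code from the notes or from NIST; the 1-5 likelihood and impact scales, the tolerance value of 8, and the sample assets are constructed assumptions.

```python
"""Added example (not from the notes or from NIST): a minimal risk register that
walks the four steps, frame -> assess -> respond -> monitor. The 1-5 scales,
the tolerance value and the sample assets are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                           # 1 (negligible) .. 5 (severe), constructed scale
    control: Optional[str] = None         # planned mitigation, if the risk is not accepted
    control_implemented: bool = False
    likelihood_after: Optional[int] = None  # residual likelihood once the control is in place

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Until the control is actually implemented, the risk is still the inherent one.
        if self.control_implemented and self.likelihood_after is not None:
            return self.likelihood_after * self.impact
        return self.inherent_score()


# Step 1 - Frame: decide the risk tolerance (max acceptable score) and list the assets.
TOLERANCE = 8  # constructed: scores above this must be mitigated


def frame(register: list[Risk], tolerance: int = TOLERANCE) -> dict:
    return {"tolerance": tolerance, "assets": sorted({r.asset for r in register})}


# Step 2 - Assess: score each identified risk (harm x likelihood) and rank by severity.
def assess(register: list[Risk]) -> list[tuple[str, str, int]]:
    scored = [(r.asset, r.threat, r.inherent_score()) for r in register]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Step 3 - Respond: accept what is within tolerance, plan a control for the rest.
def respond(register: list[Risk], tolerance: int = TOLERANCE) -> dict[str, list[str]]:
    plan: dict[str, list[str]] = {"accept": [], "mitigate": []}
    for r in register:
        bucket = "accept" if r.inherent_score() <= tolerance else "mitigate"
        plan[bucket].append(f"{r.asset}: {r.threat}")
    return plan


# Step 4 - Monitor: verify the response was implemented and is still effective.
def monitor(register: list[Risk], tolerance: int = TOLERANCE) -> list[str]:
    findings = []
    for r in register:
        if r.inherent_score() <= tolerance:
            continue  # accepted in step 3, nothing to verify
        if not r.control_implemented:
            findings.append(f"{r.asset}: control '{r.control}' not yet implemented")
        elif r.residual_score() > tolerance:
            findings.append(f"{r.asset}: residual score {r.residual_score()} still above tolerance")
    return findings


# Constructed sample register (illustrative values, not real data).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware via phishing", likelihood=4, impact=5,
         control="offline backups + MFA", control_implemented=True, likelihood_after=2),
    Risk("public website", "defacement", likelihood=3, impact=2),
    Risk("build server", "supply-chain compromise", likelihood=3, impact=5,
         control="signed dependencies + isolated builds", control_implemented=False),
]

if __name__ == "__main__":
    print("frame:  ", frame(SAMPLE_REGISTER))
    print("assess: ", assess(SAMPLE_REGISTER))
    print("respond:", respond(SAMPLE_REGISTER))
    print("monitor:", monitor(SAMPLE_REGISTER))
```

Note that the monitor step reports two different failure modes: a planned control that was never implemented, and an implemented control whose residual risk still exceeds the tolerance set in the frame step.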
Increasingly, regulation is also pushing companies towards having a risk assessment before
they can even begin to be compliant with the new rules. This is especially true for the
companies that serve critical infrastructure in the EU, as well as the suppliers that supply
the critical infrastructure companies (NIS2, 2022). Additionally, global companies are
increasingly required to conduct a risk assessment and have an incident response plan in
order to get insurance and for other companies to want to do business with them. Global
companies might have the resources to comply with this, but it is making it extremely hard
for SMEs to serve these global companies, as they do not possess the same resources. There
is also something to be said for investing in employees’ cybersecurity training, as current
research suggests that employees are the weakest link in a company’s cybersecurity strategy,
especially with the more and more convincing phishing techniques facilitated by AI
technology.
Conclusion: The current cyber landscape has never been as complex and skilled as it is
today. This has caught the attention not just of companies but also of regulators. A
significant amount of regulation has been proposed and adopted over the last couple of years
to enhance the security of network and information systems. This brings some implications
for companies, as the new regulatory requirements are high standards to live up to, and most
of them are based on self-assessment, meaning there is no one way to do it. However,
companies should also strive for their own protection, not only to live up to these
regulations, as it is only a matter of time before they are the ones under a cyberattack.
Question: Discuss the unique cybersecurity challenges posed
by cloud computing. How should businesses adapt their
cybersecurity strategies to protect data and applications in the
cloud?
Introduction: Cloud computing has significantly changed how businesses store and manage
data. Cloud computing offers businesses scalability, flexibility, and cost effectiveness.
However, it also introduces new challenges, especially when it comes to cybersecurity.
Companies can typically choose between three business models: Platform as a Service (PaaS),
Infrastructure as a Service (IaaS), or Software as a Service (SaaS). Each of these business
models gives a different level of autonomy, PaaS being the one with the most control over
applications, and SaaS the least.
Argument 1: Challenges in cloud computing
One of the most prominent challenges when it comes to cybersecurity is the shared
responsibility between the cloud service provider and the users. Here it is important to
understand the roles and responsibilities each stakeholder has in keeping the data safe.
Additionally, there is the challenge of data security and privacy: as cloud storage is a
remote location, it is attractive to cybercriminals. The fragmentation of cloud storage also
makes it more complex to comply with regulations such as GDPR, as highlighted in Schrems 1
and 2, where EU citizens’ data was transferred to the US, which did not have the same
compliance rules as the EU. One of the advantages of cloud computing is its flexibility;
among other things, you can access it from anywhere. This, however, also creates challenges
for access control and identity management, making it harder to create robust verification
mechanisms that prevent unauthorized access.
Argument 2: Adapting cybersecurity strategies for cloud computing
For organizations to adapt their cyber strategy to cloud computing, they need to understand
the shared responsibility of keeping the data in the cloud secure. It is extremely important
that organizations are clear on their role and responsibilities. This involves regular
audits and reviews of the CSP’s security practices. Another point that businesses could
incorporate into their cyber strategy is encrypting data both in transit and at rest; this
then poses the question of how that is easily done. It is extremely important that
organizations think about how to implement a robust identity and access management (IAM)
system, e.g. multifactor authentication and strict access controls based on least privilege.
It is also important to have an incident response plan as well as backup and recovery plans
ready.
Question: Discuss the challenges multinational corporations
face in balancing compliance with diverse national
cybersecurity regulations, such as the EU's GDPR (2016) and
the Cybersecurity Act (2019), with maintaining global
competitiveness. How do these regulations influence their
cybersecurity risk assessments and posture?
Intro: Being a multinational company puts you in a position where you need to comply with
the various countries’ different regulations, which creates certain challenges for your
business. This includes, among other things, bigger investments in specialized compliance
teams, which takes focus away from the business’ core competency. It also involves
evaluating whether, given the compliance standards your company would have to live up to, it
is worth continuing to do business in that region, and if yes, then how.
Argument 1:
In general, it is politically hard to agree on tech regulation, as the various countries
simply have very different perspectives, values, and cultures in regard to technology,
privacy, and ethics. Thus, navigating the very different regulations as a multinational
company comes with challenges. The first is constantly keeping up with the various
regulations and discussions and then evaluating, when a law needs to be complied with,
whether it is something the company wants to do or whether it would make sense to withdraw
business from that region or country. Take, for example, Meta: with the new DSA (2022) they
are required to disclose how their algorithms work, put more effort into content moderation,
and in general be more transparent about how they work. This might not be something that
Meta is particularly happy about, as most of their revenue is based on advertising, but is
the EU too big a market to drop? This is the kind of challenge that multinational companies
face when it comes to regulation in different countries, as Meta does not have this problem
in its home country. Meta’s solution was to offer a subscription model, so people could pay
for their membership and then get an ad-free experience.
Argument 2:
Another challenge that multinational companies face is the heavy investment in actually
complying with these regulations. First there is the investment in a compliance team
specializing in the various jurisdictions. Then there is the actual investment in being
compliant. Here, again taking Meta as an example, they need to invest heavily in content
moderation, external audits, and reconfiguration of their business model and platform. Under
the Cybersecurity Act, they would also need to get a certification that approves them as a
safe company. All of this to be compliant in the EU, without necessarily any use outside the
EU. This happening across multiple different jurisdictions simply makes the challenge even
bigger, coupled with the exponential growth in tech regulation happening at the moment:
there was the GDPR in 2016, the Cybersecurity Act in 2019, DORA, NIS2, DMA and DSA in 2022,
and now also the Cyber Resilience Act and Cyber Solidarity Act in 2023, as well as the AI
regulation that was passed in 2023. This just showcases how tech regulation in the EU alone
is growing exponentially and becoming more complex for multinational companies to manage.
Conclusion: Multinational companies do not just face the need to be compliant within one
jurisdiction, but within multiple, which have very different views on tech, privacy, and
ethics, making it very challenging to create similar regulation across the various
jurisdictions. Thus multinational companies are forced to determine which jurisdictions it
pays off to be in, adapt their business model, invest in compliance teams, and invest in
actually being compliant. These are just a few of the challenges multinational companies
face.
Question: In the context of increasing cybersecurity threats,
how can artificial intelligence (AI) be effectively utilized to
enhance cybersecurity measures in both private and public
sectors?
Intro:
● Mention various cyber threats
● AI capabilities (process large amounts of data, pattern recognition)
In recent years cybersecurity incidents have significantly increased with the evolution of
technology. There is especially an increase in ransomware attacks, roughly estimated to
become a $265 billion business by 2031. The evolution of AI may help companies’ defense, but
it will also help bad actors’ offense. Some of the ways it might help both public and
private organizations in their defense are threat detection and analysis, as well as
response and mitigation. This is especially due to AI’s ability to process large amounts of
data and its ability to recognize patterns, and thus also to recognize when something
deviates from the pattern.
Argument 1: Threat detection and analysis
Using AI for threat detection and analysis could include automated threat detection, anomaly
detection, and predictive analysis.
This is based on AI’s ability to process and analyze vast amounts of data, which creates a
baseline of normal behavior for the AI to recognize, in terms of behavioral analysis. This
assists companies in automated threat detection, as the AI is then able to detect any
anomaly in the network. As AI is able to process vast amounts of data and recognize
patterns, it can also be used for predictive analysis, by analyzing previous cyberattacks
and the patterns and trends they showed. Leveraging this knowledge, AI may be able to
predict potential future cyberattacks, strengthening companies’ cyber defense.
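The baseline-then-anomaly idea described above, as an added example in Python (not code from the notes): it learns the normal hourly number of failed logins per host from constructed training log lines, then flags later hours whose count deviates from that baseline by more than a z-score threshold. The log format, host names and the threshold of 3 standard deviations are constructed assumptions.

```python
"""Added example (not from the notes): baseline-then-anomaly detection over
constructed log lines. The log format, host names and z-score threshold are
assumptions made for this illustration."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict

# Constructed log line format: "<YYYY-MM-DDTHH> <host> failed_logins=<count>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}) (\S+) failed_logins=(\d+)$")


def parse(lines: list[str]) -> dict[str, list[int]]:
    """Group hourly failed-login counts per host; malformed lines are skipped."""
    counts: dict[str, list[int]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group(2)].append(int(m.group(3)))
    return counts


def build_baseline(training: list[str]) -> dict[str, tuple[float, float]]:
    """Learn what 'normal' looks like: (mean, stdev) of the hourly count per host."""
    baseline: dict[str, tuple[float, float]] = {}
    for host, values in parse(training).items():
        if len(values) < 2:
            continue  # too little history to estimate variance
        baseline[host] = (statistics.fmean(values), statistics.stdev(values))
    return baseline


def detect(baseline: dict[str, tuple[float, float]], observed: list[str],
           threshold: float = 3.0) -> list[tuple[str, int, float]]:
    """Return (host, count, z) for hours deviating more than `threshold` standard
    deviations above the host's baseline. A host with no baseline is reported with
    z = inf: behaviour never seen before is itself worth a look."""
    alerts: list[tuple[str, int, float]] = []
    for host, values in parse(observed).items():
        for count in values:
            if host not in baseline:
                alerts.append((host, count, float("inf")))
                continue
            mean, stdev = baseline[host]
            # Floor the stdev: a perfectly flat history would otherwise divide by
            # zero, and any change from a constant baseline should still show up.
            z = (count - mean) / max(stdev, 0.5)
            if z > threshold:
                alerts.append((host, count, round(z, 2)))
    return alerts


# Constructed training window: a quiet day of normal background noise.
TRAINING = [
    "2024-05-01T08 web-01 failed_logins=2", "2024-05-01T09 web-01 failed_logins=3",
    "2024-05-01T10 web-01 failed_logins=2", "2024-05-01T11 web-01 failed_logins=4",
    "2024-05-01T12 web-01 failed_logins=3", "2024-05-01T13 web-01 failed_logins=2",
    "2024-05-01T14 web-01 failed_logins=3",
    "2024-05-01T08 vpn-01 failed_logins=0", "2024-05-01T09 vpn-01 failed_logins=0",
    "2024-05-01T10 vpn-01 failed_logins=0", "2024-05-01T11 vpn-01 failed_logins=0",
    "2024-05-01T12 vpn-01 failed_logins=0",
]

# Constructed observation window: one normal hour, a sudden burst on web-01,
# a first-ever burst on the flat vpn-01, a host with no history, and one junk line.
OBSERVED = [
    "2024-05-02T08 web-01 failed_logins=3",
    "2024-05-02T09 web-01 failed_logins=40",
    "2024-05-02T09 vpn-01 failed_logins=6",
    "2024-05-02T09 db-01 failed_logins=1",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for host, count, z in detect(build_baseline(TRAINING), OBSERVED):
        print(f"ALERT {host}: {count} failed logins in one hour (z={z})")
```

Running the training window against its own baseline produces no alerts, which is the sanity check a practitioner does before trusting the threshold on live data.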
Argument 2: Response and mitigation
As a follow-up to threat detection and analysis, another area where AI could enhance
cybersecurity measures is response and mitigation, specifically automated response and
incident prioritization. When a company is under a cyberattack, AI can help respond by
reacting immediately, isolating affected systems, or blocking suspicious traffic.
Additionally, it can help prioritize the infected systems by analyzing which systems would
cause the greatest harm should access to them not be regained, and in that way help
streamline decision making during the incident and optimize efforts. However, while this
might enhance companies’ cybersecurity efforts, there are also several ethical
considerations that in practical terms need to be factored into the equation. Having AI
constantly monitoring a network might raise privacy issues, as the AI would essentially
train on that data. Further, there are ethical considerations when we are talking about
automated response: there is currently not a lot of transparency in how AI actually makes
decisions, so who is responsible for the decisions the AI takes?
Conclusion:
Question: Analyze the impact of the EU AI Act (2023) on global
technology companies' cybersecurity strategies. How does this
regulation influence the development and deployment of AI
systems, and what challenges does it present in terms of
international compliance and maintaining a competitive edge in
the AI sector?
Intro: AI Act, what does it include
The EU AI Act (2023) is made to ensure the ethical and responsible use of AI technologies.
The various AI technologies are divided into multiple categories based on their risk; the
act in general takes a risk-based approach. It stresses the importance of risk
identification, transparency, human oversight, and compliance and monitoring.
Argument 1: Influence the development and deployment of AI and cybersecurity
practices
This act specifically has the purpose of shaping the development and deployment of AI going
forward. It has the purpose of ensuring the safe use of AI,
Argument 2: Challenges in terms of international compliance and competitive edge
Question: Considering the rapid evolution of cyber threats and
the increasing reliance on cloud computing in digital business,
evaluate the effectiveness of current cybersecurity frameworks
like NIS2 (2022) and the Cyber Resilience Act (2023). Discuss
how these frameworks address the unique challenges posed by
cloud technologies and the potential gaps that might need to be
addressed for future-proofing cybersecurity strategies in
multinational corporations.
Intro:
NIS2:
The purpose of NIS2 (2022) is to ensure the highest level of cybersecurity for companies
within critical infrastructure, meaning companies in sectors such as water, gas,
electricity, etc. There are different categories of critical infrastructure companies:
essential entities and important entities. What is specifically interesting about the NIS2
directive is that supply chains are also factored in (Art. 18 and 22), meaning that if you
are supplying a company within the scope of NIS2, you as a supplier should also live up to
the NIS2 requirements. The three areas in which NIS2 introduces measures are strategy (plan
and protect), detection and response (detect and react), and infrastructure and application
security (build and maintain security).
Cyber Resilience Act (2023):
The Cyber Resilience Act was adopted in 2023 and serves as a framework for ensuring the
overall cybersecurity of digital products, including both hardware and software. Its primary
objective is enhancing product security, in terms of making products more secure by design
and throughout their lifecycle. This should help reduce cybersecurity risks by raising the
overall baseline of requirements, which should lead to an increase in consumer trust. The
mandatory requirements involve secure by design, ongoing vigilance, testing and updates,
informing and guiding users, and reporting incidents.
Current issues with cloud computing:
There are multiple issues with cloud computing: you are absolutely dependent on your
provider, most of the providers are US- or China-based, it is hard to manage privacy and
security, and you do not know who exactly has access to your data.
Argument 1: NIS2 and cloud computing
If you are a company in the scope of NIS2 and are using cloud computing, there is a
possibility that you will have to build a private cloud or put your data on-prem. With the
limited control over your data and access management, and the complete dependency on your
cloud provider, it does not seem like using the cloud and being compliant with NIS2 is an
option. By living up to the Cyber Resilience Act there is a bigger opportunity for the cloud
to be safe. However, there is still limited access control as well as limited control over
your data. This was highlighted by Schrems 1 and 2, which specifically addressed the problem
of data handling: data from the EU was transferred to the US, and the US did not live up to
the requirements of the GDPR that citizens in the EU are entitled to.
Additionally, there are certain things that neither of these regulations takes into account.
For example, neither of them takes into account access management, data management, or the
oligopolies that are in control of the cloud services.
Argument 2: Cyber resilience act and cloud computing
Conclusion
Exam notes
Lecture 2: Legislation I need to know about:
Cybersecurity is a part of a larger Big Tech regulation in the EU
General principles that inform digital regulation in EU:
Why platforms get regulated and not just information:
Two problems:
● Business Model
○ Ease of doing business
○ Competition/dominance
○ Ability to regulate speech
○ data-based BM - used and abused
○ IP rights protection
○ cybersecurity
● Discrimination
○ Transparency
○ Paid dominance
○ App store ranking
○ Search engine results handling
○ ad-blocking
○ own-product promotion
New platform regulation is designed to address these issues. Platforms will be regulated
based on how much power they have (economic, social) and how important they are (how
critical it is to get access to them).
● Resulting in sector-specific laws
● Use of asymmetric regulation
○ Symmetric, meaning it applies to all services equally
○ Asymmetric, meaning different rules for different tiers or categories
● Use of ex ante regulatory method
○ Regulate some platforms in advance by anticipating possible violations they
might engage in.
● Use of delegated acts
○ Within the main framework directive, meant to make the main act more
precise.
● A number of enforcement agencies at both EU and national level
Platform regulation - The new framework for e-commerce:
E-Commerce Directive 2001:
● Home country control
○ Only subject to the home country’s laws
● Protection of intermediaries
○ Intermediaries are not liable for what is shown on the platforms (e.g. if you’re
hosting a platform for someone else), if you’re acting in good faith.
New platform laws:
Digital Service Act (DSA) - Regulation (2022)
General purpose: Make platforms safer for everybody and limit the abuse of fundamental
rights. It is introducing:
● Due diligence for platforms → the larger the platform the more regulation (asymmetric
regulation)
● Main focus on procedure, NOT content - only illegal content NOT harmful content
○ Harmful content is only regulated in national law
● Splits due diligence from liability for underlying content
○ In other words, a platform can be compliant with due diligence requirements
but still not be liable for every instance of illegal content posted by its users.
Business pros:
● Help businesses reach customers
● enable platforms to protect users
● promote safety and trust.
Business cons:
● Lost business opportunities - too regulated
● Removal of platforms features
● Putting online revenues at risk
Scope: Businesses that have services targeting EU citizens or have a significant number of
users in the EU.
Enforcement:
● National authorities (Digital service)
● The commission → large platforms
● Private actions
● Consumer organizations also given standing
○ for due diligence obligations
Obligations:
● Universal → apply to all intermediaries (point of contact, ToC, Transparency
reporting)
● Hosting (notice & action, statement of reasons for removals)
● Online platforms (internal redress, out of court disputes, trusted flaggers, deceptive
design, measures against misuse of notices)
Businesses are responsible for assessing risk and then mitigating those risks.
Contains a powerful set of sanctions and gives a lot of power to the commission.
Digital Market Act (DMA) - 2022
Why have competition law?
● Collusive practices - two or more companies come together and agree on prices
● Abuse of dominance
● Mergers - reduce the number of competitors on the market
DMA - what is the method:
● DMA uses the ex ante technique (imposes sanctions before the crime is committed)
When does the DMA apply: 1) it must be an intermediary service, and 2) you have to be a
gatekeeper (Art. 3):
● significant impact on the internal market
● provides a core platform service (CPS) which is an important gateway for business users
to reach end users
● enjoys an entrenched and durable position, or it is foreseeable that it will do so in the
future
They are automatically classified as a gatekeeper if the above is true, and then businesses
have a chance to argue why they are not.
Example of Art. 5: Apple cannot prohibit you from getting a subscription outside of the App
Store, as the App Store is more expensive.
Example of Art. 6: Google cannot treat its own Google Shopping more favorably than
third-party services.
Summary of DSA (Jul 2022) and DMA (Nov 2022) each targeting different aspects of the
digital economy:
DSA Purpose: To create a safer digital space for users with greater accountability for online
platforms.
● Impose stricter content moderation rules
● Enhance transparency in algorithmic processes
● Protects user rights and freedom of expression.
DMA Purpose: To ensure fair competition in the digital market, focusing on large platforms
(gatekeepers).
● Prevents market abuses by dominant platforms
● Mandates data sharing and interoperability
● Strengthens enforcement with significant penalties for non-compliance
Working with EU Digital law
● Always look at the EU sources first - as most is always regulated by the EU
● Understand the relation between EU sources
● Then move to national law
● Understand which enforcement agencies are in charge at either level
○ More often than not there will be several.
Hierarchy
Regulations - Directives - Delegated Acts deriving from the above - Official interpretative
documents (guidelines, issued by enforcement agencies or the Commission) - CJEU judgments -
national sources.
Sector-specific laws:
● Transparency on P2B Platforms Regulation (2019)
○ The regulation aims to ensure that online platforms and search engines treat
businesses fairly and make their terms and conditions transparent.
● Copyright in the DSM (2019)
○ Makes sure video content is not illegally shared
● NIS2 directive
Other laws that apply to platforms
● Contracts
● E-commerce
● Copyright & trade secrets
● Trade marks / domain names
● cybercrime
● speech regulation
● ISP liability
● Payment
● Technical standards
● Competition law
Laws rarely stand alone; businesses will have to address multiple regulatory efforts when
encountering an issue. The reason for all these new platform regulations is that the old
regulation is not able to address the challenges of platforms based on advertising business
models, nor is it adequate to address the problem of large platforms.
Lecture 3: Politics of digital platforms
Digital platforms: a digital platform is a software-based online infrastructure that
facilitates interactions and transactions between users.
● google
● amazon
● tinder
● wikipedia
● facebook
● X
● Instagram
● Whatsapp
● Linkedin
Issues with digital platforms
1. Platforms designed to circumvent existing labor law → Uber offering a taxi service
without being a taxi service
a. In the middle of the gig economy: short-term contracts and freelance work.
b. This results in participants not being protected; liberating vs. exploiting
labor.
2. Disrupting entire industries
a. E.g. getting news via Facebook instead of traditional newspapers
b. Pro: increasing ad income; con: less money to the people actually doing the
work → what does this mean for the future of journalism?
3. Exclusions
a. Platforms can remove users without reason
b. Online marketplaces: removing a company from their website could cause
bankruptcy → they now need to provide a reason for removal.
4. Promoting surveillance capitalism
a. Describes the creation of “free” services where all aspects of user behavior
are monetised through targeted advertising.
b. Relying on cross-platform user profiles.
5. Undermining democracy
a. Brexit and Donald Trump were partially due to illegal use of data and Russian
interference.
b. Democratic decisions shaped at least partially by digital platforms; whatever
happens, you cannot reverse the decision.
Lecture 4: The politics of the cloud
What is cloud computing: On-demand availability of computer system resources,
especially data storage (cloud storage) and computing power, without direct active
management by the user.
● On-demand self-service, giving the business the ability to run smooth services in peak
periods.
● Data can be accessed from all kinds of devices and at all times
Cloud business models
● Infrastructure as a Service (IaaS) is a cloud computing business model where
providers offer virtualized computing resources over the internet, such as servers,
storage, and networking capabilities, on a pay-as-you-go basis. This model allows
businesses to scale resources flexibly and cost-effectively, without the need for
significant investment in physical infrastructure.
● Platform as a Service (PaaS) is a cloud computing model that provides customers
with a platform, including hardware and software tools, typically for application
development and hosting, accessible over the internet. This model enables
developers to build, test, deploy, and manage applications without the complexity of
maintaining the underlying infrastructure.
● Software as a Service (SaaS) is a cloud computing model where software
applications are hosted by a service provider and made available to customers over
the internet, typically on a subscription basis. This allows users to access and use
software without the need for installation or maintenance on their own hardware.
Issues with cloud computing
1) Absolute dependency on your provider
2) Providers are often an oligopoly of US-based companies
3) Privacy and data security - how do you know where the data is?
4) You need encryption, but how is this done easily?
5) Ultimate question → who has access to my data, can governments overrule privacy
policies?
Maximilian Schrems 1 and 2
● Background: Maximilian Schrems filed a complaint with the Irish Data Protection
Commissioner regarding the transfer of his personal data by Facebook from its Irish
subsidiary to the United States.
● Concerns Over US Surveillance: Schrems argued that the laws and practices of the
United States did not offer sufficient protection against surveillance by public
authorities, particularly in light of the revelations made by Edward Snowden
regarding the NSA's surveillance activities.
● Invalidation of Safe Harbor: In 2015, the European Court of Justice (ECJ) ruled in
favor of Schrems, finding that the Safe Harbor agreement, which many companies
used to transfer data from the EU to the US, did not adequately protect EU citizens'
data. The ECJ declared the Safe Harbor framework invalid because it failed to
ensure European data protection standards for EU citizens’ data when transferred to
the US.
● Impact on Data Transfers: The ruling had significant implications for thousands of
companies that relied on the Safe Harbor agreement to facilitate transatlantic data
transfers legally.
● Resulting Actions: The invalidation of the Safe Harbor agreement led to the need for
a new framework to regulate data transfers between the EU and the US, which
eventually led to the creation of the Privacy Shield framework.
Schrems I was a pivotal case in international data privacy law, highlighting the complexities
and challenges in reconciling different privacy standards and surveillance practices across
jurisdictions, especially between the EU and the US.
● Background: After the invalidation of the Safe Harbor agreement in the Schrems I
case, the EU and the US negotiated a new agreement called the EU-US Privacy
Shield. Meanwhile, Schrems continued to pursue legal challenges, focusing on the
standard contractual clauses (SCCs) used by Facebook and other companies for
data transfers.
● Concerns about US Surveillance Laws: Schrems argued that the United States'
surveillance laws, particularly those allowing access to transferred data by American
intelligence agencies, were not compatible with EU privacy rights. He contended that
the mechanisms used for data transfer, including the Privacy Shield and SCCs, did
not provide sufficient protection against this surveillance.
● European Court of Justice Ruling (2020): In July 2020, the European Court of Justice
(ECJ) ruled in the Schrems II case. The Court invalidated the EU-US Privacy Shield
framework, agreeing that US surveillance laws did not ensure an equivalent level of
protection for EU citizens' data as required by EU law.
● Standard Contractual Clauses (SCCs): The ECJ did not invalidate the use of SCCs
outright but emphasized that companies must evaluate on a case-by-case basis
whether the data protection provided by SCCs in the context of data transfers to a
third country is adequate. If the laws in the recipient country undermine the
effectiveness of SCCs, additional safeguards must be implemented, or data transfers
should cease.
● Global Impact: This ruling had a profound impact on international data flows,
particularly affecting companies that transfer personal data from the EU to the US. It
increased the complexity and legal uncertainty surrounding such data transfers.
● Need for New Solutions: The invalidation of the Privacy Shield has led to calls for
new arrangements or mechanisms to ensure the lawful and protected transfer of
personal data from the EU to the US.
In essence, Schrems II has reinforced the importance of protecting personal data transferred
internationally and highlighted the ongoing challenges in aligning US surveillance laws with
EU data protection standards.
Result: October 2022 Biden signed an executive order on enhancing safeguards for
US Signals Intelligence Activities:
● This is meant to direct the steps that the US will take to implement the US
commitments under the EU-US Data Privacy Framework.
● This means further safeguards on US signals intelligence activities and a new legal
process where EU citizens can sue if they believe their personal data was collected
through US signals intelligence in a manner that violated applicable US law.
● Executive order - meaning a new president can simply change this.
Will Schrems 2 be seen as a milestone in raising global standards, or will it simply end up
contributing to the fragmentation of the internet by creating limited and exclusive data
sharing zones?
Big picture:
● The cloud market is an oligopoly of a handful of huge US and Chinese companies.
● This clashes with the official EU vision of digital sovereignty.
● In the NIS2 Directive it says that critical infrastructure companies may only use cloud
providers that have been awarded the highest level of a future EU cloud security
certification.
Lecture 5: Regulating AI
● Consensus that AI should be regulated in some way.
● If AI gets excessively regulated at this stage, only big companies will be able to play
with it.
Why AI should be regulated - thought leaders
● The end of civilization - Stephen Hawking and Elon Musk
○ As AI networks may reach the point where they become sentient (conscious of
themselves), they may then act to further their own goals
● Regulate, to increase transparency when AI makes important decisions
○ Public administration (eligible for certain benefits)
○ Banking (loan)
○ HR and recruitment (who will get the interview)
○ Pushing towards explainable AI - how did it arrive at this decision?
● Prevent it from amplifying bias and doing social harm
○ Ability to identify cancer can differ based on skin color.
● Restore some kind of copyright and privacy
○ The AI models have simply been trained on all types of content, with no
regard to copyright
○ Images of illness from everyone have been used for training - privacy?
● Disinformation in elections, war and diplomacy
○ need to have AI systems to counter this.
Challenges in AI regulation
1. Speed of technological development
2. Complexity of AI, especially combined with existing software processes
a. explainable AI → can that be done when multiple AI services have been
added on?
3. When and how do you move on with your legislation: legislative strategy
a. China passing one act for each AI-related problem. Pro: agencies can
gather experience before regulating. Con: AI instruments launched at different
times can easily become a legal and compliance nightmare.
b. EU making a comprehensive law on AI regulation. Pro: establishes the EU as a
leader in ethical AI principles. Con: may knock Europe out of contention for the
further development and commercial exploitation of AI.
Potential solutions to AI regulation
● Licensing AI operators - the regulator being able to withdraw the license in case of
prolonged malpractice.
○ Pro: experience to build on - similar approaches are used in e.g. aviation and
mining.
○ Con: experience suggests licensing is not the perfect regulatory tool; it attracts
corruption in all but the most transparent societies, especially when huge
profits are at stake.
○ Strengthens the market power of the big license holders, as formal
requirements may be a barrier for new players.
● Like in financial services - regulators take a highly prescriptive approach and can
make quite detailed demands on what a new service or product should look like if
they think an existing one violates key principles.
○ Requires that financial regulators have a certain independence from direct
government control.
● Define basic principles - experiment with building fairness into algorithms to ensure
they are corrected for biases.
○ Basic principles hardwired into the AI models (transparency, fairness, non
discrimination, respect, etc.)
EU AI regulation
● Proposed April 2023 - passed to EU parliament in June 2023 - implemented
December 2023
● Categorizing into 4 categories (unacceptable, high, limited and low risk)
● Relies on self-assessment - which category do you think you belong under and how
did you mitigate the risk - passed to the regulator
● Unacceptable risk:
○ Harmful/manipulative
○ exploit specific vulnerable groups
○ Used on behalf of public authorities
○ Real-time biometric identification
● High risk:
○ part of a product that falls under EU safety regulation (car, toys, medical
devices) or is within one of the eight specified areas such as education, law
enforcement, or public administration.
● Limited:
○ AI systems that interact with humans
○ Emotion recognition systems, biometrics, and AI systems that generate image or
video content.
○ Limited to a set of transparency obligations
● Low risk
○ No legal obligations whatsoever
Lecture 6: Introduction to cybersecurity
Why did cyber become such an important topic?
● 2003: Blaster worm
○ The Blaster Worm, also known as Lovsan or MSBlast, was a notable
computer worm that spread in 2003. It targeted computers running Microsoft
Windows XP and Windows 2000.
● 2010: Stuxnet
○ Stuxnet, discovered in 2010, was a highly sophisticated and targeted
computer worm that is often cited as one of the first instances of cyber
warfare. Stuxnet was specifically designed to target supervisory control and
data acquisition (SCADA) systems, which are used to control and monitor
industrial processes. Its primary target was believed to be the Iranian nuclear
program, specifically the uranium enrichment facilities at Natanz.
● 2013: Snowden revelations
○ In June 2013, Snowden began releasing a large trove of documents to
journalists from various media outlets, including The Guardian and The
Washington Post. These documents contained detailed information about
widespread surveillance programs conducted by the NSA and its international
partners.
● 2014: Sony and Yahoo hacks
○ Both incidents were landmark events in the cybersecurity landscape,
highlighting the growing sophistication of cyber attacks, the potential
involvement of state actors, and the enormous impact such breaches can
have on businesses, individuals, and international relations.
● 2015: US-China cyber espionage agreement
○ Key Provisions of the Agreement:
■ Prohibition of Cyber Theft: Both countries agreed not to conduct or
knowingly support cyber-enabled theft of intellectual property,
including trade secrets or other confidential business information, for
commercial advantage.
■ Commitment to Cooperation: The agreement included a commitment
to cooperate with requests to investigate cybercrimes, collect
electronic evidence, and mitigate malicious cyber activities emanating
from their territory.
■ Regular High-Level Meetings: The two countries agreed to establish a
high-level joint dialogue mechanism on fighting cybercrime and related
issues.
○ Significance:
■ Attempt to Set Norms: This agreement was seen as a significant step
in trying to set norms and rules for state behavior in cyberspace,
especially in the context of economic espionage.
■ Reduction in Cyber Espionage Activities: Following the agreement,
some cybersecurity firms reported a reduction in Chinese cyber
espionage activities against American companies.
○ Challenges and Criticisms:
■ Enforcement and Verification: Critics of the agreement pointed out the
challenges in enforcing and verifying compliance, given the
clandestine nature of cyber espionage.
■ Continued Suspicion: Despite the agreement, there remained a level
of suspicion between the two countries regarding cyber activities.
○ Broader Context:
■ Cybersecurity as a Global Issue: The agreement underscored the
importance of international cooperation in addressing cybersecurity
threats.
● 2017: Equifax and Shadow Brokers, EternalBlue and WannaCry, NotPetya
○ Equifax and Shadow Brokers: Both the Equifax breach and the Shadow
Brokers' leaks had profound implications, highlighting the vulnerabilities in
both private and governmental cybersecurity practices. These events
underscored the importance of robust security measures, regular updates,
and ethical considerations in cyber operations.
○ WannaCry utilising EternalBlue: Cybersecurity Wake-Up Call: The WannaCry
attack highlighted the dangers of nation-state cyber weapons falling into the
wrong hands and the importance of keeping software systems up to date with
security patches. Public Awareness: It raised significant public awareness
about ransomware and the importance of cybersecurity in both personal and
professional contexts. Policy Implications: The incident prompted discussions
about the responsibility of government agencies in managing their cyber
arsenals and the ethics of developing and stockpiling cyber exploits.
○ NotPetya: Although initially thought to be a form of ransomware similar to
WannaCry, it was later identified as a more destructive cyber weapon. Unlike
typical ransomware, NotPetya's primary purpose wasn't to extort money but
to cause disruption and damage. Seen as one of the most costly attacks; it
cost Maersk and FedEx significant amounts.
Who wants to hack companies?
● State hackers: steal business secrets (China), use your network to work towards
juicy targets (Russia), try and steal cryptocurrency (North Korea).
● Proxy state actors: the private/state distinction can be blurred, as these groups might
use their work tools to hack for private gain.
● Hacktivists: Private hackers motivated by political or other motives. This kind of
activity has seen a huge increase since the beginning of the Russia-Ukraine war.
Why companies really need to be prepared for cybercrime
● Cybercriminals: using mostly ransomware and CEO frauds - pose the biggest risk to
western companies.
● Cyber mercenaries: refer to individuals or groups who engage in cyber activities for
hire, often involving hacking, espionage, or other forms of cyberattacks. They differ
from typical hackers in that they operate more like contractors, offering their skills to
the highest bidder, which could be governments, corporations, or other entities.
Ransomware:
Went from targeting individuals to companies - currency is cryptocurrency.
● Some target specific sectors or industries with the biggest payout
● Organized as professional companies - hack through phishing, exploiting unpatched
vulnerabilities, or buying access credentials on the dark web.
● When they’re on the network, they do reconnaissance, spread laterally and try to
identify and encrypt any backups.
● When you know you’ve been breached, you need to decide whether or not to shut
down the entire network, when to communicate to stakeholders, and whether you
want to pay or not.
CEO fraud:
● A form of social engineering - get someone’s email and impersonate them via email to
their employees.
● AI will have a massive impact on this
Internal attackers:
● Very important to manage access control, so if an employee gets mad, they do not
have access to everything on your network.
Terms you need to know:
● APT: Advanced persistent threat (basically state hackers) - identified by number
when we don’t know where they’re from.
● TTP: Tactics, techniques and procedures (what hackers do) - overview of how they
work so we can recognise their tracks.
● Zero day: A vulnerability with a working exploit that was not previously known -
become known because it was used in an attack.
● Attack surface: The sum of possible entryways for hackers into a company network -
everything that faces the internet (main server, printer)
● Attack vector: The entryway into a network chosen by hackers in a particular attack -
this was the route in.
CIA Triad:
● Integrity - no one has messed with your data; it is in the same form as saved
yesterday.
● Availability - the data is available and can be used when they need it.
● Confidentiality - only those who should have access to the information can access
the information.
You want all three to be in balance.
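The integrity leg of the triad is the one most often left implicit, so here is an added example (not from the lecture notes) of how "no one has messed with your data since yesterday" is actually checked: each record is tagged with a keyed HMAC-SHA256 under a key the data store does not hold, the tags are kept separately, and today's data is re-tagged and compared. Plain hashes would not do, because anyone who can rewrite the data could also rewrite an unkeyed hash list. The key, the record ids and the customer rows are all constructed for this example.

```python
"""Added example: detecting tampering (integrity) with a keyed manifest.

Yesterday: compute an HMAC tag per record and store the manifest separately.
Today:     recompute the tags and report records that were modified, removed or added.
All data and the key below are constructed for the example."""
import hmac
import hashlib
from typing import Dict, List

# Constructed key; in practice it lives in a KMS/HSM, never next to the data it protects.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


def tag_record(key: bytes, record_id: str, payload: bytes) -> str:
    # Bind the tag to the record id as well as the content, so two records
    # cannot be swapped with each other without detection.
    mac = hmac.new(key, record_id.encode() + b"\x00" + payload, hashlib.sha256)
    return mac.hexdigest()


def build_manifest(key: bytes, records: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot of record id -> HMAC tag; this is what gets stored out of band."""
    return {rid: tag_record(key, rid, data) for rid, data in records.items()}


def verify_manifest(key: bytes, manifest: Dict[str, str],
                    records: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare today's records against yesterday's manifest.

    Returns ids that were modified (tag mismatch), removed (in manifest but not
    in the data) and added (in the data but not in the manifest).
    hmac.compare_digest is used so the comparison does not leak timing."""
    findings: Dict[str, List[str]] = {"modified": [], "removed": [], "added": []}
    for rid, expected in manifest.items():
        if rid not in records:
            findings["removed"].append(rid)
            continue
        actual = tag_record(key, rid, records[rid])
        if not hmac.compare_digest(actual, expected):
            findings["modified"].append(rid)
    for rid in records:
        if rid not in manifest:
            findings["added"].append(rid)
    for ids in findings.values():
        ids.sort()
    return findings


# Constructed sample data: yesterday's state of a small customer table.
YESTERDAY = {
    "cust-001": b"Alice;alice@example.org;balance=120.00",
    "cust-002": b"Bob;bob@example.org;balance=75.50",
    "cust-003": b"Carol;carol@example.org;balance=0.00",
}
# Today: cust-002's balance was altered, cust-003 was deleted, cust-004 appeared.
TODAY = {
    "cust-001": b"Alice;alice@example.org;balance=120.00",
    "cust-002": b"Bob;bob@example.org;balance=9975.50",
    "cust-004": b"Dave;dave@example.org;balance=500.00",
}


def demo() -> Dict[str, List[str]]:
    manifest = build_manifest(INTEGRITY_KEY, YESTERDAY)   # taken yesterday
    return verify_manifest(INTEGRITY_KEY, manifest, TODAY)  # run today


if __name__ == "__main__":
    for kind, ids in demo().items():
        print(f"{kind}: {ids}")
```

The manifest is only as trustworthy as the separation between the key and the data store: if the same administrator can read the key and rewrite rows, the check degrades to an unkeyed hash.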
Lockheed Martin cyber kill chain:
A way of understanding cyberattacks so as to make them comparable:
● Reconnaissance - identify the targets
● Weaponization - prepare the operation, choosing attack vector
● Delivery - launch the operation, getting the malware into the system
● Exploitation - gain access to victim
● Installation - establish beachhead at the victim
● Command and control (c2) - remotely control the implants
● Actions on the objective - achieve the mission’s goal
To defend yourself you only need to interrupt the kill chain once: stopping the hackers at
one of their steps at a reasonable cost, so they do not get to their objective.
Lecture 7: EU Cybersecurity regulation
EU cybersecurity laws also include DSA, DMA, AI Act, GDPR - so it is needed to look at all
of them and understand how they belong together (session 2).
Overview of all EU cyberspace
Look at legislation (DORA, Cyber resilience act)
All of them regulate at different levels:
NIS2 (2022): The essential entities/services - obligations in member states for
having a better system in response.
● By Oct. 17 2024: Member States must adopt and publish the measures necessary to
comply. As of Oct. 18 2024 NIS2 is applicable.
Why have it?
● Increased level of cyberattacks
● NIS1 made us realize what we need to do better
● NIS2 will force companies and public sector in critical areas to do better
● NIS2 Introduces risk-based compliance
○ Part of a new wave of EU laws demanding this, also present in GDPR, the AI Act,
the Digital Services Act (DSA) and DORA.
○ Traditional compliance: a closed list of demands, not risk-based, e.g. GDPR.
○ New approach: Risk assessment built into compliance models, inherent
uncertainty, national enforcement based on risk-based approach.
Company impact of NIS2:
● Better training
● better incident reporting
● improving overall security
● funding of cybersecurity
Three areas that NIS2 introduces measures in:
● Strategy - strategic decisions that need to be made and taken care of in order to
achieve the NIS2 goals.
● Detection and response - obliges companies to have this.
● Infrastructure and application security
Scope and Triggers
● Member States are responsible for (like NIS1: strategies, response teams, points of
contact, etc.) but also supervision and enforcement obligations, which means
they are now responsible for monitoring and compliance.
● Entities (companies) in Annex 1 (highly critical sector) and Annex 2 (other critical
sectors): For these companies the importance lies within cybersecurity risk
management and reporting - identify, manage, assess and mitigate risks.
● Trigger 1: If your company is within either Annex 1 or 2 AND carries out activities in
the EU AND meets the threshold for medium-sized enterprises, then it is obligated to
follow NIS2.
● Trigger 2 - irrespective of size:
○ Telecommunications: Companies involved in providing telecommunications
services.
○ Sole Provider of a Critical Service: Entities that are the only providers of a
service deemed critical. E.g. electrical or water.
○ Impact on Public Safety, Security, or Health
○ Significant Systemic Risk
○ Regional or National Importance
○ Importance to a Specific Sector or Service: Entities that are crucial for a
particular sector or service.
○ Designated in Resilience of Critical Entities Directive: Companies that are
specifically named in directives focusing on the resilience of critical entities.
● Trigger 3: Always applies to
○ Public administration entities of central governments (not judiciary, parliament
and central banks)
○ Public administration entities at regional level based on risk assessment
○ States may decide to apply it to education (e.g. critical research)
● Does not apply to:
○ Public administration entities: Defense, national security, public security, law
enforcement
○ Private entities in the above areas can, at the state’s discretion, be excluded.
Annex 1: They are categorized into two main groups: essential and important entities
Essential Entities:
● Energy (electricity, heating & cooling, oil, gas, hydrogen)
● Transport (air, rail, water, road)
● Banking and financial market infrastructures
● Health
● Water
● Digital infrastructures (internet backbones, Content Delivery Networks (CDN), cloud,
etc.)
● ICT Management
● Public admin - judiciary, parliaments, central banks
● space
Important entities
● Postal and courier
● waste management
● chemicals
● food
● manufacturing (medical, computer, electrical, machinery, motor vehicles, other
transport)
● digital providers (platforms, search engines, social networks)
● research
Risk management and reporting - one of the most important roles the member states play
● Art. 21: Member states must ensure compliance and can hold entities liable -
member states are supposed to introduce methods that can be measured against.
● “All hazards” approach - must prepare for all conceivable attacks - should at least
include:
○ risk analysis, incident handling, continuity (backups and disaster recovery),
supply chain security, security in acquisition, development and maintenance,
policies for assessing effectiveness, hygiene and security practices,
cryptography and encryption practices, HR security (access control policies
and management), the use of MFA.
● Must have infrastructure in place to enforce and oversee
Risk management - entities
● Art. 21: Risk management measures are: technical, operational, and organisational.
They are meant to manage the risk, prevent and minimize impact on recipients of
own and other services.
● Factors to take into consideration:
○ Mandatory: state of the art → thus need to find out what that is and implement
it.
○ Where applicable: European standards, international standards, cost of
implementation (you can choose a cheaper but similar system) → if there is
an EU standard it has to be taken into consideration when doing risk
management, and the same for the others.
○ Measures must always be appropriate to risk in relation to: exposure, size,
likelihood, and impact.
● Auto-policing - where you’re not in compliance, you need to implement mechanisms
that monitor your performance.
● Implementing acts → need to be adopted by the Commission, which means extra
compliance and uncertainty.
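What "measures appropriate to the risk" and "a cheaper but similar system" look like when written down is a risk register, so here is an added example (not from the lecture notes, and not taken from NIS2 or any standard) of one: each risk gets an inherent score from likelihood and impact, exposure to the internet raises the likelihood, and for each risk above the entity's tolerance the cheapest control that brings the residual score back within tolerance is chosen; where no candidate suffices the risk is escalated rather than silently accepted. The 1-5 scales, the tolerance values, the risks, the controls and their costs are all constructed for the example.

```python
"""Added example: a proportionality-driven risk register.

inherent  = effective_likelihood * impact     (exposure bumps likelihood)
residual  = (effective_likelihood - control.likelihood_reduction) * impact
Pick the cheapest control whose residual is within tolerance; escalate otherwise.
Scales, risks, controls and costs are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE_MAX = 5  # constructed 1..5 scale for likelihood and impact


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int         # 1 rare .. 5 almost certain, before exposure is considered
    impact: int             # 1 negligible .. 5 severe, for the entity and its recipients
    internet_exposed: bool  # exposure is one of the proportionality factors


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                  # constructed relative implementation cost
    likelihood_reduction: int  # likelihood steps the control removes


def effective_likelihood(risk: Risk) -> int:
    # Internet exposure raises likelihood by one step, capped at the scale maximum.
    return min(SCALE_MAX, risk.likelihood + (1 if risk.internet_exposed else 0))


def inherent_score(risk: Risk) -> int:
    return effective_likelihood(risk) * risk.impact


def residual_score(risk: Risk, control: Optional[Control]) -> int:
    reduction = control.likelihood_reduction if control else 0
    return max(1, effective_likelihood(risk) - reduction) * risk.impact


def choose_control(risk: Risk, candidates: List[Control], tolerance: int) -> Optional[Control]:
    """Cheapest candidate that brings residual risk within tolerance (a cheaper but
    similar system is acceptable); None if no candidate suffices."""
    sufficient = [c for c in candidates if residual_score(risk, c) <= tolerance]
    return min(sufficient, key=lambda c: c.cost) if sufficient else None


def plan(risks: List[Risk], controls: Dict[str, List[Control]],
         tolerance: int) -> List[Tuple[str, int, str, Optional[str], int]]:
    """One row per risk, worst inherent score first:
    (risk, inherent, status, chosen control, residual); status is accept/mitigate/escalate."""
    rows = []
    for r in sorted(risks, key=inherent_score, reverse=True):
        inherent = inherent_score(r)
        if inherent <= tolerance:
            rows.append((r.name, inherent, "accept", None, inherent))
            continue
        chosen = choose_control(r, controls.get(r.name, []), tolerance)
        if chosen is None:
            # Nothing proportionate gets within tolerance: a management decision is needed.
            rows.append((r.name, inherent, "escalate", None, inherent))
        else:
            rows.append((r.name, inherent, "mitigate", chosen.name, residual_score(r, chosen)))
    return rows


# Constructed register for a fictional entity.
RISKS = [
    Risk("Ransomware via phishing", likelihood=4, impact=5, internet_exposed=True),
    Risk("Unpatched VPN appliance", likelihood=3, impact=4, internet_exposed=True),
    Risk("Backup tapes lost in transit", likelihood=2, impact=3, internet_exposed=False),
]
CONTROLS = {
    "Ransomware via phishing": [
        Control("Awareness training only", cost=2, likelihood_reduction=1),
        Control("MFA + mail filtering", cost=5, likelihood_reduction=3),
        Control("MFA + mail filtering + EDR", cost=9, likelihood_reduction=4),
    ],
    "Unpatched VPN appliance": [
        Control("Monthly patch cycle", cost=3, likelihood_reduction=2),
        Control("72h patch SLA + exposure monitoring", cost=6, likelihood_reduction=3),
    ],
}

if __name__ == "__main__":
    for row in plan(RISKS, CONTROLS, tolerance=8):
        print(row)
```

Lowering the tolerance (as a more critical entity would) changes the outcome in two ways worth noticing: the VPN risk now needs the more expensive control, and the ransomware risk can no longer be brought within tolerance by any listed control and is escalated instead of being marked as mitigated.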
Reporting Obligations: Obligation to communicate
● The incident to authorities and recipients
● Communicate the measures that can be taken by the recipients
● shall communicate - of significant impact (severe operational disruption or financial
loss OR is affecting or may affect others by causing material or non-material loss)
● Where appropriate communicate - if adverse effect
Supply chain risk management Art. 18 and 22
● Essentially managing 3rd parties
● Including direct suppliers or service providers
● vulnerabilities specific to each supplier must be considered
● Art. 22: coordinated supply chain risk-assessment for critical supply chains
○ Coordination group, Commission, ENISA.
NIS2 and supply chain cybersecurity:
● NIS2 requires that all companies in scope demonstrate appropriate and effective
supply chain cybersecurity risk management, at least for their direct suppliers.
○ Companies do this by reference to the ‘international and European
standards’
● How NIS2 will enforce this is still to be announced, but especially for a country like DK,
where the economy relies on a few big players that are supplied by a variety of SMEs,
it is extremely important to figure out how SMEs can keep up with this documentation
in a scalable way.
Cybersecurity certification schemes art. 24
● Article 49 of Cybersecurity Act (2019) deals specifically with this
● Member states may require a particular certification scheme
● The commission may use delegated acts to force use of certain products and
services.
Supervision and enforcement
● Jurisdiction → E.g. if you’re based in DK it is the Danish law enforcement
○ Under the state of establishment - except telecoms (state of provision of
services)
○ ENISA needs to keep record of all national entities subject to obligation →
basically keep a list of entities in charge of cybersecurity.
National supervision 1: What does it include?
● On-site inspections, random checks
● independent security audits
● ad-hoc audits (if security breached or non-compliance) → spot check
● Powers of national authorities
○ Issue warnings
○ Binding instructions
○ Order non-compliant companies to stop
○ Monitor in a certain period or continuously
○ Make public
○ Fine (in addition and not instead of the above)
National supervision 2: If National supervision 1 does not give results
● They have the power to temporarily suspend or ban an entity or manager (not from
public entities)
Fines - very high fines compared to previous digital regulation.
Essential entities: Up to 10 million EUR or 2% of worldwide turnover
Important entities: Up to 7 million EUR or 1.4% of worldwide turnover
Who in the company are taking the action?
In accordance with NIS2 it needs to be:
● Board and senior management (art. 20)
○ Needs to implement strategy and governance that will result in proper risk
assessment and mitigation.
● Management bodies
○ Risk ownership - have the right strategy in compliance in place.
● Member states
○ enforcement
Key Takeaways:
● Risk ownership is at company management level
● Fines are significant
● Measures at state-of-the-art or recognized standard level
● Supply chain security
● Incident reporting
● Companies within the scope of NIS2 MUST NOT WAIT!
Cybersecurity Act (2019): Products and certification
● Gives ENISA the permanent mandate
● Introduces EU cyber framework
● Certification: EU-wide parameters on
○ technical requirements, standards, and procedures
○ surrounding risk-based certification schemes
○ different categories of ICT products, processes, and services
● Valid across the EU
● Supersedes member states’ individual certification schemes
● CSA certification is voluntary unless otherwise specified.
● Three levels of security (each level designating how resilient a product or a service
has to be)
○ Basic, substantial, high
Cyber resilience act proposal (2022): Products and services
● Proposal for cybersecurity requirements for hardware and software placed on the EU
market. Purpose is to establish cybersecurity requirements for hardware and
software marketed in the EU. Everybody who places digital products on the EU
market will be responsible for additional obligations around reporting and compliance,
such as fixing discovered vulnerabilities, providing software updates, and auditing
and certifying the products.
○ It shifts the security responsibility from the user to the producer of software.
○ PROBLEM: Puts obligations on the open source software development
community, especially since the definition of ‘non-commercial’ activity is
unclear and might exclude public foundations or those who accept donations.
● Covering those who place digital products on the EU market
● Additional obligations on: Reporting and compliance
● Scope: Manufacturers of devices and publishers of software
● Obligations based on categories: Critical 1 and 2 need to risk-assess, document,
conformity-assess and report vulnerabilities.
○ Non-critical products
○ Critical 1: Web browsers, password managers, VPNs, network management
systems, firewalls, identity management systems.
○ Critical 2: Desktop and mobile operating systems, container runtime
systems, public key infrastructure, digital certificate issuers, hardware security
modules.
Cyber resilience act: Risk assessment:
● The developer must perform a cybersecurity risk assessment that ensures the
following about the product (Annex 1):
○ Delivered without any known exploitable vulnerabilities
○ Delivered with a secure by default configuration
○ Minimize processing of data
○ Limit attack surfaces
○ Provide security updates (either automatic updates or notifying users)
○ Address and remediate vulnerabilities without delay
○ Perform regular tests and security reviews
○ Enforce a coordinated vulnerability disclosure policy
○ Securely and promptly distribute vulnerability patches to users
Cyber resilience act: Documentation
The product documentation must have the following:
● A description of the design, development, and vulnerability handling process.
● Assessment of cybersecurity risks
● A list of harmonized EU cybersecurity standards the product meets
● A signed EU declaration of conformity that the above essential requirements have
been met.
● A software bill of materials (SBOM) documenting known vulnerabilities and
components in the product
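The SBOM requirement and the "delivered without known exploitable vulnerabilities" requirement meet in one routine: read the component list, look each component up against the known vulnerabilities, and refuse to ship while a known-exploited one remains. As an added example (not from the lecture notes or from the CRA text), the block below does that over a minimal SBOM written in the CycloneDX JSON shape, which is a real format; the SBOM contents, the advisory list, its `EXAMPLE-…` identifiers and the version ranges are all constructed for the example, and the helper names (`match_advisories`, `release_gate`) are the example's own.

```python
"""Added example: checking an SBOM against known vulnerabilities.

- parse a CycloneDX-shaped JSON SBOM and pull out components with a purl
- match each component against constructed advisories by package purl and
  "first fixed version"
- gate a release: block while any known-exploited vulnerability is present,
  report the rest to the vulnerability-handling process
SBOM contents, advisories and identifiers are constructed for illustration."""
import json
from typing import Dict, List, Tuple

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "2.4.1",
     "purl": "pkg:generic/libexample-tls@2.4.1"},
    {"type": "library", "name": "jsonparse", "version": "1.0.9",
     "purl": "pkg:npm/jsonparse@1.0.9"},
    {"type": "library", "name": "imagecodec", "version": "3.2.0",
     "purl": "pkg:pypi/imagecodec@3.2.0"}
  ]
}
"""

# Constructed advisories (placeholder ids, not real CVEs): package purl without
# version, the first version that fixes the issue, and whether exploitation is known.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "purl": "pkg:generic/libexample-tls",
     "fixed_in": "2.4.2", "known_exploited": True},
    {"id": "EXAMPLE-2023-0002", "purl": "pkg:npm/jsonparse",
     "fixed_in": "1.0.9", "known_exploited": False},
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:pypi/imagecodec",
     "fixed_in": "3.3.0", "known_exploited": False},
]


def parse_version(v: str) -> Tuple[int, ...]:
    # Dotted numeric versions only, which is all the constructed data uses.
    return tuple(int(part) for part in v.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:npm/jsonparse@1.0.9' -> ('pkg:npm/jsonparse', '1.0.9')."""
    base, sep, version = purl.rpartition("@")
    if not sep:
        return purl, ""  # purl without a version component
    return base, version


def components(sbom_text: str) -> List[Dict[str, str]]:
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c for c in doc.get("components", []) if "purl" in c]


def match_advisories(sbom_text: str, advisories: List[Dict]) -> List[Dict]:
    """One finding per (component, advisory) where the shipped version is older
    than the first fixed version."""
    findings = []
    for comp in components(sbom_text):
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl"] != base or not version:
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"],
                                 "known_exploited": adv["known_exploited"]})
    return findings


def release_gate(sbom_text: str, advisories: List[Dict]) -> Tuple[bool, List[str]]:
    """(may_release, blocking advisory ids): block while any known-exploited
    vulnerability remains; other findings still go to vulnerability handling."""
    findings = match_advisories(sbom_text, advisories)
    blockers = [f["advisory"] for f in findings if f["known_exploited"]]
    return (len(blockers) == 0, blockers)


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        print(f)
    print("release allowed:", release_gate(SBOM_JSON, ADVISORIES))
```

Note that `jsonparse` ships exactly the fixed version and so produces no finding, while the `imagecodec` finding is reported but does not block: the gate enforces the "no known exploitable vulnerabilities" rule, and the remaining finding belongs to the "address and remediate without delay" process.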
Cyber resilience act: Conformity
● For non-critical products the producer can affirm compliance themselves
● For specified ‘critical’ or ‘Class 1 or 2’ products such as web browsers, VPNs or
remote access tools this has to be by an independent authority that is also a ‘notified
body’.
● All found vulnerabilities have to be reported to ENISA within 24 hours.
● This requirement is valid for the entire ‘life cycle’ of a product.
● PROBLEM: ENISA becomes the single point of failure.
DORA (2022): Specifically cybersecurity for finance providers
● Purpose was to push financial institutions to follow certain cybersecurity measures
● Financial institutions must follow rules for the protection, detection, containment,
recovery and repair capabilities against Information and Communication Technology
(ICT)-related incidents.
○ ICT risk-management
○ incident reporting
○ operational resilience testing
○ ICT third-party risk monitoring
● Scope: Applies to all financial institutions in the EU
○ Traditional: banks, investment, credit.
○ Non-traditional: crypto, crowdfunding platforms
○ third-party service providers that supply financial firms with ICT systems:
cloud.
● Deadline: Must be implemented by Jan 2025
○ Enforced by national regulators
○ ICT providers deemed “critical” will be directly supervised by lead overseers,
from the EU Supervisor Authorities (financial authorities).
Cyber solidarity act (2023): Early alarm and warning systems
● Proposal - NOT law yet!
● Proposing an EU cyber shield - a network of security centers and Security Operations
Centres (SOCs), which are entities that monitor and analyze insights on cyber
threats.
● Mechanisms:
○ Cyber Emergency Mechanism: preparedness and response to cybersecurity
incidents.
○ Cybersecurity incident review mechanism: Assess and review specific
cybersecurity incidents.
ENISA (2004) - European Agency on Cybersecurity
● Strengthened in the 2019 CSA
● Mostly advisory role, as national agencies have more power
● It has the power of:
○ Advice, support to member states, cooperation, coordination, research
education, policy development
What do non-cybersecurity acts do to cybersecurity?
● Some non-cybersecurity acts will have an impact on cybersecurity measures and
vice versa.
○ Cybersecurity demands can be made in non-cybersecurity acts
○ Demands made in cybersecurity acts may affect non-cybersecurity acts
GDPR and Cybersecurity
● Cybersecurity is a key component in GDPR compliance
● Art. 5: Organizations must maintain “appropriate security of the personal data, taking
into account the state of the art, and implementing appropriate technical and
organizational measures to ensure a level of security appropriate to the risk”
● The measures taken in NIS2 compliance will be similar to the above, but the above is
needed even where one is not under NIS2.
Platform regulations
● DSA and DMA obligations are in addition to NIS2, cyber resilience act, etc. but some
sector-specific laws impose additional cybersecurity obligations
AI Act Art. 15:
● High-risk AI systems should perform consistently throughout their lifecycle and meet
an appropriate level of accuracy, robustness and cybersecurity in accordance with
the generally acknowledged state of the art.
● If a company has a CSA certification there is a presumption of compliance.
Lecture 8: Introduction to cybersecurity risk management
Risk Management and Incident response
The foundation of modern cybersecurity is the NIST control catalogue (the SP 800-53 control
families). However, there are so many controls that not even the largest companies
implement them all. To understand what is necessary you need risk assessment and
management skills.
Framework (the NIST Cybersecurity Framework core functions):
1) Identify: Develop the organizational understanding to manage cybersecurity risk to
systems, assets, data, and capabilities.
2) Protect: Develop and implement the appropriate safeguards to ensure delivery of
critical infrastructure services.
3) Detect: Develop and implement the appropriate activities to identify the occurrence of
a cybersecurity event.
4) Respond: Develop and implement the appropriate activities to take action regarding a
detected cybersecurity event.
5) Recover: Develop and implement the appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were impaired due to a
cybersecurity event.
Assessing and Managing Cyber risk
Managing risk is a complex, multifaceted activity that requires the involvement of the entire
organization (this follows NIST SP 800-39). The organization must:
● Frame risk (establish the context for risk-based decisions)
○ Risk assumptions (about threats, vulnerabilities, consequences, likelihood of
occurrence)
○ Risk constraints (on risk assessment, response, monitoring alternatives)
○ Risk tolerance (levels of risk, types of risk, degree of risk uncertainty that are
acceptable)
○ Priorities and trade-offs (relative importance of business functions, trade-offs
amongst different types of risk, time frames in which organizations must address
risk, and any factors of uncertainty that organizations consider in risk
response)
● Assess risk - the purpose is to identify:
○ Threats specific to your org. (to operations, assets, or individuals) or threats
directed through your organization against other organizations or the nation.
○ Vulnerabilities internal or external to the organization
○ The harm (consequences/impact) to the organization that may occur given the
potential for threats exploiting vulnerabilities → quantifying the harm
○ The likelihood that harm will occur
○ The end result of all this together is a determination of risk (the degree of
harm and the likelihood of harm occurring)
● Respond to risk once determined and implement the controls you think you need
○ developing alternative courses of action → how could you do certain things?
○ evaluate the alternative courses of action → risk tolerance, chances you can
take, etc.
○ determining appropriate courses of action consistent with organizational risk
○ implementing risk response based on selected courses of action.
● Monitor risk on an ongoing basis to see if situations change
○ Verify that planned risk response measures are implemented and that information
security requirements derived from/traceable to the organizational business
functions, legislation, directives, regulations, policies, standards and
guidelines are all satisfied.
○ Determine the ongoing effectiveness of risk response measures following
implementation
○ Identify risk-impacting changes to organizational information systems and the
environments in which the systems operate.
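The frame → assess → respond → monitor loop above is easier to see on a concrete risk register. The following is an added example written for these notes, not code from the lecture or from NIST: it scores each risk as likelihood × degree of harm on two assumed 1–5 ordinal scales, flags risks above an assumed risk tolerance, and then picks controls under a budget (a risk constraint) by greedily buying whichever control removes the most excess risk per cost unit. The risks, controls, costs and reduction figures are constructed for illustration.

```python
# Added example (not from the lecture notes): a minimal risk register that
# walks the NIST "frame -> assess -> respond" loop on constructed data.
# Scales, names, costs and the greedy selection rule are illustrative assumptions.
from dataclasses import dataclass

# Framing: the ordinal scales the organisation agrees to score with.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One line of the register: a threat exploiting a vulnerability on an asset."""
    name: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT

    @property
    def score(self) -> int:
        """Inherent risk = likelihood x degree of harm, before any control."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Control:
    """A candidate response. `reduces` maps risk name -> (likelihood steps, impact steps) removed."""
    name: str
    cost: int      # relative cost units; the budget is the risk constraint
    reduces: dict


def residual_score(risk: Risk, controls: list) -> int:
    """Risk remaining after the given controls are applied; scales never drop below 1."""
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for c in controls:
        d_lik, d_imp = c.reduces.get(risk.name, (0, 0))
        lik, imp = max(1, lik - d_lik), max(1, imp - d_imp)
    return lik * imp


def assess(risks: list, tolerance: int) -> list:
    """Assess step: names of risks above tolerance, highest inherent score first."""
    over = sorted((r for r in risks if r.score > tolerance), key=lambda r: r.score, reverse=True)
    return [r.name for r in over]


def select_controls(risks: list, controls: list, budget: int, tolerance: int):
    """Respond step: greedily buy the control with the best excess-risk reduction per
    cost unit until every risk is within tolerance or the budget is exhausted.
    Returns (chosen control names, names of risks still above tolerance)."""
    def excess(chosen):
        return sum(max(0, residual_score(r, chosen) - tolerance) for r in risks)

    chosen, remaining = [], budget
    while excess(chosen) > 0:
        current = excess(chosen)
        best, best_ratio = None, 0.0
        for c in controls:
            if c in chosen or c.cost > remaining:
                continue
            ratio = (current - excess(chosen + [c])) / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:  # nothing affordable still reduces excess risk: accept or escalate
            break
        chosen.append(best)
        remaining -= best.cost
    leftover = [r.name for r in risks if residual_score(r, chosen) > tolerance]
    return [c.name for c in chosen], leftover


# Constructed sample register and control catalogue (illustrative, not real data).
RISKS = [
    Risk("ransomware on file servers", "file servers", "ransomware gang",
         "unpatched hosts, no offline backups", "likely", "severe"),
    Risk("supplier VPN credential theft", "VPN gateway", "phished supplier",
         "password-only supplier accounts", "possible", "major"),
    Risk("website defacement", "public web server", "hacktivist",
         "outdated CMS", "possible", "minor"),
    Risk("laptop theft", "staff laptops", "opportunistic thief",
         "unencrypted disks", "likely", "moderate"),
]
CONTROLS = [
    Control("offline backups", 3, {"ransomware on file servers": (0, 2)}),
    Control("EDR and patching", 5, {"ransomware on file servers": (2, 0), "website defacement": (1, 0)}),
    Control("supplier MFA", 2, {"supplier VPN credential theft": (2, 0)}),
    Control("full-disk encryption", 2, {"laptop theft": (0, 2)}),
]
TOLERANCE = 8  # framing decision: scores above 8 need a response


if __name__ == "__main__":
    print("above tolerance:", assess(RISKS, TOLERANCE))
    for budget in (12, 7):
        chosen, left = select_controls(RISKS, CONTROLS, budget, TOLERANCE)
        print(f"budget {budget}: implement {chosen}; still above tolerance: {left}")
```

With a budget of 12 the greedy pass buys all four controls and every risk ends within tolerance; with a budget of 7 it cannot afford EDR and patching, so the ransomware risk stays above tolerance (residual 12) and has to be explicitly accepted or escalated to management. That leftover list is exactly what the monitor step has to keep watching.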
Incident Response plan purpose:
● Minimize the impact of cybersecurity incidents on the confidentiality, integrity and
availability of the institution's services, information assets and operations.
● Mitigate threats and vulnerabilities while cybersecurity incidents are occurring.
● Improve cybersecurity incident coordination and management within the investment
industry.
● Reduce the direct and indirect costs caused by cybersecurity incidents.
● Having a framework makes it possible to report findings to executive management.
To create an incident response plan, one might use the NIST SP 800-61 incident handling
life cycle, which has four stages:
1) Preparation
a) Perform a risk assessment as noted above (most sensitive assets, critical
security incidents).
b) Create a communication plan, document roles, responsibilities, and
processes and recruit members to the cyber incident response team (CIRT)
2) Detection and analysis
a) The team should be able to effectively detect deviations from normal
operation in organizational systems and, when an incident is discovered,
collect additional evidence, decide on the severity of the incident, and
document the "who, what, where, why, and how".
b) Here the cyber maturity of the org matters: if you don't use monitoring or keep a
close eye on your logs, will you even notice that you have been breached?
Ransomware is the obvious exception, since it announces itself.
c) An area where AI is already at work, as it is good at spotting patterns.
3) Containment, eradication and recovery
Containment
a) Once identified, immediate goal is to contain the incident and prevent further
damage;
b) Short-term containment - isolating network segments or taking down infected
production servers.
c) Long-term containment - applying temporary fixes to affected systems to
allow them to be used in production, while rebuilding clean systems.
Eradication
a) Identify the root cause of the attack, remove malware or other threats, and prevent
similar attacks in the future. Fix vulnerabilities immediately if they were exploited.
b) This can be hard with sophisticated attackers, and you might never find out.
It usually involves external help, especially since skilled attackers may have
built multiple backdoors.
c) Always document this process.
Recovery
a) The team brings affected production systems back online carefully, to ensure
another incident does not take place. Important decisions at this stage are
which point in time to restore operations to, how to verify that affected
systems are back to normal, and how to monitor that activity stays normal.
b) This is the point where control and decision-making slowly move back to
management as they take control of their restored business.
c) This stage must be completed as quickly as possible to minimize losses, but
also should not be rushed.
4) Post-incident activity
a) Complete documentation of the incident, investigate further to identify its full
scope, and understand where the response team was effective and which areas
require improvement.
b) Quite often this means management talking staff through the IR forensics
report and hoping they do not leak it.
c) The last point is usually quite an extensive list, and post-breach is the moment
when you will have the board's full attention and a chance to get the necessary
budget.
These frameworks are missing a communication section:
● Who do you inform of what, and when?
● Who handles this, who speaks to staff and external contacts, and who has the authority to
approve company statements? Do you prioritize certain customers?
● Which regulator requires what information, and when?
● Prepared statements can help - the best companies have statements ready that they
can adjust.
● Do you talk to the press or not?
What is an incident response plan?
The incident response plan is in essence a playbook for how to respond to a serious breach:
● Under what conditions, and on whose authority, is internet connectivity disabled?
● Who ensures that computer virus infections are identified and removed?
● Increasingly, customers and insurers will ask companies for documentation on their
cybersecurity risk management practices.
● Having a business continuity plan is not enough:
○ A Business Continuity Plan (BCP) outlines procedures and instructions an
organization must follow in the face of disaster, covering business processes,
assets, human resources, business partners, and more. It aims to ensure the
continuous operation of an organization during and after a disaster.
○ An Incident Response Plan (IRP), on the other hand, is focused specifically
on responding to cybersecurity incidents. It outlines the steps to detect,
respond to, and recover from network security incidents, aiming to minimize
the impact of such events.
● Most organizations keep the two as separate documents.
How you write an incident response plan:
1) Detail the organization’s incident response strategy and how it supports business
objectives.
a) Make sure that staff members noticing an IT incident know how to report it, to
whom, and what information to include.
b) The IT team needs clear policies on how to escalate various scenarios, and to
whom.
c) It needs to be clear who activates the response plan.
d) The plan needs to be available to you when you need it (NCCC recommends
a printed version in a backpack with a clean laptop).
2) Roles and responsibilities involved in incident response (including backup staff)
a) Everyone needs to know their role and the limits of their role.
b) Everyone needs to know who is in charge and can make the decisions.
c) Everyone needs to know contact details and have them readily available, even in
case all company communication tools are down.
d) Assign a backup for each role in case a staff member does not pick up the
phone.
3) Procedures for each phase of the incident response process, including appropriate
documentation.
a) Establish clear procedures for all stages of the incident response:
b) preparation, identification, containment, eradication, recovery, lessons
learned.
c) You can write a general plan for all cyber attacks, or you can develop plans
for different kinds of attacks.
4) Communication procedures within the incident response team, with the rest of the
organization and external stakeholders.
a) It needs to be clear who decides what to reveal to which
stakeholder (staff, customers, suppliers, regulators, journalists).
b) Have prepared statements for the most common scenarios ready and adapt them
as needed.
c) Have a clear overview of the regulatory requirements regarding incident
reporting: how, when, to whom, and in how much detail.
d) This can be cybersecurity regulation (e.g. NIS2) but also GDPR or certain industry
standards.
Writing an incident report to a regulator
1. When the problem was first detected and by whom
2. The scope of the incident and how you know
3. How it was contained and eradicated
4. What work was performed during recovery and by whom
5. Optional: areas where the computer incident response team was effective
and areas that need improvement
5) How to learn from previous incidents to improve the organization's security posture.
a) Formalize the evaluation and analysis procedure, since not everybody will be
keen to do this after a messy incident.
b) Assign responsibilities for implementing any necessary improvements
identified in the process.
c) This process must be managed carefully, as it might name specific staff
members or departments and show how their negligence or flawed decision-making
exposed the company to huge damage.
Lecture 9: Supply chain cybersecurity
Supply chain cybersecurity is a political risk assessment rather than a purely technological
one, and it involves looking into these 3 elements:
Hardware: Where did your hardware (e.g. IoT devices) come from and who can access it -
could your manufacturer access it through a backdoor (the Huawei debate), and will the
supplier patch the software if vulnerabilities are found?
How do you assess this risk?
● More a political question than a technical one: it is technically possible, but the
question is whether or not China would use commercial products to tempt strategic
targets into buying tech products that expose their networks.
● A new German law (the IT Security Act 2.0, 2021) allows the exclusion of a provider based
on the perceived risk associated with the political system in its country of origin. In
parallel, the EU developed the 5G cybersecurity toolbox (2020), since it is up to the member
states to protect their networks.
Software: Did the developer that wrote software for my company check for
vulnerabilities?
1) If they used a lot of open source components and one of them is found to be
problematic, will they alert you, and will they fix the vulnerability?
2) Examples are the SolarWinds (2020) and NotPetya (2017) attacks: both delivered malicious
code through a trusted software update channel (the SolarWinds Orion build, and the
Ukrainian M.E.Doc accounting software respectively).
How do you stay alert?
● Acting early is the best defense, but it means taking measures based on a risk
analysis, not on proven facts.
● Currently you can buy any security software you want, even if you are a critical
infrastructure company. Therefore a licensing model has also been requested, so that
critical infrastructure companies can only buy licensed software.
● There are EU efforts to create a certification system run by ENISA (the CSA certification
framework), but the current focus there is on cloud services and GDPR.
This is also where the Cyber Resilience Act, proposed in 2022, is extremely important, as its
purpose is to set requirements for secure software and hardware on the EU market →
see lecture 7 notes.
Monitoring the cybersecurity standard of suppliers: What do you know
about your suppliers' cybersecurity maturity and practices, especially if
you grant them either physical access or access to your network?
This is where NIS2 will change the scene dramatically. See notes from Lecture 7.
Lecture 10: Cyberwar in Ukraine
Before the war:
● Belarusian cyber partisans disabled the railway service that brought Russian
soldiers to the border (January 2022) → Russia said it had to stop the railways as they were
used for military purposes.
● Russian campaigns against Ukrainian critical infrastructure have not stopped since
2014 but increased, and in the hours before the invasion new wiper malware (HermeticWiper)
was deployed; an updated version of the grid-attack malware, Industroyer2, was used
against the power grid in April 2022.
● There was an attack on Viasat satellite communications (used by the Ukrainian
military) just hours before the war began.
What did the Russian hackers try to achieve in Ukraine
● Steal data necessary for corruption, e.g. car registration data
● Disrupt government functions - websites, communication
● Disable infrastructure, in particular broadcasting and internet
○ This is why Elon Musk's decision to switch on Starlink was so important.
When the war began
● Ransomware gangs discovered patriotism: less worried about earning money and
more interested in supporting the Russian war effort. The Conti ransomware group
declared it would support Russia without getting paid; some of its members were
Ukrainian, and an insider leaked the group's internal communications.
● Ukraine set up an IT army including:
○ Elite hacking unit recruited from private cybersecurity companies - we know
almost nothing about what they’re doing.
○ Telegram channel coordinating volunteers willing to take part in daily DDoS
campaigns against Russian websites (esp. banks and the media)
● The Russian cyberwar on critical infrastructure continued although not on the scale
anticipated.
Why were there no spectacular successes with cyberwar?
● Cyberwar was less of a priority for the Russian side than assumed: they expected
the war to be over in days.
● Ukrainian defenses of government servers and critical infrastructure worked better
than expected.
● Ukraine has been preparing for this since 2014 and received substantial training in
cyber defense from NATO countries.
● Since the beginning of the war Ukraine has received IT support from western
governments plus huge support from the private cybersecurity industry (Microsoft,
Google) and Elon Musk's Starlink.
Nothing to worry about?
● In addition to the attacks against Ukraine, the US has also reported the discovery of
new malware specifically designed to attack industrial control systems in the US energy
sector.
● For that reason, the US President issued a warning on 21 March 2022 urging
companies in US critical infrastructure to improve their defenses immediately.
● This was followed by a joint advisory from the Five Eyes intelligence alliance on 20 April
2022, stating that critical infrastructure companies in countries supporting Ukraine were
at high risk of cyberattacks and should take urgent steps.
Rules for civilian hackers during war (published by the ICRC in 2023):
Eight rules for civilian hackers in war:
1. Do not direct cyber attacks against civilian objects
2. Do not use malware or other tools or techniques that spread automatically and
damage military objectives and civilian objects indiscriminately
3. When planning a cyber attack against a military objective, do everything feasible to
avoid or minimize the effects your operation may have on civilians.
4. Do not conduct any cyber operation against medical and humanitarian facilities.
5. Do not conduct any cyberattacks against objects indispensable to the survival of the
population or that can release dangerous forces. (Energy, water)
6. Do not make threats of violence to spread terror among the civilian population
7. Do not incite violations of international humanitarian law.
8. Comply with these rules even if the enemy does not.
Four obligations for states (due diligence) regarding hackers acting from their territory:
1. If civilian hackers act under the instruction, direction or control of a state, that state is
internationally legally responsible for any conduct of those individuals that is
inconsistent with the state’s international legal obligations, including international
humanitarian law.
2. States must not encourage civilians or groups to act in violation of international
humanitarian law.
3. States have a due diligence obligation to prevent international humanitarian law
violations by civilian hackers on their territory.
4. States have an obligation to prosecute war crimes and take the measures necessary to
suppress other IHL violations.
Lecture 11: Cybersecurity policy: Big Tech, UN, and
Cybernorms
Who rules cyberspace?
● Cyberspace is a peculiar domain that challenges established notions of geography.
● States still claim control of their networks, but the decentralized nature of the internet
has posed unique challenges for policy makers.
● The UN first discussed the need to secure cyberspace in 1998, but we are still
trying to establish the fundamental framework for how to do that.
● There is no other foreign policy domain where so much of the technology, data,
knowledge and skills is in (very few) private hands.
Cyberspace public or private?
● Much of cyberspace belongs to big tech, who have grown accustomed to making
their own rules and creating their own exclusive user environments.
● Facebook is now deciding the limits of free speech on the internet and where hate
speech or terrorism begins.
● Google and Alibaba are developing their own concepts of AI ethics.
● Microsoft has its own Digital Crimes unit going after cyber criminals globally using US
law.
● Elon Musk’s brief tenure at Twitter has shown that entire ethics approaches (and the
ethics and compliance teams) can be abandoned overnight.
What was this 'cyber norms' debate Microsoft tried to shape?
● The UN established a Group of Governmental Experts (GGE) to study cyberspace in 2004.
● The third GGE (2013 report) established that international law is applicable to cyberspace.
● The fourth GGE (2015 report) issued a consensus report including recommended norms
of responsible state behaviour in cyberspace.
● However, these are 'voluntary, non-binding norms, rules or principles'.
Microsoft set up the Cybersecurity Tech Accord (2018), a coalition of big tech companies, after
its first attempt to shape the cyber norms debate failed (2017, the year the fifth GGE could
not agree on a report).
Together with the French government, Microsoft backed the Paris Call for Trust and Security
in Cyberspace (2018), whose nine principles are:
● Protect individuals and infrastructure
● Protect the internet
● Defend electoral processes
● Defend intellectual property
● Non-proliferation
● Lifecycle security
● Cyber hygiene
● No private hack-back
● International norms
The CyberPeace Institute was set up in Geneva (2019), heavily sponsored by Microsoft.
They do:
● CyberPeace Builders: corporate volunteers who work with NGOs around the world to
improve their cybersecurity.
● Publish a quarterly report on the impact and harm of the cyberwar in Ukraine.
● Cyber Incident Tracer #HEALTH, tracking attacks on the health sector.
● Strong focus on securing immunity from cyberattacks for the healthcare sector.
● Together with the Tech Accord, issued a multistakeholder manifesto on 30 September
2021 on the principles that should guide the UN cybercrime convention talks.
What cyber regulation do we have?
● States should not knowingly allow their territory to be used for internationally wrongful
acts using ICTs.
● States should not conduct or knowingly support ICT activity that intentionally damages
critical infrastructure.
● States should encourage responsible reporting of ICT vulnerabilities and share
associated information.
● PROBLEM: these (2015 GGE) norms are voluntary and non-binding, and key terms are not
well defined.
UN Cybercrime convention
● could be the first UN treaty on a cyber issue with real teeth
● Established framework for cooperation against cybercrime for all UN member states
● However, the effort was led by Russia and China, who were unhappy with some of the rules
in the Council of Europe's Budapest Convention on Cybercrime, which has around 70
parties that have modeled their legislation on it. Russia and China have not signed
it and won't.
● The working group (Ad Hoc Committee) was established in 2019, but when the talks started
in 2022 they were overshadowed by the Ukraine war: a tense discussion about what to do
about cybercrime.
● China has led call to ‘criminalize dissemination of false information that could lead to
social disorder’. However, many states find the option of using this framework to
share information on cybercriminals attractive.
How can we describe the relationship between big tech and diplomacy
today?
● While much thought has been put into cyber policy since 2017, there is still no clear
and distinctive model of cyberspace governance that takes the enormous role of the
private sector into account - the closest we have come is the idea of ‘multi-
stakeholderism’.
● PRO: Actors like Microsoft are rightly worried about some of the information sharing
duties discussed at the cybercrime convention working group and feel they have too
little input.
● CON: To what extent should unelected private businesses be given a formal say in
UN discussions or other international fora?
Hybrid role of big tech
● We saw them as the villains at the beginning of the course; the US and EU now try
to regulate them or even break them up.
● We saw them as saviors in the second part, saving Ukraine's critical
infrastructure, and they would be just as important for us in a real conflict as they are
for Ukraine right now.
● While we blame Facebook for undermining democracy, Microsoft runs its global
Defending Democracy Program to protect political campaigns and help organize the
fight against disinformation.
Last lecture: Techdiplomacy
Techplomacy - Casper Klynge and Nikolaj Wædegaard:
● What worked well and what didn’t work? Why is it currently falling apart?
● Where do you see the future of danish cyber?
● How do you see the intense regulation in EU, advantage or not?
● Government affairs/public affairs
○ Focus on the next decade's earnings rather than quarterly earnings
● How is Europe going to survive when we are so dependent on technology that is
not in Europe?
Big tech - Nemanja Malisevic:
● Always deals with issues from a geopolitical perspective
● Regulation is made from a geopolitical perspective
MFA Jeppe:
● international politics → the same as geopolitics?
Lecture 9: cybersecurity and supply chain
What makes the guidance (ENISA, NIST, UK National Cyber Security
Centre) different and similar?
● All taking a similar approach but differentiating in terms of wording of steps.
● All suppliers should be treated the same → Unrealistic with a limited budget
○ Should be differentiated based on how much access they have to your
systems and physical location.
Exam
● Best way to prepare: practice essay-style answers.
● Work with the PowerPoint slides as a first layer and decide where you want to go deeper.
● It is good to cite in a general way if a specific person says something specific.
● Whether the student can think → convincing structure.
○ The intro need a structure saying where this intellectual effort is going.
● Whether the student has read
○ Many arguments, good references
● Whether the student has expert knowledge
○ dates, examples (could be real life, could be illustrative), be specific and
detailed.
● Around 3 essays
How to answer impossible large question?
● Focus on the question: does it have multiple parts?
● Define key terms, and use this to narrow the scope.
● Explain your choice of examples.
● Build a structure that aligns with your interpretation of the question; the last sentence
should directly answer the question.
Structure the essay answer:
● Start: a one-sentence answer which frames your interpretation.
● Build on your variables and elaborate why those are your variables.
● Conclusion: refer back to your arguments and provide some examples again.
Test question: Why is SCCS (supply chain cyber security) such a
prominent issue today when it has not been in the past
● Start one sentence answer: Increasingly companies are outsourcing
Starlink:
● Starlink should be equally available to everyone and support every UN member state.
● The UN will financially support member states that are at war and in need of Starlink's
services.
● Starlink cannot be used to support military attacks.
● Starlink should not be targeted, as it is so important for local communities.
● Fair usage contract
○ information
○ pollution
Exam format
What due diligence duties do states have in cyberspace
One sentence answer: They are responsible for ensuring the confidentiality, integrity and
availability of the technologies in cyberspace.
Introduction: In cybersecurity in general there is a need for more due diligence, especially
when it comes to networks and other states using your network to commit a cybercrime in
another country. It is then the state whose network is compromised that had the
responsibility of securing its network beforehand.
Argument 1: No one other than the state that controls a network is able to secure it.
Argument 2: Being used as a facilitator does not give you a free pass.
Conclusion: