1, the vulnerabilities in these new layers are further organized by institutional form—whether the vulnerability arises within the organization (or nation), between organizations (or nations), or from other institutions at that layer.

In addition to categorizing vulnerabilities, the PCF builds on another aspect of the OSI model, the “protocol data unit,” such as bits for the physical layer, packets for the network layer, and data for the application and other top layers. These protocol data units “describe the rules that control horizontal communications” within a single layer of the OSI stack.[d]

At layer 8, for organizations, I suggest the controlling rules come from contracts. The much-cited law and economics scholars Jensen and Meckling have defined corporations as a “nexus of contracts.” [1] Contracts are the governance structure for relations between corporations, such as data-use agreements between an organization and its contractors. Less intuitively for non-lawyers, contracts also govern arrangements within a corporation, setting out the roles and actions of the board of directors, management, and employees. Contracts are thus the protocol data unit for layer 8, providing the rules within that layer.

At layer 9, the controlling rules for government—the protocol data units—are laws. Governments enact and enforce laws, requiring actions from the organizations within the government’s jurisdiction. The international realm of layer 10 operates where no binding law applies. Actors at layer 10 interact through diplomacy (or lack of diplomacy), such as negotiating a cyber-related treaty, and sometimes through declared or undeclared war.

Put another way, the traditional seven layers concern protocols expressed in machine language; layers 8 to 10 concern protocols (contracts, laws, diplomacy) expressed in natural language. The layers operate in a way familiar from the OSI stack: organizations at layer 8 select the applications at layer 7. Governments at layer 9 set laws to govern organizations. Actions at layer 10 affect the governments at layer 9, and apply when no single government can set the law.

The 3x3 Institutional Matrix

Universities have traditionally studied the three non-code layers in different departments. In general, business schools focus on managing companies and other organizations. Law schools are the experts in law. International relations programs study international affairs. These different university departments are organized based on the institutions they primarily study: companies, laws, and transnational institutions.

By contrast, my experience is that computer scientists often group all of these issues into the general term “policy.” Traditionally in computer science, this soft realm of “policy” is the generic term for everything not expressed in machine language. But public policy departments do not intensively cover all aspects of management, law, and international relations, so the computer science use of “policy” creates confusion for the other departments that increasingly teach and research on cybersecurity. The proposed framework matches the typical departmental organization in universities, and provides a visual representation of the key dimensions of what computer scientists have often simply called “policy.”

As an additional way to organize the many non-code cybersecurity concerns, the PCF employs a 3x3 matrix that refines which institutions are involved in each area of cyber vulnerability or response. Table 2 portrays the matrix. In it, each layer (row) is defined by the institutions that make decisions affecting cybersecurity. Layer 8 applies to organizations facing cyberattacks. Layer 9 applies to governments writing and enforcing laws about cybersecurity. Layer 10 applies where there is no government to issue laws. Study of layer 10 thus includes both state and non-state actors whose actions have transborder effects.

In the matrix, each of the three columns refines the sorts of institutions making the decisions. For each layer, column A contains issues arising within the institution—the organization or nation. Each “issue” identifies cyber vulnerabilities or mitigating activities. Column B contains issues defined by relations with other actors at that level. Column C contains issues where other limits arise from actors at the same layer of the stack.

This three-column approach becomes clearer as applied to layer 8, the organizational layer. Column A includes cybersecurity activities within a single organization. A company (or other organization that faces cybersecurity attacks) takes numerous actions to reduce cyber-risk. It develops incident response plans and other internal policies, and trains its employees. One way to conceptualize cell 8A is to think of the responsibilities of a CISO in managing cyber-risk within the organization.

Column B in layer 8 (cell 8B) concerns the organization’s relations with other actors. First, a company creates data-use agreements and other contracts with vendors and other entities. Flawed management of these relations can expose a company to risk, such as when it hires a subcontractor to manage systems or data and the contractor does so badly. Another much-discussed aspect of cybersecurity is information sharing between organizations, such as through an Information Sharing and Analysis Center.

The third column, cell 8C, concerns other limits that originate in the private sector. The PCI DSS standard is a well-known example, governing the security of payment card data at the point of sale and wherever else that data is stored, processed, or transmitted. This standard has a powerful effect on the cybersecurity of millions of merchants. The contractual standard originates in the private sector, led by the PCI Security Standards Council. If the standard is designed and implemented well, then cybersecurity improves; if done badly, cyber-risks and costs increase.

I have often encountered practitioners (and researchers) who believe “real” cybersecurity involves writing code.

[d] https://bit.ly/2x40Aoj