Ten Rules for Cyber Security
Eneken Tikk

This article was first published in Survival | vol. 53 no. 3 | June-July 2011 | pp. 119-132


-tions infrastructure, banks and online media in 2007, the global perception of cyber threats has drastically changed.1 Politically and ideologically moti-

security experts and have shown there is a price to pay for an advanced

worm targeting Microsoft Windows, detected in 2008) and Stuxnet (a worm targeting the Iranian nuclear programme) show that cyber crime continues to increase in sophistication.2

Before the Estonian incident, organisations tended to treat their risks and arrangements in isolation. Cyber security was merely the sum of indi-

Other areas of policy and law, beyond cyber crime, also need to be

Eneken Tikk is Legal Adviser at the NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia.

cations test the limits of the existing legal framework for data protection, electronic communications and access to public information. Moreover, nations are already developing cyber-warfare capabilities. The spectrum of

patching software, for example) to breaches of legal obligations (such as not reporting illegal activity) to crime to national-security threats to out-

relating to cyber security range from the soft (standards and best practices) to organisational (contracts and internal regulations) to national to international agreements and customary law, which inform the four key legal

areas the law of network and information security (also referred to as cyber law or information-society law), dealing with, for example, data protection, e-commerce, electronic communications and access

-tion, cooperation); national-security law and possible restrictions to human rights and liberties resulting

4 The spec-

of legal frameworks and remedies. Contemporary cyber threats can only be confronted by combining

the regulation, remedies and legal practice these four key areas of law. Ten rules focused on issues and working solutions arising from discussions among experts or in the course of cyber-incident handling can be

5

general, and highlight the disparity between legal theory and practice. The rules are intended to focus international debate on the quality and interpretation of existing law rather than the need for new legal frame-

political or technical aspects and need to be considered from the perspective of constructive solutions. Several issues seen as challenges for new legislation, for example data protection or Internet service-provider

Cyber attacks test the limits of existing law

(ISP) liability, can, moreover, be solved through interpretation of or simple exceptions from existing legal constructs instead of a wholly new legal approach.

The Territoriality Rule

Information infrastructure located within a state's territory is subject to that state's territorial sovereignty.

In view of the global nature of cyber threats, there is on-going debate over whether territoriality-based legal frameworks can cope, but the lessons of Estonia, Georgia and other major cyber incidents show that nations can and

communications, criminal sanctions, investigative authority, cooperation with ISPs and many other essential elements of successful cyber defense depend on the quality of the national law. Until the options for implementation and interpretation of national legal instruments are exhausted, it is

international level.

is subject to the sovereign prerogatives of that state. Every government

territory, for example by ensuring the availability and quality of logs, maintaining an overview of the providers of electronic communications, developing an understanding of threats and capabilities existing within its jurisdiction to cope with and manage incidents, and balancing the development of the information society with the interests of national security.

The territoriality principle empowers nations to impose their sovereignty on information infrastructure located within their territory or otherwise subject to their jurisdiction. The responsibility of a state for securing its own networks is supported by the internationally recognised concepts of non-intervention and sovereignty.6

The Responsibility Rule

state.

If a cyber operation has been launched or otherwise originated from govern-

in question is associated with the operation. Nations therefore need to con-

activities that make use of their information infrastructure. They will face public condemnation and will be expected to respond and assist with inves-

or about the perpetrators, methods and tools involved, and even active law-

reasonably be expected from the countries whose infrastructure has been involved.

critical Estonian government and private infrastructure networks. This

7 China

the United States' and other nations' information systems.8 Countries may also be expected to raise their own levels of cyber security by establishing stronger control over the use and exploitation of the information infrastructure under their jurisdiction. The balance between economic and security interests will, of course, need to be struck on a case-by-case basis.

organising, training, supplying and equipping as well as the selection of targets and the planning of the whole of an operation) is not enough to meet the threshold.9 In the 1995 Tadic case, it was concluded that overall control

ipation in the planning and supervision of military operations.10 Constructs

known in international environmental law.

The Cooperation Rule

located in a state's territory creates a duty to cooperate with the victim state.

The interconnectedness of global information infrastructure makes it impos-

well as between national governments and international organisations. Cross-disciplinary cooperation between legal, policy, military and technical experts is also necessary.

While the vast majority of information infrastructure is privately

mation services and networks that the private sector supports on a contractual basis. Cooperation may take the form of consulting, information exchange and reallocation of resources, as well as supporting services

partnerships as well as coalition agreements will support the legal framework for cooperation. The Cyber Crime Convention invites the parties to cooperate through the application of relevant international instruments on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceed-

11

The cooperation principle can also be found in the North Atlantic Treaty, whereby the parties will consult together whenever, in the opinion of any of them, the territorial integrity, political independence or security of any of the parties is threatened.12

The Self-Defence Rule

Everyone has the right to self-defence.

The concept of self-defence is part of both criminal and international law. In principle, everyone has the right to self-defence, subject to the proportionality and necessity of such action.

In criminal law, if a victim reasonably believes that unlawful force is about to be used against him, there is no liability for what would otherwise be wrongful acts in self-defence. This is not to say that every cyber

last resort.

On the international level, the criteria for invoking individual and collective self-defence are based on custom, the UN charter and international

by international partners (the North Atlantic Council invoking Article V of

against one or more of the parties in Europe or North America shall be

each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the UN Charter, will assist the party or parties

13

The Data Protection Rule

Information infrastructure monitoring data are perceived as personal unless provided for otherwise (the prevalent interpretation in the EU).

The need for network monitoring and information exchange has to be carefully assessed against individuals' right to privacy. There is currently a considerable divide between the legal and technical approaches to data and their security.14 While the monitoring of network data seems to be well-established and routine

legal experts.

According to the EU Data Protection Directive,15 any information relating

The prevalent opinion in the countries implementing the directive is that IP addresses are personal data and subject to processing restrictions under national legislation.16 Such restrictions include requiring the consent of the data subject for processing these data, prohibitions on transferring these data to third countries, and potential inadmissibility as evidence of such data obtained in an unlawful manner. According to the EU Data Protection Directive, the transfer to a third country of personal data may take place only if the third country ensures an adequate level of protection.17

but the directive allows for exceptions in the public interest and for national security. There are also exceptions for criminal proceedings. Clearly identifying the need for and methods of data and packet inspection will help establish the right balance between privacy and monitoring.

The Duty of Care Rule

Everyone has the responsibility to implement a reasonable level of security in their information infrastructure.

The concept of duty of care is well established in many areas of law: an individual is under obligation to guarantee the protection of personal data he processes, and due-diligence duties arise from the legal framework of data protection, information-society services, consumer protection and so on. Under the EU Data Protection Directive, for example, a controller of personal data must implement appropriate technical and organisational measures to protect such data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, taking into account the state of the art and the costs of implementation.

for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981). Article 7 requires appropriate security measures to

against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination.

As cyber threats with political dimensions become more prevalent, the duty of care concept can be extended to develop security standards for critical information infrastructure and governmental or military information services.

The Early Warning Rule

There is an obligation to notify potential victims about known, upcoming

In 2008, 300 Lithuanian websites were defaced with the hammer and sickle symbol after the Lithuanian Parliament passed a law banning (among other

having

tomers and informed them about the incident.18 If implemented widely, this approach could considerably improve cyber security.

The fact that governmental agencies were given advance warning of the

ernmental information infrastructure and the need for a non-discriminatory duty to inform both public- and private-sector ISPs and web hosts about known threats.

or contracts. For Lithuania as well as other European Union members, the obligations of service providers to ensure security of services derive from the ePrivacy Directive EC/2002/58.19 This directive invokes a general obligation to take appropriate technical and organisational measures to safeguard the security of a provider's services. If necessary, the service provider must coordinate further action with the provider of a public communications network to which it connects. According to the E-Commerce Directive, member states may establish obligations for information-society service providers promptly to inform the competent public authorities of alleged illegal activities.20

The Access to Information Rule

The public has a right to be informed about threats to their life, security and well-being.

There is a strong trend in Europe towards transparency of governmental acts and records, giving the public the right to be informed about threats and decisions related to their life and well-being. A holder of information is required to disclose existing information to danger to the life, health and property of persons.21

The presumption is that public-sector information should be publicly accessible unless there are compelling reasons otherwise. While access to

awareness about cyber security, it may also result in unwanted publicity.

against them, and their results, might reduce trust in their business model

often require publication of such information. A balance needs to be struck between these public and private-sector interests. Open discussion of the

The legal framework for access to information will be an important aspect of cyber security in the context of strategic communication and public awareness.

The Criminality Rule

Every nation has the responsibility to include the most common cyber

The criminality rule is a reminder rather than something qualitatively new.

It is therefore practically impossible for the state to sanction someone

cyber crime.

The Lithuanian case showed that random private-sector targets can

showed that, in a country with a rather low rate of cyber crime, politically

disrupt communications within and with the government and leave national

investigatory powers. The Georgian case showed how seamless connections between patriotic hackers and a government conducting kinetic warfare can

Existing international agreements, such as the Council of Europe Convention on Cybercrime,22 are a good starting point for enhancing and harmonising national legal responses to cyber crime. Each party must adopt such legislative and other measures as may be necessary to establish as

access to the whole or any part of a computer system without right.23

The Mandate Rule

An organisation's capacity to act (and regulate) derives from its mandate.

realm of developing new or revising existing cyber-security agendas.

Analysis of existing legal and policy instruments related to cyber security reveals overlaps and gaps in international coordination.24 For example, international cyber-crime harmonisation has been a focus of at least six major international organisations. For states party to a number of such organisations, this raises the question of the appropriate input of each to a national cyber-security framework.

To justify governmental investments in their cyber capabilities, interna-

mechanisms for collective self-defence, it still needs an framework for han-

targeted against the organisation itself or an individual member states.

and as governmental information infrastructure becomes a more frequent target, developing national and international capabilities will become an investment issue. NATO's niche could be gathering, exchanging and devel-

consequences or issues of cooperative defense and security.

* * *

These ten rules outline key concepts and areas that must be included or addressed in a comprehensive legal approach to cyber security. They are intended to raise awareness about existing legal complications involving cyber security and the ways to overcome them, to serve as a focus for debate and coordination within and across disciplines, and to inform well-grounded proposals for additional legislation on the international level.

Notes

1

the legal considerations involved, see Eneken Tikk, Kadri Kaska and Liis Vihul, International Cyber Incidents: Legal Considerations (Tallinn: CCD COE Publishing, 2010).

2 www.damballa.com/research/

pmwiki.php/Main/HomePage; for Stuxnet see Nicolas Falliere, Liam O Murchu and Eric Chien, W32.Stuxnet Dossier, Version 1.3 (November

content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf, p. 4.

3 For details about the Estonian legal lessons learned and amendments to national laws, see Kadri Kaska, Anna-Maria Talihärm and Eneken Tikk, Developments in the Legal, Policy and Organisational Landscapes in Estonia since 2007, International Cyber Security Legal and Policy Proceedings (Tallinn: CCD COE Publishing, 2010), pp. 40–67.

4 Policy Conference organised by CCD COE. The agenda of the Conference

legalconference/.

5

Conference, four legal areas – data exchange, state responsibility, criminal cooperation and the applicability of international law – were addressed by legal experts from at least two key areas (data exchange from the cyber law and criminal law perspective, criminal cooperation from the criminal law and national-security law perspective, and so on), with the intent to identify gaps between these areas of law and come up with proposals on how to improve the existing legal framework. The agenda of the confer-

org/conference2010/agenda.html.

6 UN General Assembly Resolution 1514, at 67, UN GAOR, 15th Sess., Supp. No. 16, UN Doc. A/4684A, 14 December 1960.

7 Tikk et al., International Cyber Incidents.

8 See, for example, Dan Goodin, 'India and Belgium Decry Chinese The Register, 8

co.uk/2008/05/08/belgium_india_china_warnings; John Leyden, 'France

The Register www.theregister.co.uk/2007/09/12/

Jonathan Richards, James Rossiter and Richard Beeston, 'MI5 Alert on China's Cyberspace Spy Threat', Times -ness.timesonline.co.uk/tol/business/

industry_sectors/technology/

article2980250.ece.

9 1984 ICJ REP. 392, 27 June 1986.

10 Case No. IT-94-1 (International Criminal Tribunal for the former Yugoslavia, 1995).

11 Cyber Crime Convention, Article 23.

12 Article IV of the North Atlantic Treaty.

13 Article V of the North Atlantic Treaty.

14 See Eneken Tikk, IP Addresses Subject to Personal Data Regulation, International Cyber Security Legal and Policy Proceedings (Tallinn: CCD COE Publishing, 2010), pp. 24–39.

15 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free move-

L 281, 23/11/1995 P. 0031 – 0050.

LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

16 See Tikk, IP Addresses Subject to Personal Data Regulation.

17 EU Data Protection Directive 95/46/EC. Article 25(1).

18 For an overview and legal assessment of the Lithuanian incident, see Tikk et al., International Cyber Incidents.

19 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML.

20 EU E-Commerce Directive, Article 15(2).

21 Estonian Public Information Act, para. 28(1) 7.

22 The Council of Europe Convention on Cybercrime (ETS 185, signed on 23 November 2001, entry into force on 1 July 2004), aiming to facilitate international cooperation, detection, investigation and prosecution of cyber crime and calls for establishing a common basis for substantive and procedural law and for jurisdiction, is open for signature by the member states and the non-member states which have participated in its elaboration and for accession by other non-member states. As of December 2010 the total number of signatures accessions was 30 (Albania, Armenia, Azerbaijan, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Latvia, Lithuania, Moldova, Montenegro, Netherlands, Norway, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Macedonia, Ukraine and, as a non-member, the United States).

int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG.

23 Council of Europe Cyber Crime Convention, Article 2.

24 For an overview of current international legal and policy instruments on cyber security, see Eneken Tikk, Frameworks for International Cyber Security: Law and Policy Instruments (Tallinn: CCD COE Publishing, 2010).
