ABSTRACT
The inevitable evolution of technology has made it possible for many to become a power beyond other countries, especially in the information economy, in the information warfare1 that has emerged with this evolution, and in the ever-growing cyber warfare. In this direction, the critical infrastructure systems operated by the government or the private sector have begun to adapt to information technologies as a necessity. From medicine to the economy, from defense systems to vital resources, many areas have begun to be controlled over the internet, and threats in the cyber world have increased in the same way. This study examines the role of cyber security, the steps to be taken in the name of cyber security, the emerging national and international cyber security legislation, and the functions of cyber insurance.
I. INTRODUCTION
As security perceptions have changed with globalization, relations of correlativity and dependency have increased rapidly in the cyber sense. Cyber field tools such as services, servers and web pages are interconnected, and each part is located in a different physical region. Yet these instruments work together because they are mutually dependent on each other. However, each area has different drawbacks, and dominance over each area requires a different technology. Because cyberspace is to a large extent not a physical space, dominance in cyberspace is significantly different: physical tools lose much of their dominance in the cyber domain, and different strategies and technologies take their place. This increased correlativity has brought about many dangers. The information dissemination brought by globalization has increased the likelihood that another state will follow the military superiority that a state has earned and win the same in a short period of time2. All these developments bring the global world order face to face with the threat of cyber security. Combating this threat with conventional approaches to politics, economics and security falls short of defining and providing security in cyberspace effectively.
In this article we will discuss, respectively, the development of cyber security, the elements and objectives of cyber security, especially in the international arena, and cyber security legislation. Afterwards, we will turn to cyber security insurance and, in this direction, give our opinions and evaluations on the types of cyber threats and on insurance coverage and collateral.
II. CYBER SECURITY
A. Cyber security concept and purpose
According to the definition of the United States Department of Defense, cyber space is a global field of information that is formed by a network of connected networks, which is composed of infrastructures of information technology, including Internet communication networks, embedded processors and control units.
The concept of cyber security, which emerged to create safe cyber spaces for all users and a safe human rights environment in the cyber field, means, according to the definition made by the Information Technologies and Communication Authority (ICTA) in 2014, the policies, security concepts, security guarantees, guidelines, risk management approaches, activities, trainings, best practices and technologies used to protect the assets of institutions, organizations and users in the cyber environment. It covers the assets of institutions, organizations and users, information processing equipment, personnel, infrastructures, applications, services, telecommunication systems and information that is transmitted and/or stored in the cyber environment.
The definition of the cyber security concept is mostly based on information which is the basic material of information systems. Accordingly, in order for cyberworld to be safe, the confidentiality, integrity and accessibility of information must be ensured3.
When cyber attacks reach the point where all life in a country can stop, the significance of cyber security is understood. In general, cyber security strategies aim to make IT infrastructure safe and resistant to attack and to provide a reliable cyber space, to control economic and social welfare through information systems, to encourage a safe working environment and economic growth, to control the risks of information and communication technologies and to make knowledge infrastructures resistant. At a point where cyber threats are increasing rapidly and jeopardizing security, many states are investing heavily in building security teams, training qualified staff and providing infrastructure services. The areas that states need to secure primarily in the cyber area are information technology, energy, financial affairs, food, health, water, transportation, public security, defense, and nuclear, biological and chemical facilities4. These areas constitute the basic critical infrastructures; ensuring cyber security effectively differs from other security measures, and the possibility that critical infrastructures may be damaged as a result of a cyber attack has to be considered. Critical infrastructure systems are systems in which deterioration of the confidentiality and integrity of the information they contain can cause loss of life, economic harm and deterioration of public order.
Today, almost all critical infrastructures contain information and communication technology to a greater or lesser degree and intersect with these technologies in different ways. Critical infrastructures such as dams and power generation and distribution plants are controlled and monitored by information technologies.
Critical infrastructures such as telecommunication are made up entirely of information and communication technologies. Critical infrastructures are constructs with a large number of complex dependencies. Information and communication technologies have initiated dependencies between some critical infrastructures and have significantly increased some existing dependencies. For example, a failure in the dams, a stoppage of electricity production or problems with electricity generation cause the functionality of the Internet infrastructure to deteriorate; interruptions on the internet will in turn affect many critical infrastructures, banking first among them. For this reason, one of the most important goals of cyber security is to ensure the safety of the vital and critical infrastructures in question on a national basis.
In addition, the types and methods of crime have developed with the developing technology of globalization and will continue to increase in parallel with it. All this shows that the provision of cyber security is not limited to the national level; it is also an important element in the protection of personal data and privacy, in ensuring the safety and reliability of networks and in fighting cyber crime. Cyber security aims to minimize cyber threats and attacks, as well as the security vulnerabilities of information and communication systems (BIS).
B. Components of Cyber Security
The studies carried out at the national and international level show that certain elements need to be completed in order to fully ensure cyber security. These are development of national policy and strategy, establishment of legal framework, development of technical measures, determination of institutional structure, provision of national cooperation and coordination, development of capacity, awareness raising, international cooperation and harmony.
While all these efforts are being made in the provision of cyber security, it is necessary to consider the protection of fundamental rights and freedoms, compliance with the requirements of a democratic society, observance of the principle of proportionality, the involvement of all stakeholders in decision-making processes, the handling of legal, technical, administrative, economic, political and social dimensions through a holistic approach, the balance between security and usability, to take into account the legislation of other countries and to ensure compatibility as much as possible and to ensure international cooperation.
1. Domestic policy and the development of the strategies
At the national level, there are plans to make provisions for establishing corporate and individual cyber safety. There are many studies in our country on cyber safety and on avoiding cyber war.
Cyber warfare is, in essence, war by digital and technological means; as in a physical fight, the concept of cyber warfare includes the notions of disabling infrastructure, intelligence gathering and propaganda distribution. The cyber warfare scenarios once described as conspiracy theories or myths are now becoming real. The cyber war has become a serious danger that should be taken seriously because the cyber-attacks made over the internet are carried to the virtual world.
Turkey’s transition to an information society started in the 1960s with the use of e-systems. As an example, the first computer, one of the 12 systems in the world, at the General Directorate of Highways (October 30, 1960) can be given. In addition, different sources show how computers and the internet came into use: that in 1963 the Directorate General for State Hydraulic Works (DSI) and Is Bank had computers; that the Istanbul Technical University and Middle East Technical University arranged the first courses; that the Ministry of Interior started the population and citizenship work and the General Directorate started the central population project in the 1970s; that the computer boom occurred in the 1980s; that in 1993 an Internet connection over a leased line was established between the Middle East Technical University and the US; and that different uses followed in 1995.
Until today, three national cyber security exercises have been done in Turkey. In 2008 TR-BOME was organized by TUBITAK and ICTA in 2001 and 2013. Participants came from the fields of finance, education, health, law and defense, as well as from the field of information technology.
Along with the process of transition to all information society in our country and in the world, a great increase in the proportion of harmful software that contains personal, commercial and political motivations against this process has occurred; the institutions and institutions of the countries have been the targets of the cyber attacks. The National Cyber Safety Strategy and the 2013- 2014 Action Plan, which were published in the Official Gazette No. 28683 dated June 20, 2013 in accordance with the decision taken by the Council of Ministers, aimed to make the necessary regulations in the field of national cyber safety. The aim of the said action plan is to ensure the security of all infrastructure, information systems operated by the public or private sector, ensuring the security of all services, processes and data provided by public institutions and organizations through the use of information technology and the systems used in their presentation, to determine the strategic cyber security actions aiming at returning the systems to normal operation as soon as possible after the events, and to establish an infrastructure for the more effective investigation of the crimes committed by judicial authorities and law enforcement.
In 2016 the National Strategy for Cyber Safety was established and entered into force for 2016-2019. This plan comprises all components of cyber safety, including small and medium-sized industry, all natural and legal persons, as well as public information systems and critical infrastructure information systems operated by the public or private sectors. The strategy was prepared with the participation of 73 public institutions and 126 experts from public institutions, together with, amongst others, users from critical infrastructures, the information sector, universities and civil persons, forming a common platform5.
2. Creation of the statutory framework
There have been a number of attempts by state institutions and individuals to take precautions against the threats of cyber space. However, in order for these initiatives to produce real solutions, legal legislation and regulations need to be created and put into practice.
In this context, countries such as the US, Austria, Denmark, France, Germany, Greece, Finland, Italy, Turkey, Sweden, Switzerland, Australia, Canada, India, Japan, Spain, Portugal, England, Malaysia and Singapore have begun to establish stringent cyber security-related sanctions and regulations that contain restrictions.
In Turkey, too, awareness of cyber security has increased. With the recent intensive exposure to cyber attacks, various studies have been carried out and the state has needed to engage in initiatives related to cyber security measures. These activities include Cyber Security Action Plans, the National Information Security Program, the National Information Security Gate, Legal Works, Cyber Security Intervention Teams and Units, Cyber Security Exercises, Conferences and Workshops, and the activities and formations carried out within TSK6.
The statutory framework plays an important role in cyber safety. Although there are no laws on matters of cyber safety as such, our country has started studies in this sector and advanced them. In this respect, the Turkish Criminal Law numbered 5237 contains provisions on personal data and on offences in the field of informatics. There are also the law numbered 5651, which concerns the regulation of publications on the internet and the combating of crimes committed through them, and the law numbered 5070, the Electronic Signature Law.
3. Improvement of technical measures
Some of the important cyber attacks and incidents which took place in Turkey are as follows: the explosion which happened after the cyber attack on the Bakü-Tiflis-Ceyhan pipeline in 2008; hazardous software affecting the computers of Atatürk Airport in 2009; the deactivation of the site of the Ministry of Telecommunications after cyber attacks in 2011; the power cut in 2015 affecting 79 provinces, apart from Van and Hakkari, which take their electricity from Iran; the loss of access to the websites of banks, notaries and the government and to mobile applications after 10 days of cyber attacks in 2015; and the cyber attack on the hospitals of the Ministry of Health in 2016, in which the information in the database was stolen and erased. These are only a few among thousands of cyber attacks and incidents, including ones which have not been noticed yet, or which have not been declared for reasons such as privacy or loss of prestige and so have not been reflected in open sources. Even by examining only these, it is easy to conclude that, through the various techniques, tactics and strategies that cyber power provides, cyber attacks can create many dangers, damage and loss to the security of the country.
The cyber attacks which took place indicate that legal measures for ensuring cyber security are necessary but not sufficient. Expecting everything from law, jurisdiction and law enforcement is not the right approach. For this reason, software, equipment and business processes should be made more secure by increasing their quality. To that end, it should be ensured that security standards such as ISO/IEC 15408 and TS ISO/IEC 27001 and technical guides are developed, applied and used. It should be taken into consideration that ensuring the security of software, equipment and business processes can create a dissuasive effect and also a preventive effect in the fight against crime7.
4. Determining the institutional structuring
In applying and supervising security measures, there are, firstly, the measures which should be provided by institutions and organizations to individuals and non-governmental organizations. In order to realise these measures and to solve the problems which can occur, the state structuring should first be ensured.
The Judgement with regard to the Conduct, Management and Coordination of the National Cyber Security Work, made by the Council of Ministers on 11/06/2012 (decision no:2012/3842), entered into force on being published in the Official Gazette no:28447 on 20/10/2012. According to this judgement, the Cyber Security Council was formed, duties and authorities in the field of cyber security were given to the Ministry of Transport, Maritime Affairs and Communications, and it was decided that working groups and temporary commissions on cyber security can be formed.
The content of the mentioned Judgement of the Council of Ministers was legislated by Annexe-1, added to the Electronic Communication Law no:5809 dated 5/11/2008 by the Code no:6518 published on 06/02/2014, and new duties regarding cyber security were given to the Institution of Information Technologies and Communication by the clauses added to the Electronic Communication Law (no:5809)8.
USOM has been established within the scope of the Ministry of Telecommunications according to the National Cyber Security Strategy mentioned above and the 4th article of the 2013-2014 Course of Action titled “The Establishment of the Center of Intervention to National Cyber Incidents (USOM) and the Formation of the Intervention Teams to Sectoral and Corporate Cyber Incidents (SOME)”9.
USOM is established in order to ensure the national and the international coordination in interventions to cyber security incidents in our country. The communication and coordination between the internet agents, law enforcers, international organisations, research centers and the private sector is realised by USOM. USOM is doing the alarm, warning and notice activities regarding the cyber security incidents and also ensuring the national and the international coordination in the subject of preventing the cyber attacks made to critical sectors10.
5. Providing national cooperation and coordination
On the national platform, every person and institution with a liability in the subject of cyber security has work to do. In this regard, it is important that people also ensure their individual cyber security, in addition to the measures taken to secure information in private institutions and organisations and in governmental agencies.
Taking into consideration that all systems and infrastructures are related to each other, it is not possible to talk about total security without separately ensuring the security of each system. Because of that, the success of efforts and works within this field can only be obtained through cooperation and coordination.
6. Development of the capacity
New technological threats should be combatted by technical as well as legal and administrative products and solutions. The protection of critical infrastructures and cyber security should be strengthened by new and practical solutions and by legislative regulations. Technical staff, lawyers and legislators should be aware of the technology in order to develop their knowledge of the changing types of cyber crimes.
7. Cyber security awareness
In order for cyber security work to succeed, awareness-raising work should be conducted throughout the country within private and public institutions and organisations. Accordingly, all institutions should accept cyber security as a part of their working process, and they should be conscious enough to protect their employees against the current risks and to protect the valuable properties of the company. While the chief actors of cyber security are malicious hackers, states are now in a serious battle with cyber military forces in this business and worldwide. In particular, the document leaking activities which took place in recent years and which created a big impact around the world, and the risks created by the world’s giants, reveal that individuals and companies are under serious risk. For this reason, collaborating with IT Security, taking responsibility for cyber security, creating a cyber-secure environment, obliging employees to act in a cyber-secure way, sharing the values of cyber security and collaborating with people and institutions which have the IT knowledge to act safely in the cyber environment are important steps in increasing cyber security awareness.
8. Providing international cooperation
With the rapid development of the world, globalization and the influence of industrialization, remote control and access systems have started to be used for the management of geographically dispersed, large-area infrastructures. In this respect, the cooperation and integration studies of countries at the international level are facilitated and accelerated by computer systems. ENTSO-E (European Synchronous Region Network), through which Turkey integrated its electrical critical infrastructure with Europe in 2010, can be given as an example. Under the roof of ENTSO-E, 41 Transmission System Operators from 34 European countries have been connected to each other by Supervisory Control and Data Acquisition (SCADA) Systems. Thus, the need to protect the information systems that control all the infrastructures of the countries has emerged11.
Cyber crime is an international problem that has no national boundaries and that will adversely affect many countries in the same global sense due to the nature of the cyber world. For this reason, as well as national measures, these crimes should also be avoided by international regulations. It is probable that any illegal cyber activities carried out abroad affect our country or that a person in our country conduct a cyber attack on a third country using the system of another country. Thus, cooperation between countries is essential in the search, detection and prevention of these attacks. For this reason, there are activities carried out by the European Union about cyber security as well as the United Nations and the International Telecommunication Union, Economic Cooperation and Development Organization and the Council of Europe, which our country is a member of.
C. Applicable law
The resolution for the implementation, administration and coordination of national cyber security work, dated 11.06.2012, was published in the Official Gazette numbered 28447 and dated 20.10.2012 and came into force on the date of publication. With this Resolution the cyber security council was constituted, and the minister of transportation, maritime affairs and communication was accepted as a competent authority with some duties in the field of cyber security. Another point given place in the Resolution is that different working groups and commissions can be established to work in the field of cyber security12.
Other statutory provisions regulated in Turkey are: the cyber security strategy and the acceptance of the course of action, published in the Official Gazette numbered 28683 on 20.06.2013; the procedures and principles regarding the cyber intervention teams, their duties and their work, published in the Official Gazette numbered 28818 on 11.11.2013; the network and information assurance regulations in the electronic communication sector, published in the Official Gazette numbered 29059 on 13.07.2014; the Bülent Ecevit University Karaelmas cyber security implementation and research center regulations, published in the Official Gazette numbered 29059 on 13.07.2014; the provision on information safety for the industrial control systems used in the energy sector, published in the Official Gazette numbered 30123 on 13.07.2017; the cyber security infrastructure protection and research center regulations at the Kadir Has University, published in the Official Gazette numbered 30209 on 13.10.2017; and the cyber security implementation and research center regulations published in the Official Gazette numbered 30295 on 8.01.2018.
With the law numbered 6518 dated 06.02.2014, the electronic communication law numbered 5809 dated 05.11.2008 gained some new articles, updating it in line with the decision of the council of ministers. Moreover, some new assignments regarding cyber security were given to the information technology and communication institution.
Furthermore, there are different international studies about cyber security. The studies which were attended by Turkey were: the crime agreement, which is opened in the Council of Europe’s virtual environment on 01.07.2014 and the Council of Europe cyber crime agreement and the cyber war from 23.11.2001 from the companion Tallinn.
III. CYBER SECURITY INSURANCE
A. Cyber Threat and its Types
Cyber attack is a type of an electronic attack which is executed by harmful users or groups for damaging the computer systems of the government, police, banks and individuals.
Examples of such cyber attacks are: attacks made with spyware used for gathering information and enquiry; attacks made to hinder or block a portal or internet service; the attacks named “phishing”, made with the aim of illegal deception; attacks made by sending harmful documents in the unsolicited e-mail named “spam”; attacks made by listening to network traffic; and attacks made by using social media, social engineering, search engines or the provision of a Free Web Service13.
Cyber threats can be divided into two groups: software-originated threats and man-made threats. Software-originated threats are zombie/ghost software, phishing software, unsolicited e-mail software and software with a malevolent/spying purpose, while man-made threats are organized crime syndicates, foreign intelligence services, hackers, employees who have access to the BIS and cyber terrorists.
Cyber attacks may be carried out for many reasons, which increase every day, such as: service hindering, critical infrastructure loss, data/information theft, fraud, data corruption, exploitation from inside, political data (information) combat, cyber terrorism, cyber crimes, malevolent hackers, vandalism, blackmail and ransom, experimentation and entertainment.
B. Cyber Security Insurance
Cyber security insurance, also named “data protection insurance”, is a new insurance sector in our country. This sector comprises protection and consultancy for the stages of “data protection”, “support in cases of crisis” and “legal proceedings”, and compensation for the loss in case the incident happens.
According to the survey made by ABI Research, it is predicted that the global market for cyber risk assurance will reach 10 billion dollars by 2020. The main factors for the growth are stated as the increase of expenditures related to violations and attacks, and risk management strategies inclining to transfer the risk to the assurance providers.
1. Cyber Risk Assurance Warranty
The risks of cyber security are increasing every year. The losses that these incidents cause to the world’s economy require people and institutions to apply for compensation methods after the loss. If the systems are affected by attacks despite all the measures taken, the assurance takes action and prevents the institutions from suffering any permanent damage.
The cyber risk insurance warrants the cost of data loss and of replacing the lost data. The loss of profit in case of work interruption and/or deceleration due to cyber attacks or malevolent software, and additional expenditures, are the subject of the cyber risks insurance policy.
It is not possible to protect all the systems despite all the measures taken. Not only the small or middle scale companies but the world’s giants may also be influenced by the attacks and they may be forced into terminating partially their operations.
So, cyber security assurance helps to provide the continuity of the institution by compensating the loss that has occurred and also helps crisis management by giving the necessary consultancy during the process.
2. Extent of the Cyber Insurance
Cyber security insurance consists of prevention, protection and regulation. Therefore, expenses of crisis management, expenses of informing, data protection loss, data and network structuring expenditures, dignity damage, work interruption, blackmail and ransom expenditures and outsourcing liability, additional payments, cyber blackmail and multimedia costs are covered by cyber insurance so that victimization resulting from attacks can be avoided.
The first steps of cyber security insurances appear to have taken place in the United States at the beginning of the 2000s. In addition to this, in recent years, the European Union and the United Kingdom have developed this issue. In relation to this issue in the UK, lawyers included cyber security insurances within the scope of occupational risk insurances because they retain important information about their clients in the cyber environment in the context of proxy relations14. In our country, however, this is still one of the areas that continue to develop.
IV. CONCLUSION
Because cyber attacks are inevitably harmful, it is very significant to ensure the security of the cyber world, in which, together with globalization, all systems of vital importance are inextricably linked. Especially since the inevitable development of technology and cyber threats evolve in the same direction, it is necessary to periodically update the technical, administrative and legal measures to be taken at national and international scope. In our country, increasing the necessary awareness of this area at the institutional and individual level, and the use of cyber insurance, will be significant steps towards ensuring protection against harmful cyber activities.
BIBLIOGRAPHY
Ercan Nurcan Yılmaz, Halil Ibrahim Ulus, Serkan Gonen, “Transition to Information Society and Cyber Security”, Journal of Information Technologies, Volume: 8, Issue: 3 September 2015
Mustafa Unver, Cafer Canbay, “Cyber Security at National and International Dimensions” (National/International Cyber Security), Electric Engineering, Issue: 438, March 2010
Onur Yılmaz, “Transformational Security Perception and Cyber Safety in the Globalization Process” (Globalization and Cyber Security), DERGIPARK December 2017
Zeynep Nur Iman, “Cyber Security and Search Engines”, http://ab.org.tr/ab16/bildiri/103.pdf, Last Access Date: 25.06.2018
https://www.btk.gov.tr/siber-guvenlik-stratejisi-ve-eylem-plani, Last Access Date: 24.06.2018
https://www.btk.gov.tr/usom-ve-kurumsal-siber-olaylara-mudahale-ekibi, Last Access Date: 24.06.2018
FOOTNOTE
1 Especially in military strategies, the increase and development of information and intelligence based technologies, which are used both for defense and attack purposes, have led to the concept of “information war”. This term, which was first used in 1991 during the Gulf War, is related to military strategists and international relations specialists because of the use of information technology and the use of war technology in the context of information technology.
2 Onur Yılmaz, “Transformational Security Perception and Cyber Safety in the Globalization Process” (Globalization and Cyber Safety), DERGIPARK, December 2017, C.II, Issue.4, p. 26
3 Zeynep Nur Iman, “Cyber Security and Search Engines”, http://ab.org.tr/ab16/bildiri/103.pdf , Last Access Date: 25.06.2018
4 Yılmaz, Globalization and Cyber Security, p. 31
5 https://www.btk.gov.tr/siber-guvenlik-stratejisi-ve-eylem-plani, Last Access Date: 24.06.2018
6 Mustafa Unver, Cafer Canbay, “Cyber Security at National and International Dimensions” (National/International Cyber Security), Electric Engineering, Issue: 438, March 2010, p. 32
7 Unver, Canbay, National/International Cyber Security, p.100
8 https://www.btk.gov.tr/siber-guvenlik-kurulu, Last Access Date: 25.06.2018
9 https://www.btk.gov.tr/usom-ve-kurumsal-siber-olaylara-mudahale-ekibi, Last Access Date: 24.06.2018
10 https://www.btk.gov.tr/usom-ve-kurumsal-siber-olaylara-mudahale-ekibi, Last Access Date: 24.06.2018
11 Ercan Nurcan Yilmaz, Halil Ibrahim Ulus, Serkan Gonen, “Transition to Information Society and Cyber Security”, Journal of Information Technologies, Volume: 8, Issue: 3 September 2015, p. 141
12 https://www.btk.gov.tr/siber-guvenlik-kurulu, Last Access Date: 25.06.2018
13 Yılmaz, Globalization and Cyber Security, p. 29
14 https://www.americanbar.org/publications/gp_solo/2016/may-june/cyber_insurance_law_firms.html, Last Access Date: 24.06.2018







