Chevening Fellowship in Cybersecurity Prashant Mali

Research Paper: (Project)

“Critical Analysis of National Cyber Security Policies of UK, India, USA & Germany” .

Author
Prashant Mali
M.Sc.(Computer Science), LLM, Ph.D.(Persu.) , 2016

Page: 1
Chevening Fellowship in Cybersecurity Prashant Mali

Abstract:

Today cyber space is easily accessible and has presence beyond geo-political
boundaries; also rapidly becoming a global battlefield for various states and non-states
entities. With the advent of the Internet of Things (IoT), every compromised device has
potential to become soldier or adversary. It has become a necessity for each state to
have its own separate individual cyber security policy. In 2003 the United States of
America (USA) was first to understand the significance of cyber security policy and was
the first country in the world to have a cyber-security policy. Cyberspace communication
exposes countries to various challenges. This can be tackled by states by drafting and
implementing effective cyber security policies. This project critically analysis the recent
National Cyber Security Policies (NCSP’s) of UK, India, USA and Germany. The
documents will be analysed in the light of derived framework. This project intends to do
the comparative analysis for academic purposes only and can act as a stepping stone
for bridging gaps in cyber security policies.

Keywords:
National Cyber Security Policy, India, United Kingdom, USA, Germany.

Page: 2
Chevening Fellowship in Cybersecurity Prashant Mali

Introduction
In 1999 about cyber security was described as “a Gordian knot around which many
stakeholders circle, pulling on the strands that seem most promising and causing the
entire thing to tighten even more snugly rather than loosen to reveal its internal
structure” (Porteous,1999, p.83). This holds true even today. The answer to the question
‘What is National Cyber Security Policy?’ is complex and Whitehouse (2009, p.5)
describes it thus: “Cyber security policy includes strategy, policy, and standards
regarding the security of and operations in cyberspace, and encompasses the full range
of threat reduction, vulnerability reduction, deterrence, international engagement,
incident response, resiliency, and recovery policies and activities, including computer
network operations, information assurance, law enforcement, diplomacy, military, and
intelligence missions as they relate to the security and stability of the global information
and communications infrastructure” ..

Cyber space offers incentives for countries and their citizens - namely increased know-
how and pellucidity in government, enrichment of civil society, and it has become a
major charioteer of intellectual and economic growth (Hirshfield et al, 2015). However
along with these returns have come new threats, including cybercrime such as
espionage, data theft and fraud, non-state actors and attackers who intimidate critical
infrastructure, and conduct industrial and defence-related espionage with Intellectual
Property Rights (IPR) theft (Cardenas, 2009).

Recent cyber attacks like Ukraine power grid attack (E‐ISAC, 2016) and Bangladesh
Bank heist (PetersNews, 2016) have unsettled the critical operations of major energy
and banking organisations. Such incidents, and so many unreported others, have made
cyber security a primacy for governments around the world, and have steered many
countries to begin developing National Cyber Security Policies (NCSPs).  A national
cyber security strategy shapes a vision and formulates priorities, principles, and methods
to understanding and managing risks of the states (CARR, 2016,47). one can see policy
as the political/social vision or aspiration, strategy as what to do to get there and
planning more distinctly about how to do that, but both have overlapping features.
Priorities for NCSPs will vary by country or continents. In some countries, the effort
might be on protecting critical infrastructure, while others might focus on protecting
intellectual property, or to build capabilities in their population. The objective of this

Page: 3
Chevening Fellowship in Cybersecurity Prashant Mali

research project was to perform a Critical Analysis of NCSPs of the UK, India, USA and
Germany.

Methodology
The research objective was achieved by performing a broad examination and review of
research in the area along with NCSPs and drafts. For this purpose a credible
framework for evaluation of NCSPs needed to be developed. This was achieved by
analyzing four existing frameworks to look for commonalities and produce a harmonised
and thorough product for use. Selection of the frameworks for inclusion in this research
was based on zones where notable cyber security activism has been seen (Lemieux,
2015). Mutual compatibility and significance to the countries chosen were also
considered.

The analysis of policies helped to identify common issues, objectives and goals and the
results enabled an understanding of what these documents should or ought not be
considered when developing an NCSP.

Method
This research considered the following:
National Cyber Security Framework Manual by NATO Cooperative Cyber Defense
Center of Excellence (Klimburg, 2012). This framework was chosen because the US,
UK & Germany are NATO members. The US Parliament recently approved passage of
the Law called National Defense Authorisation Act which seeks to bring India on a par
with NATO allies for sale of defense equipment and technology transfer (National
Defense Authorization Act, 2016). This brings India closer to NATO members and may
in future strive for various compliances, which NATO allies require to confirm with.

According to Luiijif and Healey (2012), there are five directives of NATO’s framework for
NCSPs:
1. Military cyber operations.
2. Counter cybercrime.
3. Intelligence/Counter intelligence.
4. Cyber security crisis management and critical infrastructure protection.
5. Internet governance and cyber diplomacy.

Page: 4
Chevening Fellowship in Cybersecurity Prashant Mali

Haller et al (2010) argued that capacity building and cyber awareness for national cyber
security also should form the part of cyber security policies. This report discusses &
analyses on these six directives.

Analysis & Discussion.

Military cyber operations:

In UK, the Defence Cyber Protection Partnership (DCPP) was formed to improve cyber
security within the defence supply chain, and continues to focus on best practice,
awareness, and proportionate standards. The Cyber Security Model for Defence was to
be officially implemented in 2015 (Cabinet Office, 2014), but is delayed and currently is
due to be implemented in Quarter Two of 2016 (Ministry of Defence (MOD), 2016). An
Army unit, called the 77th Brigade, has being set up for cyber warfare (MOD, 2016).
A Joint Cyber Reserve (JCR) for the UK military also has inducted individuals with no
previous military service (MOD, 2013). JCR was stated to be fully operational before
September 2016, it is now expected to be in place by April 2017 (UK Parliament, 2014).

Although there is no mention about the institutional framework of cyber security policies
in US strategy documents, it is worth noting the formation of US Cyber Command
(USCYBERCOM) in 2010, The law i.e. National Defense Authorization Act (NDAA) that
cleared the House on 18th May 2016, which elevates the U.S. Military’s cyber unit to a
individual war fighting entity (National Defense Authorization Act, 2016). Likewise UK,
USCYBERCOM Commander Admiral Michael S. Rogers had said that overall, Cyber
Mission Forces will be about 80% military and 20% civilian (Unknown, 2014). Its Law of
War Manual advocates use of force against an cyber attack (DOD, 2015).

As per Germany’s perception, cyber-attack is an attack on the IT system of the country

which embrace availability, confidentiality, and integrity of the information systems.
Germany though does not mention about military capabilities in the policies, it plans to
establish a dedicated cyber and information command along with a cyber operations
centre and a Bundeswehr cyber-security centre having 13,800 personnel (Defence Alert,
2016).

Page: 5
Chevening Fellowship in Cybersecurity Prashant Mali

India is yet to form its cyber command but a Cabinet Note is moved in this regards a
General of Integrated Defence Staff (IDS) is leading formation of the Command (Pandit,
2015). As of now, designated agencies - the Defence Intelligence Agency (DIA) and
National Technical Research Organization (NTRO) - carry out need-based offensive
cyber operations (Sridhar, 2012). India’s NCSP mentions one of its components of
mission as respond to cyber threats but fails to talk about securing cyber boundaries by
the means of active cyber defence as found in documents of UK, US & Germany. USA
and Germany talk about cyber warfare whereas India with cyber warfare also have
considered the risks of Cloud Computing, in their documents.

Counter cybercrime:

Fighting cyber crimes alone like one man army against the criminals is not going to help
any of the countries worldwide. Guaranteeing total cyber security in the national
cyberspace, along with the existence of insecure global cyber space, is a fake promise.
It is similar to the promises of politicians to build bridges where there is no river. Hence
the reason why countries like USA, UK, and Germany make sure that action plans for
the improvement of global cooperation for International Collaboration are loudly and
explicitly mentioned and highlighted to combat cyber crimes and terror. The US tried to
bring in legislation for cyber security, which was not cleared, which was then followed by
half-hearted executive order to strengthen cyber security.

The US, like the UK, places importance and focus on international cooperation in cyber
crime. The Washington administration has taken up immense efforts to create
international framework to alienate it with the cyber security policies and procedures
globally for prevention of cyber crime. Not stopping on this it has also worked on its legal
system to adjust with the rapidly changing and frequently evolving identical specialties
and specifications of cyber crime.

The total damage of cyber crime to the American economy amounts to $15m per annum
(Ponemon, 2015). This figure is despite immense efforts to create an international
framework for the prevention of cyber crime. Additionally, the White House (2011)
announced its determination to wage an international war against cyber crime in its
Cyber Security Strategy.

When it comes to Germany they lost $7.5m yet the scenario is altogether different than

Page: 6
Chevening Fellowship in Cybersecurity Prashant Mali

as seen in the US, UK and India. The struggle against cyber crime is one of the ten
objectives listed at the end of the National Cyber Security Strategy document. It is not
the topic of prime importance to either nation.

Mean annualized cost of cyber crime to large organisations in the UK was £4.1 million
per year (Ponemon Institute, 2015). In order to secure the cyber business environment,
the British government has allocated £860m for the National Cyber Security Programme
which ran from April 2011 to March 2016 (Comptroller and Auditor General, 2014). I
agree with (Cornish et al, 2011,p10) say’s “Greater organizational and public awareness
is essential to inform and shape an effective national cyber security culture”.

Germany aims to hire more skillful and expert workforce at the law enforcement
departments and create a favourable platform such that the national information security
office can go hand in hand with the private sector representatives to fetch fruitful results
for the country in combating cyber crime threat; by this it shows its intention of wider
national perspective. Also Germany is simultaneously working on setting goals against
cyber espionage. Perhaps even after seeing these efforts and initiatives it can be very
well said that the German federation is not working on cyber crime threat as if it being
the focal point of the German cyber strategy.

India lost $11.5m until March 2015 in Internet banking and credit card frauds alone,
while the Indian Computer Emergency Readiness Team (CERT-In), reported 49,455
cyber security incidents in 2015 (India Parliament, 2016). Indian cyber security policy
mentions effective law and enforcement mechanisms for cyber crime through
legislations, but to-date less has been delivered on cyber crime prevention fronts. Cyber
crime awareness remains the best vehicle for its prevention (Ciardhuáin, 2004).

Cyber security crisis management and critical infrastructure protection

The topic of ensuring safety for critical infrastructure (CI) is actually a matter of national
security with or without cyber. However, the networks operating in running critical
infrastructures are not immune from growing dependencies of Internet technologies.
Therefore, one may advocate cyber security has been combined with the national
security mostly with the critical infrastructure. Although the question of what are critical
infrastructures varies for every State, the general definition suggested to be the
providers of essential services of a country within a national security framework.

Page: 7
Chevening Fellowship in Cybersecurity Prashant Mali

User error remains number one as the greatest cause of successful attacks on critical
infrastructure (Institute, 2015). This report argues that, barring India, much of critical
infrastructure in UK, USA and Germany is in the hands of private sectors. Private sector
companies are good in technology is felt by Government, but are they ahead of
adversaries is the question. Ukraine attack proves it otherwise in many senses.

The aim to boost Public Private Partnership (PPP) and to encourage both sides of
flawless collaboration the UK underwent a drastic change in its policy frameworks hence
the second important objective of cyber security strategy of the UK is the protection of
CIs. The first and foremost reason behind this is the struggle that it is facing against
cyber crime. In total, UK government gave out £10.2bn in 2013 to its 20 biggest private
suppliers and the civil services had the lowest staff since WWII (Whitehall, 2013). This
project argues that when you have mom and pop companies in UK, which can be
deduced by the statistics that, 5.1 million (95%) businesses in UK were micro
businesses employing 0-9 people out of 5.4 million total businesses in 2015 (Rhodes,
2015)

The Berlin government has cyber security as the utmost important national issues under
which it has its own detailed cyber security strategy, which is formed and documented
specifically for the protection of CIs. Also the German strategy with respect to the cyber
security gives noticeably brighter and louder weight age to protection of CIs. When
compared with respect to the other cyber space domains in the cyber space the German
strategy is outstanding and has another detailed cyber security strategy, which is
readied specifically for CI protection.

There is a ten step German action plan, out of which three steps are for the protection of
CIs. It also points out PPP as the obligation to fulfill these goals (Bundesministerium des
Innern, 2011). German National Cyber Security Council was established to coordinate
between law enforcement units, Constitutional Court, intelligence agencies, Federal
News Agency and some ministries. This was a step taken by the German federal to
create an effective and efficient crisis management in case of national cyber incidents so
that the ambiguity with respect to the final authority to call for the action plan in case of a
cyber attack and such other related problems is solved.

India has established National Critical Information Infrastructure Protection Centre

Page: 8
Chevening Fellowship in Cybersecurity Prashant Mali

(NCIIPC), which has a mandate related to security practices for enhancing protection
and resilience. India has not defined explicitly critical infrastructure sectors in its policy
documents. Indian policy emphasis on usage of certified IT products, this could be due
to National security threat perceived from Huawei and ZTE (Inkster, 2013).

Intelligence and counter‐intelligence :

Intelligence gathering in cyberspace does not require intruding on foreign territorial

sovereignty by sending agents across borders; agents typically stay in their own
countries. Given that sending agents abroad does not violate international law,
intelligence gathering in cyberspace rarely raises any international law concerns.
International law does not prohibit countries from spying abroad or punishing spies at
home.

The division between cyber‐crime / cyber‐theft and cyber espionage has not been
clearly drawn yet. The controversy has also maintained in distinguishing military cyber
activities, cyber crime and cyber espionage. What would happen, if a group of hackers
with certain assistance of state A conducted cyber theft operation against networks of
state B specifically aiming to acquire confidential information about state A's military
secrets.

The US cyber strategy has not specifically mentioned cyber espionage. However,
property rights, industrial espionage and whether protection of confidential data belongs
to business and the state are the issues found in strategy documents (Roy, 2012).
Furthermore, the cyber strategy of Department of Defense associates counter‐
espionage activities with the efforts of finding the identities of attackers, hackers. The
difficulties of attribution in a cyber attack are assigned to specific cyber intelligence units
(DOD, 2011).

British MoD, along with the Security and Intelligence Agencies and Government
Communications Headquarters (GCHQ), have a central role in exposing cyber threats
and mitigating their risk. In a review of cyber strategy exhibits the budget allocated to the
agencies. The same report suggests £157 million is planned to spend on detection of
threats(Comptroller, General, and Great Britain: National Audit Office, 2013). In German
cyber security strategy, cyber espionage has a similar weight with the other strategies. A
special part is given to this issue in the document (Bundesministerium des Innern, 2011).

Page: 9
Chevening Fellowship in Cybersecurity Prashant Mali

India has produced military strategist like Chankya and it shows intelligence and counter
intelligence has remain an important point in India geo political strategy since ancient
times. India mentions about global cooperation among security agencies and has started
dialogues for effective exchange of the same.

Cyber diplomacy and Internet governance:

Cyber Diplomacy also known as Public Diplomacy 2.0, is mainly about adopting
technological innovations in communication and information technology to diplomacy
(Lee and Sharp, 2007). It generally involves with public relations and has brought about
a new dimension to traditional diplomacy by integrating new equipment’s, which enable
states to interact not only with their counterparts but also with the ordinary people in
different countries. Probably due to cyber diplomacy's weak and loose connection with
security issues, many policy documents do not contain special part for cyber diplomacy.

States tend to recognize cyber diplomacy as a framework in which state‐to‐state

communication and international cooperation on cyber issues are shaped. Germany
underscores international cooperation and pledges to provide active assistance to
organizations like the UN, NATO AND G‐8.

In the global Internet society, a set of mechanisms dealing with Internet governance
consists of civilian bodies including representatives from industry. The state's
intervention to this structure is severely limited. The Internet Architecture Board (IAB)
and Internet Engineering Task Force (IETF) are two of the most influential institutions in
terms of Internet governance.

The International Cyber Policy Unit is the UK's internet governance instrument which
was formed under Foreign Secretary (Klimburg and Healey 2012). British cyber strategy
chiefly focuses on international cooperation to create a framework for international cyber
law as well as on developing bilateral relations with powerful actor in cyber.

The wording of the US cyber strategy "International Strategy for Cyber Space" itself
indicates that Washington views cyber space as a domain which should be tackled
internationally. Thus, cyber diplomacy is attached great importance for American cyber
policy. As a clear demonstration of strategic change, the strategy document published in
2003 called "National Strategy to Secure Cyber Space." The US has assigned a decisive

Page: 10
Chevening Fellowship in Cybersecurity Prashant Mali

role in boosting cooperative ties among nations. It also highlights the preservation of
freedom of speech, legal sanctions regarding Internet governance in a liberal manner
(Roy, 2012).

A closer look at Germany’s policy on cyber diplomacy reveal that their policy proposes
effective coordination, to ensure cyber security worldwide. German policy makers
understand cyber space as a ‘space of freedom, security and justice’. Germany has also
listed down three Priorities for Cyber Diplomacy under the German OSCE Chairmanship
2016 i.e. Security, Economic Cooperation and Human Rights (Unknown, 2015). Initially,
German politicians and companies, including Deutsche Telekom, were advocating for
“email made in Germany” and even a “German Internet,” which would be required by
German federal law to route domestic web traffic through servers located within
Germany (Abboud and Maushagen, 2013,4). This though is technologically impractical
and incompatible with EU Common Market law.

India has mentioned in clear words about forging bilateral and multi-lateral relationships
along with cooperation on cyber security with other countries in its policy. Bilateral
dialogues under taken by current government on cyber security issues with the UK, US
& Germany is the compliance. This is coupled with launch of Digital India initiative,
where multi-lateral relationships are executed for its implementation. “Cyber diplomacy
is a growing area. It requires an intricate knowledge of technology, law, politics etc. The
Indian government is focusing on this” (Gupta, 2015).

Capacity building and Cyber Awareness:

Cyberspace is an intrinsic part of the development of any country. A strong cyber

capacity is crucial for states to progress and develop in economic, political and social
spheres (Pawlak, 2014). Generally maximum documents on cyber security strategies
and policies of countries foreground and highlight the exigency to elevate cyber
awareness in heterogeneous categories principally businessmen, cyber users, IT
professionals, students, government officials and lawmakers. While parents and children
are seen as most vulnerable in the cyber world and hence paid exceptional attention for
cyber security training in the UK. “to build the UK‟s cyber security knowledge, skills and
capability” (Cabinet Office and National security and intelligence, 2011, 8) remains the
fourth objective of UK’s Cyber Security Strategy .

Page: 11
Chevening Fellowship in Cybersecurity Prashant Mali

In the documents for the launch of extensive awareness campaigns, countries like the
UK and India, have recognised the usage of social media. UK’s “Get Safe Online” and
Cyber Streetwise programs, the “Cyber Security Month” organized annually by US, and
UK fall among the notable ones. Taking cyber security a step ahead, in their policy
documents and strategies countries particularly UK and India include specific
commercial security certifications/ trainings for experts in order to accentuate the need of
the hour. Conceivably in the US, at the federal level, there is no official announcement or
recognition of entities to promote R&D work. UK has also setup a Global Cyber Security
Capability Centre in Oxford Martin school.

As cyber security as a challenge has dawned on all countries, no country faces the
same cyber capacity challenge, and no one size fits all, but one size fits most (European
Union Institute for Security Studies, 2014), when challenges are known. Policies of all
the countries examined in this project definitely show a rigor, India has even
documented as an objective in its NCSP, to create half a million of professionals skilled
in cyber security by 2015. Nasscom’s President in India had quoted “India need’s at
least one million skilled people by 2020" (Shankar, 2015, 1). It may me safely argued
that India’s NCSP is not in sync with ground realities of industry requirements and needs
an update.

Cyber Capacity building is about more than just securing and utilising cyberspace:
successful implementation can help to provide broader stability and socio-economic
growth (Muller, 2015).

Findings :

When it comes to the development, implementation, upgrading and enforcement of the

policy action plans, the strategies of the UK, USA and Germany are better than India in
terms of implementation. Even after having defensive approach towards the security
strategy they have very well managed to utilize their capabilities and expertise to
achieve protection of valuable assets in an offensive manner and hence they have
successfully conquered in better protection of their resources from the volatile, uncertain,
complex, ambiguous, vulnerable cyber threats in this all new cyber world in comparison
to other countries

Page: 12
Chevening Fellowship in Cybersecurity Prashant Mali

The major globally-accepted cyber security strategies come from countries such as the
UK, USA and Germany, that particularly acknowledge the two folded dual strands of
cyber security - offensive cyber security strategy plans and defensive cyber security
strategy plans.
.
“Depending on the perspective taken, cyber security may be perceived either as the
responsibility of the private/corporate sector, or as the responsibility of specific
governmental agencies, ranging from law enforcement to the defence establishment, or
a mixture of the above” (Dunn, 2005, 14). When it comes to regulation in cyber space,
Min (2015) proposed that state control is changing from voluntary self-regulation to
enforced self-regulation in general.

The trends evidenced by the National Cyber Security Policies of USA, UK & India in their
Cyberspace traces the use of all virtual and physical ICT devices. Whereas as per the
Germany’s NCS policies, Cyberspace refers to “Internet” and Internet connected ICT
devices which means to include the Internet of Things (IoT).

Conclusions
Implementation of policy, awareness of cyber security amongst citizens and updating
cyber security policies itself is the challenge yet to be achieved. This report proposes
that National Cyber Security Policies should aim at making & developing cyber security
culture in the country. Once the citizens inculcate security as their habit, every country
then will build resilience about cyber security. This report also proposes to have a
common heading of international co-operation for data exchange in all the National
cyber security policies. This can serve then as commonly agreeable terms of
International Cyber Security policy, treaty or convention.

Recommendations and Limitations :

Recommendations
The results of this research showed that there are two key phases in the development of
a NCSP:
1. Developing and executing the strategy
2. Evaluating and adjusting the strategy.

Page: 13
Chevening Fellowship in Cybersecurity Prashant Mali

A lifecycle approach needs to be adopted, i.e. the output of the evaluation phase will be
used to maintain and adjust the policy itself, the NCSP should be able to quickly respond
to emerging cyber security issues and emerging threats. The NCSP objectives need also
to be prioritized, this is of paramount importance for the successful implementation and
for constant improvement. Policy should have a review and next update date as its last
section and should be strictly adhered to.

Limitations
Due to paucity of time laws and standards could not be analysed. This research also did
not go in intrinsic details of implementation success of NCSPs, which could be area for
further research.

References :

Lemieux, F. (ed.) (2015) Current and emerging trends in strategic Cyber operations:

Policy, strategy and practice. United Kingdom: Palgrave Macmillan.

Cardenas et. al. (2009) Challenges for Securing Cyber Physical Systems. Available at:
http://cimic.rutgers.edu/positionPapers/cps-security-challenges-Cardenas.pdf
(Accessed: 11 May 2016).

Hirshfield et. al. (2015) ‘The role of human operators’ suspicion in the detection of Cyber
attacks’ International Journal of Cyber Warfare and Terrorism (IJCWT), 5(3), pp. 28–44.
doi: 1947-343510.4018/IJCWT.2015070103.

CARR, M., 2016. Public–private partnerships in national cyber‐security

strategies. International Affairs, 92(1), pp.43-62.

Klimburg (2012) ‘National Cyber Security Framework Manual’ Available at:

https://ccdcoe.org/publications/books/NationalCyberSecurityFrameworkManual.pdf
Accessed: 01 May 2016.

Min et. al. (2015) ‘An International Comparative Study on Cyber Security Strategy’
Available at: http://www.sersc.org/journals/IJSIA/vol9_no2_2015/2.pdf (Accessed: 11
May 2016).

Page: 14
Chevening Fellowship in Cybersecurity Prashant Mali

Dunn (2005) ‘The socio-political dimensions of critical information infrastructure

protection (CIIP)’ International Journal of Critical Infrastructures 1(2/3) p. 258. doi:
10.1504/ijcis.2005.006122.

Porteous, H., 1999. Some thoughts on critical information infrastructure

protection. Canadian IO Bulletin, 2(4).

Whitehouse (2009) Cyber Space Policy Review. Available at:

https://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Accessed: 27 April 2016.

Lee, D. and Sharp, P.M. (2007) The new public diplomacy: Soft power in international
relations (studies in diplomacy). Edited by Jan Melissen. Basingstoke: Palgrave
Macmillan.

Klimburg, A. and Healey, J. (2012) ‘Strategic Goals & Stakeholders"’ in Alexander

Klimburg (Ed.), National Cyber Security Framework Manual, NATO CCD COE
Publication, Talinn.

Comptroller and Auditor General (2014) Report by the Comptroller and Auditor General.
Available at: https://www.nao.org.uk/wp-content/uploads/2015/09/Update-on-the-
National-Cyber-Security-Programme.pdf (Accessed: 13 May 2016).

Roy, E.S. (ed.) (2012) Global Cyberspace: U.S. Outlook for a Networked world. United
States: Nova Science Publishers.

Ponemon (2015) 2015 Cost of Cyber Crime Study: United Kingdom. Available at:
http://cybersecuritysummit.co.uk/wp-content/uploads/2015/06/2015-UK-CCC-FINAL-
3.pdf (Accessed: 12 May 2016).

Ponemon (2015) 2015 cost of Cyber crime study: United States. Available at:
http://www.ponemon.org/blog/2015-cost-of-cyber-crime-united-states (Accessed: 15 May
2016).

Page: 15
Chevening Fellowship in Cybersecurity Prashant Mali

E‐ISAC (2016) Analysis of the Cyber Attack on the Ukrainian Power Grid. Available at:
http://www.nerc.com/pa/CI/ESISAC/Documents/E-
ISAC_SANS_Ukraine_DUC_18Mar2016.pdf (Accessed: 15 May 2016).

PetersNews, S. (2016) Malware at root of Bangladesh bank heist lies to SWIFT financial

platform. Available at: http://www.darkreading.com/attacks-breaches/malware-at-root-of-
bangladesh-bank-heist-lies-to-swift-financial-platform/d/d-id/1325254 (Accessed: 21 May
2016).

Haller, J., Merrell, S.A., Butkovic, M.J. and Willke, B.J., 2010. Best Practices for National
Cyber Security: Building a National Computer Security Incident Management
Capability (No. CMU/SEI-2010-SR-009). CARNEGIE-MELLON UNIV PITTSBURGH PA
SOFTWARE ENGINEERING INST.

Cabinet Office (2014) The UK Cyber Security Strategy Report on progress and forward
plans. Available at:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/386093/T
he_UK_Cyber_Security_Strategy_Report_on_Progress_and_Forward_Plans_-
_De___.pdf (Accessed: 12 May 2016).

MOD (2016) Overview: DCPP and cyber security controls. Available at:

https://www.gov.uk/government/publications/defence-cyber-protection-partnership-
cyber-risk-profiles/overview-dcpp-and-cyber-security-controls (Accessed: 13 May 2016).

MOD (2016) The British army - 77th brigade. Available at:

http://www.army.mod.uk/structure/39492.aspx (Accessed: 12 May 2016).

MOD (2013) Working for JFC - joint forces command. Available at:

https://www.gov.uk/government/organisations/joint-forces-command/about/recruitment
(Accessed: 12 May 2016).

Page: 16
Chevening Fellowship in Cybersecurity Prashant Mali

UK Parliament (2014) Joint Cyber reserve: Written question - 225462. Available at:

http://www.parliament.uk/business/publications/written-questions-answers-
statements/written-question/Commons/2015-02-25/225462/ (Accessed: 20 May 2016).

National Defense Authorization Act (2016) Available at:

https://www.congress.gov/bill/114th-congress/house-bill/1735/text (Accessed: 20 May
2016).

Unknown (2014) Advance Questions for Vice Admiral Michael S. Rogers. Available at:
http://www.armed-services.senate.gov/imo/media/doc/Rogers_03-11-14.pdf (Accessed:
19 May 2016).

DOD (2015) LAW OF WAR MANUAL. Available at:

http://www.defense.gov/Portals/1/Documents/pubs/Law-of-War-Manual-June-2015.pdf
(Accessed: 19 May 2016).

Sridhar (2012) DIA and NTRO to head offensive cyber warfare wing of India. Available
at: http://defenceforumindia.com/forum/threads/dia-and-ntro-to-head-offensive-cyber-
warfare-wing-of-india.38589/ (Accessed: 21 May 2016).

Pandit, R. (2015) Govt gets cracking on three new tri-service commands. Available at:
http://timesofindia.indiatimes.com/india/Govt-gets-cracking-on-three-new-tri-Service-
commands/articleshow/48550424.cms (Accessed: 21 May 2016).

Cabinet Office and National security and intelligence (2011) Cyber security strategy.
Available at: https://www.gov.uk/government/publications/cyber-security-strategy
(Accessed: 22 May 2016).

India Paliament (2016) Answer by Minister of IT in Parliament. Available at:

http://164.100.47.5/EDAILYQUESTIONS/sessionno/239/27.04.2016%20SE.pdf
(Accessed: 21 May 2016).

Ciardhuáin, S.Ó., 2004. An extended model of cybercrime investigations.International

Journal of Digital Evidence, 3(1), pp.1-22.

Page: 17
Chevening Fellowship in Cybersecurity Prashant Mali

Inkster, N., 2013. Conflict Foretold: America and China. Survival, 55(5), pp.7-28.

Cornish et al (2011) Cyber Security and the UK’s Critical National Infrastructure A

Chatham House Report. Available at:
https://www.chathamhouse.org/sites/files/chathamhouse/public/Research/International
%20Security/r0911cyber.pdf (Accessed: 22 May 2016).

Whitehall (2013) Whitehall monitor 2014. Available at:

http://www.instituteforgovernment.org.uk/publication/whitehall-monitor-2014 (Accessed:
18 May 2016).

Institute, T.A. (2015) Aspen institute – Intel security Critical Infrastructure Readiness

report. Available at: http://aspensecurityforum.org/aspen-institute-intel-security-cyber-
report/ (Accessed: 20 May 2016).

Pawlak, P. (ed.) (2014) Riding the digital wave: The impact of cyber capacity building on
human development, ISSUE, report nr 21

Muller (2015) Cyber Security Capacity Building in Developing Countries. Available at:

https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/NUPI_Policy_Brief-15-15-
Muller.pdf (Accessed: 19 May 2016).

European Union Institute for Security Studies (2014) Cyber Capacity Building in Ten
Points. Available at: http://www.iss.europa.eu/uploads/media/EUISS_Conference-
Capacity_building_in_ten_points-0414.pdf (Accessed: 15 May 2016).

Unknown (2015) Three priorities for Cyber diplomacy under the German OSCE
chairmanship 2016 - SWP. Available at: http://www.swp-
berlin.org/en/nc/publications/point-of-view/three-priorities-for-cyber-diplomacy-under-the-
german-osce-chairmanship-2016/print/1.html (Accessed: 20 May 2016).

Gupta, A. (2015) International cyber conference Cyber 360 degrees 

Page: 18
Chevening Fellowship in Cybersecurity Prashant Mali

Abboud, L. and Maushagen, P. (2013) Germany wants a German Internet as spying

scandal rankles. Available at: http://www.reuters.com/article/us-usa-spying-germany-
idUSBRE99O09S20131025 (Accessed: 19 May 2016).

Shankar, S. (2015) Cyber security: 1 million cyber security professionals needed by

2020. Available at: http://articles.economictimes.indiatimes.com/2015-08-
25/news/65847438_1_cyber-security-ethical-hacking-information-security (Accessed: 20
May 2016).

Rhodes, C. (2015) Business Statistics. Available at: http://www.parliament.uk/briefing-

papers/sn06152.pdf (Accessed: 20 May 2016).

Page: 19