Dubai International Academy Model United Nations 2020| 12th Annual Session

Research Report | Page 1 of 23

Forum: United Nations Commission on Science and Technology for Development

Issue: Implementing measures to ensure the encryption and safety of personal data and rebuild consumer confidence in the face of technological advancements and scandals

Student Officer: Sahil Singhvi

Position: President Chair

Introduction

In the 21st century, technology has influenced individuals. Gradually, it has become a

quintessential aspect of a person’s day-to-day life. In our modern society, people cannot subsist

without various technologies such as mobile phones and laptops. According to the International

Telecommunication Union, at the end of 2018, a staggering 51.2% of the world’s population had

access to the Internet. From 2005, the world has made immense progress with an increase of

35.2% in Internet users.

Technological advancements have created immeasurable benefits, including enhanced

communication between foreign companies and increased availability of resources for research.

As a result of the increased availability of data on the Internet, firms can successfully carry out

research and development for the creation of innovative products. However, these technological

advancements have created issues such as the struggle of ensuring the encryption of personal

data and increased job redundancy due to artificial intelligence systems. These limitations are

ever-present in the 21st century as cybersecurity experts and unethical hackers are able to

penetrate network systems with ease. The concept of privacy, the right of an individual to be left

alone and seclude personal information to themselves, has been plagued with the evolution of

technology. Furthermore, the principle of digital privacy, where an individual has the capability of

controlling when there is data collected and how third-party corporations utilize it, is nearly

unattainable in a data-centric world. Our data-centric world involves fierce competition between

firms across the globe. Hence, firms are unwilling to disclose the processing of data as they obtain

market research that is used to devise creative marketing strategies for their latest innovations. As

a result, the firms do not reveal the strategies that assist them in outperforming their competitors

to the public eye. Furthermore, some firms utilize the data unethically in instances such as the

2016 U.S. Elections and the Brexit campaign carried out by Cambridge Analytica. Consequently,

these firms reduce their transparency to the public in order to disguise these illegal acts.

As the world continues to rely on technology, according to IoT Analytics, the number of

interconnected devices that allow for the collection and exchange of data is projected to soar from

an estimated 19.4 billion in 2019 to 27.9 billion in 2023. These statistics indicate that the data-

driven world will continue to expand with the increased dependency of modern society on digital

technologies and the Internet.

With these statistics considered, as the data-centric world continues to thrive: what

happens to our personal data, digital privacy, and identity on the Internet? Governments around

the world have made advances by shedding light on the high-profile data scandals and breaches

in order to explore a variety of solutions. Digital privacy is continuously debated upon in the face

of the data breaches and scandals with regards to companies such as Cambridge Analytica,

Facebook, Google, Panera Bread, and Marriott International. The reputation of these various

companies is tainted as a result of utilizing big data to increase the efficiency of their respective

business operations without a thought to digital privacy. Consumer anxiety is at an all-time high

due to the countless number of data scandals that have taken place in the last decade.

Consumers are worried about the potential damage that can be caused by unethical hackers who

possess their personal data. What if these black-hat hackers steal credit card details? What if they

impersonate consumers with malicious intent? Furthermore, social media platforms and various

online platforms gather consumer data, and sometimes share it with other companies for various

reasons. Consumers are unaware of the motives behind the sharing of this personal data. A recent

event is the Cambridge Analytica scandal, where Cambridge Analytica illicitly gathered personal

data from Facebook applications. After this, Cambridge Analytica utilized this data to assist political

campaigns such as the ‘Leave.EU campaign’ and ‘Donald Trump 2016 presidential campaign’.

This highlights a cause of concern as consumers are unaware of the aims that companies have

for personal data. These motives are usually unethical as a plethora of companies utilize personal

data in order to manipulate individuals as seen in the ‘Leave.EU campaign’. Consumers have no

control over these possibilities and thus are left fearful. In order to combat these data scandals,

new data protection laws have been established within Europe and California that aim to target the

data privacy policies of multinational technology companies to enhance the digital privacy of

consumers. Consumer confidence after these data scandals is at rock bottom; therefore, it is

imperative that effective laws and measures are implemented to ensure the encryption and safety

of personal data while rebuilding consumer confidence.

Definition of Key Terms

Artificial Intelligence (AI)

AI is the replication of human intelligence processes by computer systems.

Big Data

Big data is large volumes of data that have the capability to be harnessed for machine

learning projects and other analytical projects.

Black-hat hacker

A black-hat hacker is a cybercriminal who strives to discover computer security

susceptibilities and exploit them for personal gain or malicious reasons.

Brute-force attack

A brute-force attack is a penetration technique that utilizes trial and error to decode

encrypted data such as passwords, commonly used by cybercriminals. This technique usually

takes a long period of time, as it aims to try all the possibilities until it succeeds.

Cyberattack

A cyberattack takes place when a hacker attempts to alter, steal, damage, or destroy

computer systems, computer networks, or data.

Database

A database is an arranged set of data that is stored in a computer system, accessible in a

plethora of ways.

Data Breach

A data breach is a security incident in which an unauthorized environment (individuals or

companies) gains access to confidential information. A data breach is a cybercrime that is carried

out by cybercriminals for monetary gains.

Digital Privacy

Digital privacy is the protection of an individual’s information that is used or created while

using the Internet on a personal device. One of the beliefs is that individuals should have the

freedom to control how their data is obtained and utilized. Another notion is the principle that

individuals have the right to digitally communicate information with the expectation that their

communications are secure.

Distributed denial-of-service attacks (DDoS attacks)

A DDoS attack is a cyberattack where multiple exploited systems are used to target one

system, causing a denial of service by flooding the bandwidth of the targeted system.

Encryption

Encryption is a cybersecurity technique where confidential information is encoded to

ensure unauthorized individuals cannot access the data. The technique involves utilizing an

encryption key to gain access to the information. Users who do not have access to the information

will see only unreadable data, known as ciphertext.

Hacking as a service (HaaS)

HaaS is offered by companies that provide ethical hackers with advanced hacking skills,

where the hacker performs ethical tasks such as penetration testing.

International Telecommunication Union (ITU)

Founded in 1865 by the United Nations, the ITU is a specialized agency for information and

communication technologies that aims to enable universal connectivity in networks.

Internet

The Internet is a global system of computer networks that offer a variety of information and

communication facilities.

Internet of Things (IoT)

IoT refers to the connection of computing devices to the Internet, which enables the devices

to send and receive data.

Malware

Malware is an abbreviation for malicious software, which is a program or file that is

damaging to a computer system. There are various types of malicious software, such as spyware,

Trojan horses, computer viruses, and worms.

Ransomware

Ransomware involves a hacker inserting code into a firm’s data system that holds the firm’s

data hostage. The hacker demands that the firm pay a ransom, or the data is destroyed. It is spread

through deceitful emails or by visiting infected websites.

Software bug

A software bug is an error in a computer program that causes the program to produce

unwanted results or behave in unintentional ways.

United Nations Commission on Science and Technology for Development (UNCSTD)

United Nations Commission on Science and Technology for Development is a subsidiary

commission of the Economic and Social Council (ECOSOC). The commission was created in 1992

to discuss the advancement and repercussions of technology and science on the global society,

and to draft relevant resolutions to solve pressing issues with regards to scientific matters and

advanced technology. The UNCSTD provides high-level advice to the General Assembly and

ECOSOC on relevant technological and scientific issues through meticulous analysis.

White-hat hacker

A white-hat hacker is an ethical computer security specialist who aims to improve the

security of computer networks by performing penetration tests and other testing methodologies.

Zero-day attack

A zero-day attack is a cyberattack that transpires on the same day a vulnerability is

revealed in software, and thus, a fix is not available at the time of the attack.

Key Issues

Ease of accessing personal data due to human error

“Getting information from the Internet is like taking a drink from a fire hydrant” - Personal

Computing Pioneer Mitchell Kapor ("A Quote By Mitchell Kapor").

According to a data visualization company known as “Information is Beautiful,” there have

been over 300 publicly-disclosed data breaches involving the theft of over 100,000 records in the

past decade. This figure suggests that the primary method of obtaining personal data is through

penetrating network systems of companies that store personal data of consumers in servers and

databases, instead of targeting individuals. Data breaches are primarily caused due to human error

due to reasons such as the usage of vulnerable passwords, a lack of data security awareness,

inept data handling, disregard of appropriate security procedures, uncontrolled data access, and

coding errors.

From 2017 to 2019, 28 of the data breaches occurred as a result of inadequate security.

For instance, in 2018, ‘Nametests,’ a Facebook quiz application owned by Social Sweethearts,

exposed personal data of 120 million users including pictures, friend lists, and status updates due

to a security failure. Fortunately, a white-hat hacker named ‘Inti De Ceukelaire’ obtained the

information and did not provide it to third-party organizations. In this scenario, the issue arose as

a result of a rookie programming mistake, which exposed the personal data of over 120 million

individuals. This incident highlights the lack of attention companies give to experienced

programmers, cybersecurity engineers, and network systems. Experienced software programmers

are able to rectify rookie mistakes and can assist in reducing the instances in which an intruder

gains access to confidential information. Nonetheless, human error is an aspect that will always

plague companies, and thus, data leaks will continue to occur with experienced professionals as

well; however, the occurrence of these incidents will reduce dramatically.

Usage of vulnerable passwords

According to TraceSecurity, 81% of data breaches occur due to sensitive passwords.

Usually, employees in companies that have encountered data spills utilize passwords such

as their date of birth or name that can be remembered effortlessly; however, these

passwords could also be correctly guessed by an intruder or similarly could be obtained

through a brute-force attack, especially if the password is straightforward. Furthermore,

if all the employees in a company utilize the same password, all the accounts in the

company risk being breached, in case one of them is accessed by hackers.

A lack of data security awareness

Through the analysis of 300 data breaches, it is clear to see that many employees of these

companies that have been attacked by black-hat hackers aren’t updated on data security.

Regularly, staff members fail to update the software they utilize, possibly due to the fact

that they aren’t aware of how significant it is to upgrade various types of software, or

sometimes receive update notifications while they are busy with their work. When software

has a new update, it usually means that a bug detected in the code has been rectified,

thus ensuring the protection of data, as hackers are unable to exploit bugs once

companies identify these threats. However, if individuals do not update their software,

hackers can utilize the flaws in the previous update to gain unauthorized access to one’s

personal data. Moreover, employees are exploited by scammers who spread malicious

links through emails and websites. According to Infosec, 50% of users on the Internet

receive at least one phishing email daily. Furthermore, an alarming statistic discovered by

Infosec is that 97% of people in the world are unable to differentiate between a malicious

email and a regular email. Employees, unaware of the harmful viruses present, click on

these links and are afflicted with malware that can damage or steal their data.

Negligent data handling

According to IBM, 27% of data breaches are caused by human errors related to careless

data handling. Whilst employees use large amounts of data on a daily basis, it is common

for these individuals to make mistakes with regards to data transfers. For instance, if an

employee enters the wrong recipient email address or attaches the wrong file to an email,

the firm’s confidential information could be at risk, especially if a hacker gains access to

the valuable data points.

Disregard of appropriate security procedures

Particularly in competitive workplaces, employees prioritize their work-related tasks over

everything else in the workplace. As deadlines are stringent in workplaces, these

employees attempt to complete these tasks quickly, and whilst they attempt to do so, some

compromise the data security of the company. Critical aspects of an organization’s data

security structure such as updates and scans are often overlooked by workers as these

updates and scans take a long period of time to complete, and thus, conflict with their

work-related deadlines. As a result of this, employees expose the entire network to data

breaches, allowing hackers to gain access to personal data with ease.

Uncontrolled data access

According to Varonis, 30% of companies around the world have over 1,000 folders

(consisting of sensitive information) that are accessible to all the employees in the

workplace. When workforces are granted too much access to data systems, the likelihood

of data breaches increases. As staff members aim to maintain a work-life balance, they wish

to speed up their tasks and achieve this by making system configurations on the data

system, even when they are unauthorized to access these data systems. While the settings

benefit one individual, they hinder the business operations of the company, and thus, incite

data breaches.

The evolution of black-hat hackers

As the IoT expands, hackers derive new techniques to penetrate network systems of multi-

national corporations. Therefore, it is incredibly challenging for cybersecurity specialists to prevent

zero-day attacks, as these attacks are unique. Consequently, cybersecurity engineers find it

challenging to predict the new attacks, and thus, hackers will always have the advantage. Even if

a firm creates multiple cybersecurity devices, black-hat hackers will always find an alternative to

penetrate the network to gain access to a countless number of data points.

According to the IBM CEO Ginni Rometty, cybercrime is today’s greatest threat to global

business. As technology advances with innovations such as self-driving cars, machine learning

systems, and digital currencies, hacking becomes more profitable and beneficial for black-hat

hackers. However, no lab research center is on the verge of discovering an impenetrable system.

Security companies are unable to create unexploitable software for the protection of networks. The

cybercrime industry is at an all-time high. Moreover, security firms have begun offering hacking as a service

(HaaS), which allows any individual to hire a hacker for ethical purposes. However, these

individuals may persuade security firms to perform unauthorized and illegal activities for hefty sums

of money. Therefore, the nature of HaaS is unpredictable, as it is difficult to understand the motives

of individuals and firms.

Year after year, the threat of black-hat hackers becomes more apparent. For instance, on

October 21st, 2016, the Dyn cyberattack took place, which involved a series of distributed denial-

of-service attacks (DDoS attacks) targeted at the Dyn systems. The hack occurred after a software

known as the Mirai bots hijacked millions of exposed devices and ordered these devices to ping

the Dyn servers, and as a result, the Dyn servers crashed. As Dyn served a plethora of

websites, many individuals on the East Coast of the United States of America lost access to PayPal,

The New York Times, Twitter, Netflix, and Spotify to name a few. According to Lloyd’s, an

insurance market in London, United Kingdom, cyberattacks cost approximately $400 billion a year.

Furthermore, the insurance market does not take into account the damages firms encounter from

the fall in consumer confidence. This alarming statistic has a detrimental impact on the world

economy as the Gross Domestic Product (GDP) of nations around the world falls.

A cyberattack similar to the Dyn incident is not uncommon. Over the last ten years, over 215

cyberattacks occurred as a result of black-hat hackers, clearly indicating that it is challenging for

firms to stop hackers from penetrating systems and accessing personal data, according to

“Information is Beautiful.”

A new trend proving the evolution of black-hat hackers is the method known as

‘ransomware.’ Ransomware involves a hacker inserting code into a firm’s data system that holds

the firm’s data hostage. The hacker demands that the firm pay a ransom, or the data will be

destroyed. According to the Federal Bureau of Investigation (FBI), companies paid more than $1

billion to ransomware hackers in 2015. A worrying indication of black-hat hackers’ looming threat

is the advancement of artificial intelligence (AI). Hackers could begin trends of identity theft with

the assistance of AI bots. The AI bots can gain access to an individual’s messages, voice

recordings, and emails. Subsequently, hackers can gain access to this information to impersonate

an individual for malicious reasons.

Firms lacking transparency

Nowadays, customers are unaware of how their data is utilized, processed, and analyzed,

and of a firm’s purpose in utilizing the data. Due to the lack of transparency and insufficient

engagement with stakeholders, the world’s most prominent internet, mobile, and

telecommunications companies such as Google, Vodafone, and Microsoft rank incredibly low on

the Digital Rights 2018 Corporate Accountability Index. According to the annual benchmark

conducted by the Business and Human Rights Resource Centre, a majority of the internet users

are still unaware of how their personal data is accessed and utilized.

In the 21st century, the number of Internet users continues to skyrocket. With an increased

number of Internet users, firms have access to large amounts of data, which is commonly known

as ‘Big Data.’ Big Data Analytics is an avenue that multi-national corporations have explored in

order to enhance their marketing, sales, and recruiting departments. Firms utilize it to analyze the

large volumes of data in order to innovate new business applications through market research,

which is used to optimize the experience of customers. In addition to this, firms ameliorate their

competitive advantage by altering their methodologies and refining their products, which increases

their overall ability to adapt to changes in consumer taste. Due to intense competition in the market,

firms do not disclose the procedures utilized to analyze data, as they do not want other competitors

to replicate their strategies.

After the Facebook data abuse scandal, where the data of over 87 million people was

indecorously shared with the political consulting firm known as Cambridge Analytica, society

groups were enraged by the Facebook CEO Mark Zuckerberg and his reasons to the U.S.

Congress, as well as with Facebook’s recent changes to privacy policies surrounding data rights.

Furthermore, activists are anxious not only regarding how Facebook utilizes and shares personal

user data but also regarding how the company’s new policies are established across its universal

platform. In the United States of America, advocates in the Black Lives Movement demand access

to their personal data as well as an understanding of how their data is utilized, processed, and

analyzed.

In spite of Mark Zuckerberg’s comments on the high levels of transparency and control

users have over their data, the Digital Rights 2018 Corporate Accountability Index discovered that

Facebook disclosed the least information on how the company handles personal data when

compared to other companies in the United States of America. The index examines in what manner

companies disclose how personal data is gathered, utilized, analyzed, and the degree of control

users have. The lowest-scoring companies in the index were Etisalat, a telecommunications

company based in the United Arab Emirates, and Ooredoo, a telecommunications company based

in Qatar, as their privacy policies are not available to the public audience.

Major Parties Involved and Their Views

United States of America

The United States of America initiated USCYBERCOM, a cyber defense project, in 2009.

The U.S. National Security Agency (NSA) incorporated the USCYBERCOM project into their

infrastructure. However, the media has perceived this project as an offensive force and has

remained true to the label over the past few years. According to the United States Department of

Defense, the USCYBERCOM project schemes, synchronizes, implements, and conducts activities

in order to direct the US Department of Defense for its operations and cybersecurity. Furthermore,

the project is associated with the US Strategic Command unit that strategizes nuclear warfare for

the United States of America, thus highlighting its offensive nature.

In 2008, the ‘NSA ANT Catalogue,’ a highly classified government document, which was

leaked by an unknown group, provided the world with an insight of the aggressive cyber

technologies utilized by the NSA for the espionage of their adversaries. The product known as

HEADWATER was exposed in the ANT catalogue, which is a Persistent Backdoor (PBD) software

installed into specific Huawei wireless routers. According to the leaked document, the purpose of

the product was to spy on networks in China, by enabling covert functions to detect and examine

all the Internet Protocol (IP) packets passing through the wireless router.

In 2013, the media confirmed the belief that the NSA spies on American citizens after

releasing confidential government documents revealing that the NSA obtained copies of all the

information that is transferred through domestic fiber optic cable networks. Furthermore, these

documents confirmed that the US government collected phone data of all US consumers that

showcased their Internet communications and call history. Till this day, the NSA continues to spy

on American citizens, which has enraged individuals as their digital privacy rights are violated,

sparking numerous campaigns against this act. During 2013, the ‘Stop Watching Us’ rally took

place in order to condemn the NSA and their mass surveillance that has violated the digital privacy

of individuals within the USA.

In 2019, the US Congress has been encouraged to regulate big technology companies

based in the United States of America after data scandals that affected ‘tech giants’ such as

Facebook and Google. The U.S. Government aims to achieve outcomes similar to the European

Union’s GDPR that has assisted in reducing the abuse of personal consumer data as well as

increasing transparency between firms and consumers. An example of this is the enforcement of

the California Consumer Privacy Act that is targeted at technology-driven companies. The U.S.

Government aims to address significant aspects of the GDPR such as the access, usage, and

consent of personal data. According to Alan McQuinn, a policy analyst at the Information

Technology and Innovation Foundation, the new California Consumer Privacy Act, which aims to

create outcomes similar to those produced by the GDPR, could become a complex policy as seen

with the GDPR. Alan McQuinn praises its ability to encourage data transparency and portability

whilst creating systems to regulate abuse of personal consumer data; however, the policy analyst

believes it can also cause businesses to fail as seen with the EU’s GDPR. McQuinn believes it will

create barriers for small firms to enter the tech industry due to fierce competition. Furthermore,

McQuinn believes these policies can hamper innovation in the industry while bolstering firms that

can comply with these policies and their costs.

China

China is another country involved in militarized hacking. In February 2013, an American cybersecurity firm known as Mandiant released a report exposing China’s direct involvement in cyber espionage. This report detailed the cyber-espionage unit of the Chinese army known as ‘APT1’. The report provided evidence of APT1’s existence and its concealed cyber operations in China, the technology utilized by the unit, and the affiliation between APT1 and the Chinese military. After Mandiant attacked the APT1 infrastructure, the firm discovered that the group specialized in exploiting confidential data. For instance, APT1 accessed information that enabled the Chinese technology industry to produce cost-effective and enhanced technologies to compete against the United States of America. Furthermore, APT1 targeted a steel manufacturing company known as US Steel, which was reconnoitered for over three years until the Mandiant report was released to the public eye.

The Government of China has established over 60 online constraints, which have been implemented by Internet service providers, companies, and organizations in the public sector. Compared to other Internet restrictions integrated by nations around the world, China’s censorship is believed to be the most extensive as the central government of China not only restricts access to content on websites but also monitors the data of individuals. As a result of these strict measures, Internet censorship in China is nicknamed “The Great Firewall of China.”


“The Great Firewall of China” is a significant threat to digital privacy as individuals are unaware of important news and events that have taken place around the world. Furthermore, Chinese citizens are unable to access global news sources in order to gain a balanced perspective. In addition to this, the Chinese government continues to observe individuals’ Internet access, violating the fundamental right to privacy.

Council of Europe

The Council of Europe is an international organization whose purpose is to preserve human rights in Europe. The Council has been an ardent believer in digital privacy rights such as the ability to control how your personal data is used by foreign companies. The Council of Europe tackles these issues through the drafting of treaties such as the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.” Annually, the Council of Europe shares reports and studies regarding the future of personal data linked to current technological advancements such as artificial intelligence and its impact on digital privacy. Furthermore, the Council of Europe passes resolutions such as ‘Resolution 1986: Improving user protection and security in cyberspace’, which encourages companies to educate individuals and employees on data security.

Privacy International

Privacy International is a UK-based charity that aims to challenge government authorities and companies that want personal information on individuals, groups, and societies. Privacy International strives for a future in which individuals are in control of their personal data, and the manner in which it is collected, processed, and analyzed. Furthermore, Privacy International continues to advocate digital privacy rights whilst urging companies and governments to cease the use of technology for espionage. Recently, Privacy International has been involved in a campaign known as ‘IoT in court,’ which provides evidence for instances where police investigations utilized technology and data to wrongfully determine an individual to be guilty of a specific criminal activity. Furthermore, PI has been actively involved in data surveillance with regard to communication. On October 10th, 2003, PI published a legal memorandum assessing a data retention framework drafted by EU Justice. This memorandum meticulously analyzed existing data retention laws within the European Union and discovered that these policies did not comply with the law. In addition to this, they identified that this framework violated the European Convention on Human Rights as it did not protect the right to digital privacy.

Electronic Privacy Information Center (EPIC)

EPIC is a research center that was founded in 1994 in Washington, D.C. The purpose of the organization is to highlight privacy or human rights issues in order to protect rights, such as the freedom of speech and digital privacy. In order to achieve their goals, EPIC conducts a variety of activities such as conferences, advocacy of human rights, and public research on digital privacy issues. Whilst doing so, EPIC aims to rebuild consumer confidence in the face of technological scandals such as the Cambridge Analytica incident. In addition to this, EPIC is a platform for individuals to gain knowledge on current data privacy, and the latest news surrounding it.

Development of Issue/Timeline

| Date | Event | Outcome |
| --- | --- | --- |
| 1971 - 1972 | The first computer virus, known as the “Creeper”, infected computers and displayed the message, “I am the creeper, catch me if you can!” | This computer virus impacted the future of antivirus software released to destroy computer viruses. In 1972, a software program known as the “Reaper” was created to destroy the “Creeper” virus. |
| 1976 - 2006 | The largest inside-job incident occurred over the span of 30 years, where a Boeing employee known as Greg Chung stole aerospace documents (valued at over $2 billion) and shared them with China. This was discovered after authorities recovered over 225,000 pages of confidential information. | Greg Chung assisted China through the provision of military and spacecraft intel. This incident was one of the largest insider attacks in history, threatening the entire world. |
| 30th April 1992 | The United Nations Commission on Science and Technology for Development is founded. | The UNCSTD was created to discuss the advancement and repercussions of technology and science on the global society, and to draft relevant resolutions to solve pressing issues with regard to scientific matters and advanced technology. |
| 22nd January 2001 | Resolution 55/63 is passed in the United Nations General Assembly. | Resolution 55/63 discusses the topic of ‘combating the criminal misuse of information technologies.’ After the resolution passed, law enforcement regarding cybercrime became stricter around the world. |
| 30th January 2004 | Resolution 58/199 is passed in the United Nations General Assembly. | Resolution 58/199 discusses the topic ‘creation of a global culture of cybersecurity and the protection of critical information infrastructures.’ After the resolution passed, member states and relevant organizations were urged to support other member states to enhance the level of cybersecurity around the world. |
| 17th March 2010 | Resolution 64/211 is passed in the United Nations General Assembly. | Resolution 64/211 discusses the topic ‘creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures.’ After the resolution passed, governments identified national-level computer incident response teams to assist in the recovery of a computer network after a cyberattack. |
| 20th May 2013 | A former Central Intelligence Agency (CIA) employee known as Edward Snowden copied and leaked confidential information from the National Security Agency (NSA). | This insider attack has been one of the most controversial scandals in the history of data security and technological scandals. After the document revealing that the U.S. government spies on U.S. citizens was exposed, many individuals initiated protests against the U.S. government. |
| August 2013 | The world’s largest data breach occurred in August 2013. In December 2016, Yahoo reported that a group of black-hat hackers gained access to personal data of all the 3 billion users on their platform. | As Yahoo disclosed the breach 3 years later, the U.S. Securities and Exchange Commission (SEC) gave the company a $35 million fine. After the company revealed the details of the data breach, consumers launched over 40 lawsuits, causing Yahoo’s sale price to drop by $350 million. |
| June 2015 | The Office of Personnel Management (OPM) was jeopardized by a data breach after hackers stole over 4.2 million personnel files of government employees, including over 5 million fingerprints and approximately 21 million security clearance investigation documents. | This was one of the largest data breaches of confidential government information in the United States of America and initiated increased attention to data security. |
| May 2017 | The first ransomware attack known as “WannaCry” targeted Windows systems and necessitated ransom payments in the Bitcoin virtual currency. | The first ransomware attack paved the way for additional ransomware attacks in the future. In 24 hours, the cyberattack infected over 230,000 systems. |
| July 29th 2017 | The Equifax data breach involved the exploitation of the personal data of over 140 million Americans. The black-hat hackers gained access to over 200,000 credit cards. | This data breach was the largest credit attack and resulted in the resignation of Equifax CEO, Richard Smith. |
| 17th March 2018 | The Facebook-Cambridge Analytica data scandal surfaces on the Internet. | After this scandal broke out, the Facebook CEO, Mark Zuckerberg, was under scrutiny after users understood that Facebook shared personal user data with Cambridge Analytica for political campaigns such as the U.S. Presidential Elections in 2016. Consumers understood that Cambridge Analytica misused personal data in order to create personality profiles for individuals within the United States of America. They aimed to use these profiles to influence individuals with specific propaganda in hopes of increasing the number of votes in favour of Donald Trump. |
| May 2019 | MongoDB data breach exposed over 275 million records containing sensitive personal information on Indian citizens. | This data breach is one of the largest data leaks in 2019. It occurred due to inadequate security procedures as the application was using an older version, resulting in a lack of security. |

Previous Attempts to solve the Issue

The European Union General Data Protection Regulation (GDPR)

On April 14th 2016, the GDPR was approved by the European Union Parliament; however, it was enforced on May 25th 2018. After the implementation of this law, organizations that fail to comply with the GDPR are threatened with the possibility of receiving hefty fines. The policy aims to synchronize all the data privacy laws concerning Europe, protect and uphold data privacy for all European Union citizens, and transform the way in which companies handle data privacy and regulations around the world. Any company conducting business with European Union countries is required to comply with the GDPR rules. According to the European Commission, GDPR will save €2.3 billion per year as it will make it easier and cheaper for companies to operate within Europe. Another benefit of the GDPR is that when a data breach occurs and a user’s data is compromised, consumers are granted the right to know if their data was exploited, whilst allowing users to understand how their data is processed. However, alongside a plethora of benefits, the GDPR has drawbacks. The cost of GDPR compliance can increase incredibly quickly, depending on the amount of user data that is processed by the company. Therefore, the cost of GDPR compliance is exceptionally high and causes an increase in the expenditure of a company, as they aim to hire Data Protection Officers to avoid cumbersome fines.

One year after the GDPR was implemented by the European Union, it has had desirable impacts on the landscape of data security. This EU legislation has enhanced worldwide data protection as countries are taking data protection seriously. This has been depicted with the California Consumer Privacy Act (CCPA) that was signed into law in 2018 in order to ensure the safety of personal data. The CCPA will take effect from January 1st 2020. Other nations such as Sri Lanka and Algeria have made similar strides in order to synchronize data privacy laws worldwide. Another impact created by the GDPR is increased reliance on data experts as companies have increased their expenditure on GDPR compliance. Moreover, over 500,000 data protection officers have been employed by various companies around the world. These figures highlight the significance of GDPR to global firms.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a federal privacy law governing Canada’s private sector that applies to the personal data obtained through commercialization. PIPEDA is a law that applies to private sector organizations, especially those in the technology and telecommunications industry. On the 13th of April in 2000, PIPEDA’s regulations applied to all private sector firms and companies within Canada. PIPEDA is beneficial to consumers in Canada, as these individuals have the right to understand how their data is processed or analyzed for commercial purposes. However, it has increased the overall costs of running a business in Canada, as it is expensive to comply with the regulations of PIPEDA without hiring specialist data officers.

After its implementation in 2000, it did not achieve its primary purpose, as the number and frequency of data breaches continued to increase in Canada. The principal reason for the increased severity of data breaches is the lack of attention firms give to data security. As a result of this, PIPEDA was refined in 2018 due to the increased number of data breaches. PIPEDA made it necessary for firms to report data breaches to the government and to Canadian citizens. The Canadian government created this crucial change in order to increase the transparency and accountability of firms with regard to the personal data of consumers.


Possible Solutions

Improving human practices regarding data security

As noted throughout the research report, a primary cause of data breaches, which expose personal data, is human error. Companies should provide employees with necessary training sessions regarding data security in order to enhance the awareness of digital security in the workplace. The cybersecurity department could offer monthly briefings to the employees regarding the importance of strong passwords and the significance of carrying out security protocol for daily tasks in the workplace. Furthermore, firms should establish a data security policy within the workplace, which is easily accessible, where all employees are aware of the importance of handling data securely. In addition to this, companies should incorporate employee monitoring software that oversees an employee’s progress in terms of data security. If a situation arises where an employee makes an error, the system should explain the cause of the mistake and the steps required to rectify the issue. Moreover, it is essential that the cybersecurity department does not give all employees access to all of the data stored in the firm’s servers in order to prevent simple errors and inside jobs.

Implementing blockchain technology in databases

A blockchain is a data structure that represents a growing list of financial ledger entries that are linked using cryptography. Due to its functionality, it is resilient to the alteration of data. The fundamental issue is the availability of accessing data as seen in principal databases. Once a black-hat hacker penetrates a system and gains access to personal data, they are capable of copying all of the information stored within the database. Therefore, it is common to see data breaches exploit a large number of people; for instance, the Yahoo data breach compromised the personal data of over 3 billion users. Universally, individuals have access to the distributed ledger. However, the contents in the ledger are encrypted, thus making it difficult for hackers to access sensitive data. This technology will allow individuals to protect their personal data against government officials or black-hat hackers who require access to such information. In order for hackers to penetrate a network system with blockchain technology, they would have to individually hijack each financial ledger entry, which would take an extended period of time.

However, blockchain technology is not feasible for most firms as hiring blockchain specialists is expensive, with yearly wages of $140,000 to $150,000. Furthermore, according to Azati software, the cost of a blockchain technology project can rise up to $200,000. Blockchain has a plethora of complications as the technology relies on establishing an agreement between individuals in a network. To do so, it requires a lot of computing power to perform complex algorithms to verify individuals that can edit the chain. As it requires large amounts of computing power, blockchain technology consumes a lot of energy that can be used for other crucial purposes. Due to blockchain’s complexity and distributed network that utilizes encryption, the transactions take long periods of time to process. Consequently, firms will find it difficult to synchronize user data in databases with blockchain technology seamlessly.
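The hash linking this section describes, as an added example that is not part of the original report: each entry stores the SHA-256 hash of its predecessor, so editing an old entry breaks verification, and a wholesale rewrite is caught only when other participants hold a copy of the latest hash. The record fields and function names are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry


def entry_hash(prev_hash, payload):
    """SHA-256 over the previous entry's hash and this entry's payload."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_ledger(payloads):
    """Return a list of entries, each linked to its predecessor by hash."""
    ledger, prev = [], GENESIS
    for payload in payloads:
        digest = entry_hash(prev, payload)
        ledger.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return ledger


def first_broken_link(ledger):
    """Index of the first entry whose link or hash is inconsistent, else None."""
    prev = GENESIS
    for index, entry in enumerate(ledger):
        expected = entry_hash(entry["prev"], entry["payload"])
        if entry["prev"] != prev or entry["hash"] != expected:
            return index
        prev = entry["hash"]
    return None


def matches_head(ledger, trusted_head):
    """True if the last hash equals the copy held by other participants."""
    return bool(ledger) and ledger[-1]["hash"] == trusted_head


def rehash_from(ledger, start):
    """Recompute every hash from `start` onward, modelling a full rewrite of
    one copy by a party with write access to it."""
    prev = ledger[start - 1]["hash"] if start else GENESIS
    for entry in ledger[start:]:
        entry["prev"] = prev
        entry["hash"] = entry_hash(prev, entry["payload"])
        prev = entry["hash"]


def demo():
    # Constructed sample records (hypothetical fields).
    records = [
        {"account": "A-100", "amount": 250},
        {"account": "B-200", "amount": 75},
        {"account": "A-100", "amount": -40},
    ]
    ledger = build_ledger(records)
    head = ledger[-1]["hash"]  # the copy other participants keep

    results = {"clean": first_broken_link(ledger)}

    # Case 1: an old entry is edited in place; its stored hash no longer fits.
    tampered = copy.deepcopy(ledger)
    tampered[1]["payload"]["amount"] = 7500
    results["edited"] = first_broken_link(tampered)

    # Case 2: the later hashes are recomputed too; the links are consistent
    # again, and only the independently held head hash exposes the change.
    rehash_from(tampered, 1)
    results["rewritten_links"] = first_broken_link(tampered)
    results["rewritten_head_ok"] = matches_head(tampered, head)
    return results


if __name__ == "__main__":
    print(demo())
```

The hash links detect changes; they do not hide the payloads, which need separate encryption if they are sensitive.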

Improving data security techniques in order to rebuild consumer confidence

According to IBM, only 20% of consumers in the US trust firms to conceal their data from black-hat hackers. Businesses are not immune to data breaches, but they can certainly reduce the number and frequency of data breaches through adopting security measures to ensure data protection, which will support the rebuilding of consumer confidence after previous data leaks. A paramount aspect of data security involves the encryption of various types of data, including messages, user names, email addresses, passwords, and personal data of consumers. However, when firms encrypt data, it is pivotal that the encryption key is also provided to trusted individuals, as there has been an increase in ‘inside jobs’ that cause data breaches. After consumers notice that a specific firm has ameliorated its security measures and has not experienced a data breach for a prolonged period of time, consumers will begin to trust the firm to keep their personal data private. Firms should promote GDPR compliance and transparency by clearly showcasing how they comply with GDPR and how an individual’s data is processed and protected. As firms showcase their determination to ensure the encryption and safety of personal data, consumers will perceive the degree of importance firms provide to data security, which strengthens the relationships between firms and customers.

In addition to this, the U.S. government could continue its effective regulation of technology firms and their use of private consumer data. As stated by Alan McQuinn, a policy analyst working at a Washington think tank known as the ‘Information Technology and Innovation Foundation’, the California Consumer Privacy Act could have disadvantageous effects similar to the GDPR due to its complex nature that imposes a burden on small and medium-sized enterprises. Alan McQuinn also stated, “Requiring opt-in consent could create unintended consequences – hurting innovation and strengthening the biggest firms that have the resources to comply” (Lever). In order to avoid these instances, tiers of various data categories could be established in order to reduce the situations requiring opt-in consent, where opt-in consent is only compulsory for the most necessary and sensitive types of data. Opt-in consent is a requirement established within the GDPR where firms are not allowed to establish consent through the subject’s silence or through the provision of pre-ticked boxes. Therefore, consumers have to clearly provide consent to firms in order for these firms to process private data for market research and innovative business ideas.


Bibliography

"81% Of Company Data Breaches Due To Poor Passwords | Tracesecurity". Tracesecurity, 2019, https://www.tracesecurity.com/blog/articles/81-of-company-data-breaches-due-to-poor-passwords. Accessed 10 Aug 2019.

"A Quote By Mitchell Kapor". Goodreads, 2019, https://www.goodreads.com/quotes/1432753-getting-information-off-the-internet-is-like-taking-a-drink. Accessed 21 July 2019.

"Council Of Europe Data Protection". Council Of Europe, 2019, https://www.coe.int/en/web/data-protection/legal-instruments. Accessed 26 July 2019.

Eckert, Nick. "Human Error As The First Cause Of Data Breaches And How To Solve The Problem - GDPR365". GDPR365, 2019, https://www.gdpr365.com/human-error-cause-data-breaches-solve-problem/. Accessed 23 July 2019.

"EPIC - Electronic Privacy Information Center". Epic.Org, 2019, https://epic.org/. Accessed 26 July 2019.

Grothaus, Michael. "How Our Data Got Hacked, Scandalized, And Abused In 2018". Fast Company, 2018, https://www.fastcompany.com/90272858/how-our-data-got-hacked-scandalized-and-abused-in-2018. Accessed 21 July 2019.

Hospelhorn, Sarah. "Major Events That Changed Cybersecurity Forever". Varonis, 2019, https://www.varonis.com/blog/events-that-changed-cybersecurity/. Accessed 26 July 2019.

"ICT Statistics". Itu.Int, 2018, https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx. Accessed 15 July 2019.

"ITU". Itu.Int, 2019, https://www.itu.int/en/about/Pages/default.aspx. Accessed 21 July 2019.

"ITU Releases 2018 Global And Regional ICT Estimates". Itu.Int, 2018, https://www.itu.int/en/mediacentre/Pages/2018-PR40.aspx. Accessed 15 July 2019.

"Key Changes With The General Data Protection Regulation – EUGDPR". Eugdpr.Org, 2019, https://eugdpr.org/the-regulation/. Accessed 27 July 2019.

Lever, Rob. "US Congress To See Push To Regulate Big Tech In 2019". Phys.Org, 2019, https://phys.org/news/2019-01-congress-big-tech.html. Accessed 25 Aug 2019.

Maney, Kevin. "Hacking Is Growing More Profitable And Destructive. Yet No One Knows How To Stop It.". Newsweek, 2019, https://www.newsweek.com/2016/11/11/war-against-hacking-cyber-crime-515935.html. Accessed 24 July 2019.

"Privacy International". Privacyinternational.Org, 2019, https://privacyinternational.org/. Accessed 26 July 2019.

"State Of The Iot 2018: Number Of Iot Devices Now At 7B – Market Accelerating". Iot-Analytics, 2018, https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/. Accessed 21 July 2019.

Statt, Nick. "Maker Of Popular Quiz Apps On Facebook Exposed Personal Data Of 120 Million Users". The Verge, 2019, https://www.theverge.com/2018/6/28/17514822/facebook-data-leak-quiz-app-nametests-social-sweetheart-exposed-user-info. Accessed 23 July 2019.

"UNCTAD | United Nations Commission On Science And Technology For Development (CSTD)". UNCTAD, 2019, https://unctad.org/en/Pages/CSTD.aspx. Accessed 21 July 2019.

"What Is Big Data? | Oracle". Oracle, 2019, https://www.oracle.com/big-data/guide/what-is-big-data.html. Accessed 21 July 2019.

"World's Biggest Data Breaches & Hacks — Information Is Beautiful". Information Is Beautiful, 2019, https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/. Accessed 22 July 2019.

Appendices

i. The world’s biggest data breaches and hacks
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

ii. Building trust in the digital age: rethinking privacy, property and security | Making information systems work initiative | ICAEW
https://www.icaew.com/-/media/corporate/archive/files/technical/information-technology/business-systems-and-software-selection/making-information-systems-work/building-trust-in-the-digital-age-report.ashx?la=en