The Research on Cybersecurity Risks in 5G network: Perspectives on Global strategy

I. The characteristics of 5G and cybersecurity threats

  Compared to 4G, 5G adopts several new designs on the network architecture, such as software-defined networking (SDN), a baseband unit (BBU), logical disjunction, network function virtualization (NFV), and multi-access edge computing (MEC), to provide users with high-speed, low-latency and other quality services, as well as flexibility and expansibility to accommodate more emerging applications.

  According to the three key usage scenarios (see Figure 1) defined by the International Telecommunication Union (ITU), enhanced mobile broadband access (eMBB) provides high-volume mobile broadband services such as AR/VR or ultra-high-definition video. Massive machine type communication (mMTC) provides large-scale IoT services. Ultra-reliability and low latency communication (uRLLC) can be used for services that require low-latency and high-reliability connections, including unmanned driving and industrial automation.

  However, with 5G’s open, flexible and extensible design, as well as its coexistence with other 4G and 3G systems in the early stage of commercial operation, the cybersecurity threats facing 5G networks are more severe and diverse than those facing past mobile phone generations. At present, the known 5G cybersecurity threats mainly come from network functional components and the connection interfaces among components, including the terminal device, access network, air interface, cloud virtualization, multi-access edge computing rental, core network, back-end/backbone network, roaming and external services, and so on.


Source: ITU
Figure 1 Three key 5G scenarios by the ITU

II. Cybersecurity strategy development in major countries

  5G is not only one of the critical infrastructures, but also an important foundation for pursuing a digital nation, a digital economy and Industry 4.0, and for promoting industrial transformation and upgrading. However, different scenarios require different cybersecurity protection levels, which poses great challenges to both mobile network operators and service providers.

  Therefore, building a favorable environment for 5G development, promoting relevant applications and developing innovative services have become governance priorities in countries around the world.

1. European Union (EU)

  Then European Commission President Jean-Claude Juncker noted in 2017 that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks…Cyber-attacks know no borders and no one is immune,” indicating the EU's high priority in the cybersecurity field.

  The "Digital Single Market," an important EU policy, lays the foundation for a digital economy based on "cybersecurity, trust and privacy." In response to the loss of billions of euros a year to cyber-attacks, the EU has taken a series of measures to safeguard and advance the development of the Digital Single Market. For the purposes of this strategy, the European Commission in 2018 came up with the policy of Resilience, Deterrence and Defence: Building strong cybersecurity for the EU,[1] with the aim of improving the level of cyber security, cyber resilience and trust in the EU, and in June 2019 passed the Cybersecurity Act [2] with two highlights described as follows:

(1) Strengthen the authority of the European Union Agency for Network and Information Security (ENISA)(see Figure 2), increase the allocation of human and financial resources to ENISA, as well as the preparation for the work items related to the cybersecurity industry, and reinforce cyber security support for EU member states.

(2) Establish the EU cybersecurity certification framework. [3]

  In the European Union, where different cybersecurity certification schemes already exist, the absence of a common certification regime would increase the risk of fragmentation of the single market. For this reason, a set of technical requirements, standards and procedures is provided under this framework to assess whether information/communication products, services and processes are in compliance with security requirements.

  The certification program includes product and service categories, information/communication security requirements (e.g. reference standards or technical specifications), types of assessment (e.g. self-assessment or third-party assessment), levels of security, and so on. All member states agree that certification not only facilitates cross-border business transactions, but also enables consumers to better understand the security of products and services.


Source: Compiled from the ENISA website
Figure 2 ENISA organization and authority strengthening

2. The United States (U.S.)

  In consideration of cyber security affairs in the country, the US Department of Homeland Security (DHS) in May 2018 unveiled the "Cybersecurity Strategy,"[4] which focused on the objectives and priorities of the U.S. government in future cybersecurity protection, identifying and managing national cybersecurity risks with the overall risk management approach, and addressing security threats to the country, critical infrastructures and private enterprises, as well as preventing cybercrimes.

  Then the White House in September 2018 released the National Cyber Strategy of the United States of America, [5] based on the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [6] issued in May 2017, stating the strategy and position of the United States against the threat of cyber-attacks. The strategic goal was, by safeguarding cybersecurity, to protect the American people, the homeland, and the American way of life, to build a secure digital economic environment, to promote American prosperity, and to strengthen cooperation with partners to deter malicious cyber attackers, so as to maintain peace and security, and continue to expand U.S. influence.

  The department in July 2019 published the Digital Modernization Strategy [7] to announce its national defense strategy in the digital environment, including the use of cybersecurity, AI, cloud computing, blockchain and other technologies in information security protection to create a more secure, coordinated and efficient platform and improve the security of intelligence transmission and processing.

3. Canada

  Public Safety Canada in June 2018 released the National Cyber Security Strategy, [8] with the vision of a sustainable, robust cybersecurity environment, innovation and prosperity. Through international cooperation and a domestic public-private partnership, the department has been working on three goals: 1. cyber security and resilience (to reduce cybercrime and ensure Internet privacy); 2. Internet innovation (to create a friendly environment for the development of cybersecurity startups); 3. government leadership and cooperation (to transfer government-owned cybersecurity knowledge to the private sector and set up a cybersecurity governance framework).

  The Canadian government also attaches great importance to critical infrastructure. In May 2018, the National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure [9] was unveiled to facilitate information sharing between public and private partners through sharing and protecting intelligence, and implementing a full risk management approach. Moreover, Public Safety Canada in April 2019 issued a report called Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, which provided guidelines and suggestions for action on internal risks in critical infrastructure organizations.[10]

4. Singapore

  The government of Singapore in 2018 promulgated the Cybersecurity Act, [11] which aimed to fulfill the vision of a Smart Nation by enacting and putting into effect cybersecurity regulations to achieve the goal of a resilient infrastructure and a more secure cyberspace, and to strengthen the protection of critical information infrastructure against cyber-attacks. The Cyber Security Agency of Singapore (CSA) was given the authority to prevent and respond to cybersecurity threats, and to set up a system for sharing security information, as well as a light-touch licensing system for cybersecurity service providers.[12]

  The Government of Singapore has appointed a Commissioner of Cybersecurity responsible for promoting domestic cybersecurity policy. To safeguard Singaporeans from cybersecurity threats, [13] the government laid down cybersecurity threat and incident response provisions in Chapter 4 of the Cybersecurity Act to empower the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents, such as requiring the parties to the incidents to present statements in person or in writing, produce documents or provide information and so on.[14]

5. Australia

  The Australian government in 2016 proposed a four-year "Australia's Cyber Security Strategy,"[15] which was expected to invest more than 230 million Australian dollars to strengthen Australia's cyber security capability and complete the following five aspects: national cyber partnership, strong cyber defenses, global responsibility and influence, growth and innovation, and a cyber smart nation.

  As for global responsibility and influence, the Australian government in 2017 announced "Australia's International Cyber Engagement Strategy,"[16] which aims to strengthen digital trade, improve cybersecurity and respond to cybercrime through international cooperation; encourage innovative cybersecurity solutions; provide security advice and best practices, such as the Essential Eight strategies[17] to mitigate cyber-attacks; establish the Pacific Cyber Security Operational Network (PaCSON) [18] with neighboring countries to develop regional cybersecurity capabilities; and advance the development of Australia's cybersecurity industry, nurture startups and attract foreign investment.

III. Cybersecurity strategy to promote 5G in Taiwan

  Since taking office in 2016, President Tsai Ing-wen has declared that cybersecurity is directly linked to national security. In 2017, the Department of Cyber Security (DCS) under the Executive Yuan issued the "National Cybersecurity Development Plan (2017-2020)," and in 2018 the "Cybersecurity Industry Development Action Plan (2018-2025)," in order to enhance the independence of Taiwan's cybersecurity industry, consolidate the nation’s cybersecurity defense line, improve its innovative thinking on cyber security, and further promote it to the international market.

  To develop a favorable environment to promote 5G, the Executive Yuan on May 10, 2019 approved the “Taiwan 5G Action Plan (2019-2022),” [19] with a total investment of about NT$20.466 billion over a four-year period. The plan aims to build a 5G application and industrial innovation environment, reshape Taiwan's mobile communication industry ecosystem, promote industrial upgrading and transformation, and create the next wave of economic prosperity in Taiwan. Its content is planned around five themes: "promoting 5G vertical application field demonstration," "building 5G innovation and application development environment," "completing 5G technology core and cybersecurity protection capabilities," "planning to release 5G frequency spectrums in line with overall interests" and "adjusting laws and regulations to create favorable environment for 5G development."

  Secure, robust and reliable 5G systems are sufficient and requisite conditions for building an innovation ecosystem in digital countries. The third theme of the "Taiwan 5G Action Plan" is to "complete 5G technology core and cybersecurity protection capabilities," which is intended to advance the integration of applied science and technology by establishing advantageous core technologies, set up a 5G technology and test platform, and increase the market competitiveness of 5G industry, while drafting the overall national policies on 5G cybersecurity, building the cybersecurity protection mechanism of 5G homemade products, strengthening 5G critical infrastructure and operational cybersecurity protection capabilities, and promoting domestic suppliers to enter the international 5G reliable supply chain.

  In terms of strengthening 5G critical infrastructure and operational cybersecurity protection capacities, the NCC has planned a four-year (2019-2022) "5G Network Cybersecurity Protection and Related Regulations Preparation Plan." In coordination with a 5G license issue in 2020, the agency in 2019 added/amended the 5G cybersecurity provisions of the Regulations for Administration of Mobile Broadband Businesses, making it mandatory for the winning bidder of the 5G frequency spectrum to incorporate the cybersecurity protection concept into the system design for system construction.

  Upon commercial operation of 5G, the NCC will audit from time to time the implementation of the cybersecurity maintenance plan by telecom operators, so as to ensure and reinforce the cybersecurity protection system of Taiwan's 5G telecom network, and create an opportunity for the development of 5G homemade products with cybersecurity protection capability. In addition, the NCC will also face up to the fact that 5G technology standards continue to evolve, and the operators have different construction schedules and heterogeneous mobile networks coexist. Therefore, relevant regulations will continue to be completed from 2020 to 2022, and examples will be verified through cybersecurity function testing laboratories to ensure that cybersecurity protection functions of 5G networks keep pace with the times.

IV. Conclusion and Suggestion

  As for emerging technologies, countries around the world are actively evaluating and constructing 5G systems and services. Taiwan boasts excellent industrial advantages in terms of semiconductors, ICT software and hardware, and high-quality talent, which lay a foundation for developing 5G. Furthermore, given the importance of cybersecurity, it is necessary to pay more attention to planning and developing 5G cybersecurity technology.

  It is clear that the development of cybersecurity is both a challenge and an opportunity for Taiwan. In order to implement the national policy objectives of "cybersecurity is national security" and "innovative economic development programs for a digital nation," and to respond to scientific and technological progress and the demand for cybersecurity, a key development direction is proposed to expedite the establishment of 5G cybersecurity protection.

Reference:

[1]Resilience, Deterrence and Defence: Building strong cybersecurity in Europe, European Commission, https://ec.europa.eu/digital-single-market/en/news/resilience-deterrence-and-defence-building-strong-cybersecurity-europe

[2]The draft Regulation of The European Parliament And of The Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation(EU)526/2013, and on Information and Communication Technology cybersecurity certification(''Cybersecurity Act'') was published in September 2017 to expand the rights and obligations of ENISA, which would make ENISA the EU's cybersecurity and information competent authority and the authority for critical infrastructure (information) facilities after the passage of the Act.
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.151.01.0015.01.ENG&toc=OJ:L:2019:151:TOC

[3]The EU cybersecurity certification framework, European Commission, https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework

[5]National Cyber Strategy of the United States of America(2018), The White House, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf

[6]THE WHITE HOUSE, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/

[8]National Cybersecurity Strategy, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx

[9]National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pln-crtcl-nfrstrctr-2018-20/index-en.aspx#a02
The action plan is a three-year program under Canada's 2010 National Strategy for Critical Infrastructure (National Strategy) starting in 2010 for all phases.

[10]Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/nhncng-crtcl-nfrstrctr/index-en.aspx

[11]Cybersecurity Act 2018, Singapore Statutes Online, https://sso.agc.gov.sg/Acts-Supp/9-2018/

[13]Id.

[15]Australia’s Cybersecurity Strategy, https://cybersecuritystrategy.homeaffairs.gov.au/
What is the Government doing in cybersecurity, Ministers for the Department of Industry, Innovation and Science, https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security

[16]Australia’s International Cyber Engagement Strategy, Department of Foreign Affairs and Trade, https://www.dfat.gov.au/sites/default/files/DFAT%20AICES_AccPDF.pdf

[18]Pacific Cybersecurity Operational Network(PaCSON), https://dfat.gov.au/international-relations/themes/cyber-affairs/cyber-cooperation-program/Pages/pacific-cyber-security-operational-network-pacson.aspx
Or Strengthening cybersecurity across the Pacific, ACSC, https://www.cyber.gov.au/news/pacific-islands
PaCSON is comprised of 15 members, including Australia, Fiji, Marshall Islands, New Zealand, Papua New Guinea, Samoa, and Solomon Islands.

※The Research on Cybersecurity Risks in 5G network: Perspectives on Global strategy,STLI, https://stli.iii.org.tw//en/article-detail.aspx?no=55&tp=2&i=169&d=8472 (Date:2025/03/20)
Quote this paper
You may be interested
Open Government Data in Taiwan

In the recent years, the tide of open movement has pushed vigorously from the open source software, open hardware and the recent open data. More and more countries have joined the global initiative of open government data in order to achieve the ultimate goal to promote the democratic governance. National government adopts open data policy to enhance the transparency, participation and collaboration of the citizen into the government operation. Meanwhile, fueled by the knowledge economy and the statistical analysis of the big data technology, open government data could work as the catalyst to individuals, industries and government agencies to transform data into potential knowledge-based services. Up to the end of 2013, there are around 77 countries have adopted the Open Government Data policy. Taiwanese government also declared to take part in the open data revolution. The government had officially launched the open data policy in 2012. In Resolution No. 3322, the Executive Yuan prescribes that open government data could enhance the transparency of the government; improve the quality of life of people; and meet the needs of the industry. Governmental agencies under the authority of the Executive Yuan shall to recognize the importance of the empowerment brought from open government data to the quality of the decision-making process and asked the agencies to implemented the policy from the perspectives of the user’s needs and applications, and also the consider to include machine readable format for the data. The Executive Yuan directed the Research, Development and Evaluation Commission (RDEC)(行政院研究發展考核委員會) to develop related principles and measures to support government agencies of the Executive Yuan to plan, execute and open up their data. At the same time, it also directed the Industrial Development Bureau(IDB), Ministry of Economic Affairs (MOEA) (經濟部工業局)to develop responsive strategies to cope with the industrial development. Pursuant to the Resolution No. 
3322 of the Executive Yuan, RDEC worked through the open government data related laws and regulations, proclaimed the “Open Government Data Operating Principle for Agencies of the Executive Yuan”(行政院及所屬各級機關政府資料開放作業原則)and the “Essential Requirements for Administrate Open Government Data Datasets” (政府資料開放資料集管理要項)in the early 2013. All government agencies of the Executive Yuan have to adopted the following 3 open government data steps:"open up government data for public use”, “provide data free of charge subject to certain exemptions”, "automated systematic release and exchange data”, and work in with 4 open government focus strategies: “release data actively and by the priority in the field of daily necessity”, “develop the norm of open government data”, “promote the use of Data.gov.tw”, and “demonstrate and advocate open government data services”. Ministry of Economic Affairs (MOEA) (經濟部工業局)also provided grants ($9,200 NTD) to the open government data value-added applications and development. The open government data platform (data.gov.tw) was launched in July, 2013, as the official Taiwan government site providing public access and reuse of government data sets from 62 government agencies of the Executive Yuan, including the Ministry of Interior (MOI)(內政部), Ministry of Foreign Affairs (MOFA)(外交部), Ministry of Economic Affairs (MOEA)(經濟部), Council for Economic Planning and Development (CEPD)(行政院經濟建設發展委員會), Hakka Affairs Council (HAC)(客家委員會), Water Resources Agency, Ministry of Economic Affairs (WRA) (經濟部水利署), and 4 local governments. At the end of 2013, each government agency is required to release at least 55 data sets. In addition, the rising tide of private-sector (individual or enterprise) also aims to mine the gold in open government data. 
Act upon the National Information and Communication Initiative (NICI)(行政院國家資訊通信發展推動小組)in the consultation of the open government data policy, Taipei Computer Association (TCA)(台北市電腦同業工會)organized the “Open Data Alliance” (ODA)(Open Data聯盟)as a bridge between the information provide-side (public sectors) and the demand-side (private sectors), to communicate and coordinate the expectations and needs from communities (bottom-up) towards open government data. On Dec. 11, 2013, Taiwan took one more step in the global open data initiative. Open Data Alliance (ODA) and the Open Data Institute (ODI) in UK signed the memorandum of understanding (MOU) and announced the alliance established to promote and explore the potential opportunities of open data holds for the public, private and academic sectors. The engagement of ODA and ODI could bring another catalyst for the open movement in Taiwan to take one big step in the international community. According to a survey from ODA, the biggest challenge so far is the available data sets do not really meet the needs of the industry. And most of the feedback reflects the concerns in licensing, charge, frequency of updates, data formats and data quality. These voices echo the open government data issues encountered in many countries. There are still some obstacles with the applicable laws and regulations (for example, Charges and Fees Act, Personal Data Protection Act, Accoutability & Liability etc.) wait to be solved before both public and private sectors to go onto the next level of open data development.

The legal challenges of ubiquitous healthcare

Whereas the burden of private nursing for the elderly is getting heavier, industrialized countries with an aging society are endeavoring to seek possibilities of reducing the unit healthcare cost, such as technology assistance, and even the introduction of the brand new care type or model, which is an emerging application field of increasing importance. The development of such kind of healthcare industry not only is suitable for aging societies but also coincides with the growing health management trend of modern people. Also, while the focus on acute diseases in the past has changed to chronic diseases which are common to most citizens, the measuring and monitoring of physiological indicators, such as blood pressure, pulse, blood sugar and uric acid have critical effects on condition control. However, it will mean huge financial and physical burdens to the elderly or suffering from chronic diseases if they need to travel to hospitals to measure these physiological indicators. At this moment, an economical, reliable and timely physiological information collection and transfer system will be technology with good potential. For this reason, the purpose of this study is to investigate the potential business opportunities by applying the emerging information technology (IT) to the healthcare industry and the derivative legal and regulatory issues, with a focus on the seamless healthcare industry. It is hoped that by assessing the opportunity and risk in terms of legal and strategic analysis, we can single out the potential imbalance of fitting seamless healthcare, an IT-enabled service (ITeS), in the conventional control framework, and thereby establish a legal environment more appropriate for the development of the seamless healthcare industry. 
Referring to the existing electronic healthcare classification, the industry is divided into the following four blocks: electronic content provider, electronic product provider, electronic linking service provider and electronic passport service provider. Also, by depicting the outlook of the industry, the mode of application and the potential and common or special legal problems of different products are clarified. Given that health information collected, stored and transferred by electronic means involves unprecedented risk in information privacy and security, and that the appropriate control of such risk will affect the consumer’s faith in and willingness to subscribe seamless healthcare services, this study analyzed the privacy framework of the USA, the EU and Taiwan. Results indicate that future privacy legislation in Taiwan should include the protection for non-computer-processed personal information, expand the scope and occupation of applications, reinforce control incentives, and optimize the privacy protection mechanism. Further, only when service providers have the correct and appropriate concept of privacy protection can the watch-and-wait attitude of consumers be eliminated. These can help to promote subsequent development of the industry in the future. Due to the booming international trade as a result of globalization, and the gradual opening of the domestic telecommunication and healthcare markets following Taiwan’s entry into the WTO, transnational distance healthcare will gradually become a reality. However, the determination of the qualifications of practitioners is the prerequisite of transnational healthcare services. Taiwan may also consider lowering the requirements for physicians to practice in other countries and thereby to enhance the export competitiveness of Taiwan’s healthcare industry by means of distance healthcare via endorsement or reciprocity. 
Lastly, whereas the risks distance healthcare involves are higher than conventional healthcare services, the sharing of burdens and disputes over applicable laws in case of damages are the gray areas for executive control or judicial practice intervention. For this reason, service providers are unwilling to enter the market because the risks are too unpredictable. Therefore, this study recommends that the insurance system for distance healthcare should be the focus of future studies in order to promote the development of the industry.

Implementing Information Security to Protect Individuals' Privacy

The development of new technology is bound to have both positive and negative effects. However, when a new technology is first introduced, it is common for insufficient attention to be paid to its negative aspects, either because there has not been time to accumulate sufficient experience in using it or because users are blinded by the potential benefits. It is only later, when the technology begins to be abused, that people wake up to the potential dangers. The evolution of computers and the Internet is a classic example of this phenomenon. While the rapid development of information technology has helped to stimulate the flow of information in every corner of society, cyberspace has also become the setting for a wide range of criminal activities. In many cases, countries' existing legal and regulatory frameworks have proved inadequate to cope with the threat posed by the various forms of unauthorized access. A variety of forms of cyber-crime have developed, including denial-of-service attacks, unauthorized accessing of databases, phishing, identity theft and online fraud or intimidation. Cyber-crime may involve making unauthorized use of individuals' personal information, stealing companies' confidential business information or selling state secrets; these new types of crime thus affect every level of society. The effects can be catastrophic, hence the growing importance is now being attached to information security, including both the establishment of effective management mechanisms to prevent cyber-crime from occurring in the first place and the development of the capabilities needed to detect such crime when it occurs. Recognizing the need to plug the gaps in the existing legal and regulatory framework in the face of cyber-crime, countries all over the world are working on the formulation of new legislation, and Taiwan is no exception. 
The following sections will discuss the key developments in the laws and regulations governing information security in Taiwan in recent years. I. The Convention on Cyber-crime and Chapter 36 of Taiwan’s Criminal Code (offences relating to the abuse of computers) Today, governments throughout the world are formulating measures to combat criminal activity that makes use of the Internet (cyber-crime). In many cases these measures are based on the Convention on Cyber-crime announced by the European Commission on November 23, 2001, and which came into effect on July 1, 2004. This convention is the first international agreement to be established specifically to combat cyber-crime. Its contents include discussion of the various types of cyber-crime, regulations governing the obtaining of electronic evidence, provisions for mutual assistance between nations in judicial matters with respect to cyber-crime and measures to encourage multilateral collaboration. The European Commission asked all signatory nations to revise their own national laws so that they conform to the provisions of the Convention, with the aim of establishing a unified international framework for combating cyber-crime. Responding to the international trend towards the enactment of legislation to fight cyber-crime and to eliminate any loopholes in Taiwanese law that might result in Taiwan becoming a haven for cyber-criminals, on June 25, 2003 the Taiwanese government added a new chapter, Chapter 36 (Offences Relating to the abuse of Computers) to Taiwan's Criminal Code. It contains six articles covering four types of crime: unauthorized access (Article 358), the unauthorized acquisition, deletion or titleeration of electromagnetic records (Article 359), unauthorized use of or interference with a computer system (Article 360) and creating computer programs specifically for the perpetration of a crime (Article 362). 
Article 361 specifies that more severe punishment should be imposed in the case of violations carried out against the computers or other equipment of a public service organization, and Article 363 states that the provisions of Articles 358–360 shall apply only after prosecution is instituted upon complaint. These new articles provide a clear legal basis for the punishment of common types of cyber-crime such as unauthorized access by hackers, the spreading of computer viruses and the use of Trojan horse programs. In formulating these articles, reference was made to the categorization of cyber-crimes used in the Convention on Cyber-crime and to the suggestions for revision of national laws put forward there. Chapter 36 is thus in broad conformity with current international practice in this regard and can be expected to achieve significant results in terms of combating cyber-crime.

II. The authority of law enforcement to obtain evidence and ISPs' liability

In its discussion of the securing of electromagnetic records by law enforcement agencies, the Convention on Cyber-crime notes that such securing of records falls into two broad categories: immediate access and non-immediate access. Immediate access includes the monitoring of communications by law enforcement agencies; non-immediate access relates mainly to the data retention obligations imposed on Internet Service Providers (ISPs).

As regards the regulatory framework for the monitoring of communications, the Communications Protection and Surveillance Act came into effect in Taiwan on July 16, 1999. According to its provisions, monitoring of communications may only be implemented when it is deemed necessary to protect national security or to maintain social order. Warrants for such surveillance may only be issued if the content of the communications is related to a threat to national security or to the maintenance of social order. Furthermore, the crime in question must be a serious one.
In principle, the period for which surveillance is implemented should not exceed 30 days. These restrictions reflect the government’s determination to ensure that citizens' right to privacy is protected.

While the Internet is an environment conducive to the maintenance of anonymity, electromagnetic records are easy to erase. Effective investigation of cyber-crime requires automatic recording of communications by the equipment used to transmit the messages, that is to say, it requires the retention of historic data. As regards the extent to which companies are required to collaborate with law enforcement agencies and the conditions applying to the making available of electromagnetic records, these issues relate to the public's right to privacy, and the law in this area needs to be very clear and precise.

For the most part, data retention obligations are laid down in Taiwan’s Telecommunications Act. In Taiwan, ISPs are classed as "Type II Telecommunications Operators". Article 27 of the Administrative Regulations on Type II Telecommunications Businesses stipulates that Type II telecommunications operators may be required to confirm the existence of, and provide the contents of, customers' communications for the purpose of investigation or collection of evidence upon request in accordance with the requirements of the law. ISPs are required to retain, for a period of between 1 and 6 months, data relating to the account number of subscribers, the times and dates of communications, the times at which subscribers logged on and off, free e-mail accounts, the IP addresses used when applying for Web space and the time and date when such applications were made, the IP address used to make postings on message boards and newsgroups, the time and date when such postings were made and subscribers' e-mail communications records.
If a Type II telecommunications operator violates these provisions, the operator may be fined between NT$200,000 and NT$1 million and be required to remedy the situation within a specified time limit in accordance with Paragraph 2 of Article 64 of the Telecommunications Law. If the operator fails to remedy the situation within the specified time limit, its license may be revoked.

III. The Legal Framework for Personal Data Protection

Although, as outlined above, some revisions have already been made to the legal framework governing information security, there are still many areas which need to be reviewed. One of the most important is the protection of personal information. Following the explosive growth of the Internet, customer-related information is being processed by computers on a large scale in many different industries. With so many companies collaborating with other firms or adopting new marketing methods, the value and importance of personal information is being reassessed. The dramatic increase in the number of online scams in Taiwan in recent years has made the protection of privacy a focus of attention. The existing Computer-processed Personal Data Protection Law, drawn up to target specific industries, does not really provide adequate protection.

A new Personal Data Protection Act, drawn up with reference to the European Union’s Directive (95/46/EC) on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data and the personal information protection legislation adopted in the USA and Japan, has already been submitted to the Legislative Yuan for deliberation. The key differences between this new Act and the existing Computer-processed Personal Data Protection Law are as follows. Protection is no longer industry-specific; it now applies to both natural and juristic persons and to both public and private agencies.
The scope of protection has been expanded to include hard copies of documents containing personal information, and five new types of "sensitive information" – information relating to criminal records, medical examinations, medical records, sexual history and genetic information – have been added. Special restrictions apply to the collection and processing of these types of data.

The Personal Data Protection Act also imposes stricter requirements on public and private agencies with regard to the protection of individuals' personal data. For example, agencies must formulate personal data protection plans and measures for dealing with personal data once those data are no longer needed for business purposes. If an agency discovers that an individual's personal data have been stolen, leaked, altered or violated in any way, it is required to notify, by telephone or letter, the agency responsible for notifying the individual concerned as soon as possible. If these provisions are violated, the agency's responsible person will be liable for administrative punishment. The new Act also gives regulatory authorities greater powers to undertake auditing in this area, makes provision for class action suits and increases the amount of compensation to be paid to victims. It is expected that these mechanisms will help boost awareness of the importance of information security in all sectors, thereby helping to ensure better protection for the public's personal information.

IV. Management of Unsolicited Commercial E-Mail

The widespread utilization of e-mail has created a brand new marketing channel, so that e-mail can fairly be described as one of the most important "killer applications" to which the Internet has given rise. Today, spamming is causing serious problems for both e-mail users and ISPs. E-mail users are concerned about their privacy being violated and about having their e-mail box stuffed full of junk e-mail.
Spamming also ties up bandwidth which could be used for other purposes, and Distributed Denial of Service (DDoS) attacks can make it difficult for ISPs to provide normal service to their customers. Governments throughout the world have begun to consider whether anti-spamming legislation may be necessary. In Taiwan, draft legislation of this type has already been submitted to the Legislative Yuan.

Taiwan's Anti-SPAM Act was drawn up with reference to the USA's CAN-SPAM Act of 2003, Japan's Law on Regulation of Transmission of Specified Electronic Mail, Australia's SPAM Act and the UK's Privacy and Electronic Communications (EC Directive) Regulations 2003. The draft SPAM Act contains 13 articles, with an emphasis on self-regulation, technology filtering and provision for seeking compensation through civil action. The Act provides for the use of an "opt-out" mechanism to regulate the behavior of e-mail senders, with the following obligations to be imposed on them.

(1) The sender must specify in the "Subject" field of the e-mail whether it is a "business communication" or "advertising", to facilitate filtering by ISPs and to make clear to the recipient what type it is.
(2) The sender must provide accurate information, including the header, information on the sender's identity and the sender's e-mail address.
(3) E-mails may not be sent if the sender knows or could be expected to know that the intended recipient has already expressed a wish not to receive e-mail from this source. E-mails may also not be sent if the sender knows or could be expected to know that the information in the "Subject" field is inaccurate or misleading.

If the sender continues to send e-mails after the recipient has expressed a clear wish not to receive any more from the sender, or if the sender falsifies the "Subject" or header information, then the sender may be required to pay compensation to the recipient at a rate of NT$500–2,000 per person per e-mail.
With regard to the widespread practice whereby companies or advertising agencies commission third parties to send junk e-mail on their behalf, in cases where the commissioning party knows or could be expected to know that e-mail is being sent in violation of the above regulations, the commissioning party shall be held jointly liable with the party sending the e-mail. Through the implementation of this new law, the government hopes to establish a first-class Internet environment in Taiwan, putting an end to the current situation whereby large numbers of businesses are engaged in spamming.

V. Conclusions

Security is the biggest single factor affecting the implementation of e-government initiatives, e-business application adoption and Internet user confidence. Most people associate information security only with the purchasing of security hardware or software and the setting up of firewalls. While these products can indeed help to make the online environment more secure, Internet users should not allow themselves to be lulled into thinking that buying these products will in and of itself be sufficient to ensure security. "Security" is a fluid concept. Over time, the level of security that even a high-end product can provide will deteriorate; the fact that your system is secure now does not guarantee that it will remain secure in the future. Evidence that this is true is provided by the damage that is constantly being caused by viruses, by the need to constantly update security products and by the shift in emphasis away from virus prevention and firewalls towards preventing "backdoor" attacks and towards proactive intrusion detection. Furthermore, the information security risks that companies and organizations have to deal with are not limited to external threats; poor internal management may result in employees selling or leaking customer data or other company data, which can cause serious damage to the organization.
Examination of information security theory and practice in Taiwan and overseas suggests that the establishment of effective information security measures embraces four main areas: the detection of cyber-crime; the development of new information security technologies and formulation of standards; the education and management of computer users; and regulatory and policy issues. The most important of these is the education and management of computer users. Detection of cyber-crime is the next most important, while development of new technologies and standard setting and the regulatory and policy aspects play a supporting role. To create a genuinely secure online environment, attention must be paid to all of these.

Today governments throughout the world are formulating new legislation to plug the gaps in the regulatory framework governing the online environment. Given the need to let the market mechanism operate freely and to refrain from measures that might retard industrial development, government interference in the Internet, with the exception of crime prevention activity, has generally been viewed as a last resort. Currently the government in Taiwan is still focusing mainly on self-regulation by Internet service providers and other types of business enterprise, and the government's role is still largely confined to formulating standards and assisting with the development of new security products. The area on which both the government and the private sector will need to concentrate in the future is educating and ensuring effective management of computer users.

The Organization Framework, the Notification System and the Legal Norms of Critical Infrastructure Protection in the U.S.

1. Organization Framework

In the organization framework of critical infrastructure protection, there are mainly the public departments and the PPP organizations. The functions and task descriptions of the relevant organizations are as follows.

(1) Department of Homeland Security

After the September 11 attacks in America, the Homeland Security Act was passed in November 2002, and based on this act, 23 federal organizations, plans and offices were integrated to establish the Department of Homeland Security (DHS) to take responsibility for homeland security in America. The tasks include: (1) to analyze intelligence data collected from various departments such as the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) so that any threats to security can be discovered in time; (2) to protect and defend critical infrastructure; (3) to coordinate and lead America to prevent and respond to the attacks from nuclear weapons, biochemical weapons and other; and (4) to coordinate the tasks of the federal government, including emergency and rescue. For the task regarding critical infrastructure and critical information infrastructure protection, the main units in charge are the Office of Infrastructure Protection (OIP) and the Office of Cybersecurity and Communications (CS&C), subordinate to the National Protection and Programs Directorate (NPPD) of the Department of Homeland Security (DHS), which work to reduce the risk in both physical and cyber security in order to maintain national security.[1]

(2) Congress

Relevant units and committees are established both in the Senate and the House of Representatives to be responsible for protection and making policies pertinent to important critical infrastructure and critical information infrastructure.

(3) Computer Crime and Intellectual Property Section

In 1991, the Department of Justice (DOJ) established the Computer Crime and Intellectual Property Section (CCIPS), a section of the Criminal Division, to be responsible for combating all computer and intellectual property crime. Computer crime refers to cases which include electronic penetrations, data thefts, and cyber attacks on important critical infrastructure. CCIPS also prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts.

(4) Other Relevant PPP Organizations[2]

The Information Sharing and Analysis Center (ISAC) is responsible for the sharing of information security messages among the industries of each critical infrastructure to ensure liaison and cooperation among industries. Finally, for the issue of critical information infrastructure, especially cyber crimes, both the National Cyber Security Alliance (NCSA) and the Cross Sector Cyber Security Working Group (CSCSWG) are designated to play crucial roles in governmental and non-governmental internet security prevention and to be responsible for techniques and education.

2. Notification System

(1) Computer Emergency Response Team Coordination Center

The Computer Emergency Response Team Coordination Center (CERT/CC), run by Carnegie Mellon University, is the oldest and most important early-warning organization for information security in the USA. With its experts studying internet vulnerabilities and releasing risk assessments regularly, it reminds people of the possible dangers which exist in the information age and the need to improve internet security.

(2) US Computer Emergency Readiness Team

The US Computer Emergency Readiness Team (US-CERT) was established in 2003. It is responsible for protecting the infrastructure of the internet in America and for coordinating and providing response support and defense against national cyber attacks.
It interacts with federal agencies, industry, the research community, state government, and others to disseminate reasoned and actionable cyber security information to the public.

(3) Federal Bureau of Investigation

The Federal Bureau of Investigation (FBI), the first early warning center of critical infrastructure at the national level, is at present responsible for providing information pertinent to law enforcement and also takes responsibility for the investigation of cyber crime.

(4) Information Sharing and Analysis Centers

Currently, industries in America, including finance, telecommunications, energy, traffic and water resources, have established individual Information Sharing and Analysis Centers (ISACs) based on the policy made in PDD-63. The ISAC of the financial system, established in October 1999, was the first such center. These ISACs further work together to form an ISAC Council to integrate the information from each of them and improve their interaction and information sharing.

3. Legal Norms

With regard to the laws and regulations of critical infrastructure protection, America has formulated the following regulations aimed at critical infrastructure protection and computer crime.

(1) Federal Advisory Committee Act of 1972

According to the Federal Advisory Committee Act (FACA), an advisory committee can be established in every federal agency to provide the public, along with received open advice, with relevant objectives, and to prevent the public from being inappropriately influenced by the policies made by the government. However, to keep the private institutions which run the critical infrastructures from worrying about the inappropriate leak of the sensitive information that they provide and are consulted on, the Critical Infrastructure Partnership Advisory Council was established so that the Secretary of Homeland Security has the right to disregard the regulations of FACA and establish an independent advisory committee.

(2) Computer Fraud and Abuse Act of 1986[3]

The Computer Fraud and Abuse Act (CFAA) was enacted and implemented in 1986. It mainly regulates computer fraud and abuse. The Act states that it is against the law for anyone to access a protected computer without authorization. However, it also recognizes the fact that accessing a computer system of electronic and magnetic records does not in itself mean a violation of the law. According to the CFAA, conduct must meet one of the following requirements to be the wrongful conduct regulated in the Act:

(1) whoever intentionally accesses a computer to obtain specific information inside the government or whoever has influenced the transmission function of the computer system;
(2) whoever intentionally accesses a computer to obtain a protected database (including the information contained in a financial record of a financial institution or of a card issuer, or the information contained in a file of a consumer reporting agency on a consumer, or the information from any department or agency of the United States, or the conduct involving an interstate transaction);
(3) whoever intentionally accesses any nonpublic computer of a department or agency of the United States, and causes damage.

In addition, the Act also prohibits conduct such as transmitting malicious software and trafficking, with intent to defraud, in any password or similar information. Any person who suffers damage or loss by reason of a violation of the law may maintain a civil action to obtain compensatory damages and injunctive relief or other equitable relief.
However, the Computer Abuse Amendment Act (1994) expands the above Act, bringing the conduct of transmitting viruses and malicious programs into the norms, the regulatory measures for which were adopted by the USA Patriot Act enacted in October 2001.[4]

(3) Homeland Security Act of 2002[5]

The Homeland Security Act provides the legal basis for the establishment of the Department of Homeland Security and integrates relevant federal agencies into it. The Act also puts information analysis and measures of critical infrastructure protection into the norm. The norm under which private institutions are encouraged to voluntarily share with DHS the information security messages of important critical infrastructure is regulated in the Critical Infrastructure Information Act: Procedures for Handling Critical Infrastructure Information. According to the Act, the DHS has the obligation to keep the information provided by private institutions confidential, and this information is exempted from disclosure under the Freedom of Information Act.

(4) Freedom of Information Act

Many critical infrastructures in America are regulated by governmental laws, yet they are run by private institutions. Therefore, they should obey the law and provide the government with operation reports and the sensitive information related to critical infrastructure. However, because people can file a request at will to review relevant data from government agencies based on the Freedom of Information Act (FOIA), the security of national critical infrastructure may be exposed to the danger of being attacked. Therefore, critical infrastructure information, especially the information regarding the safety system, early warning, and interdependent units, is exempted from the Freedom of Information Act.

(5) Terrorism Risk Insurance Act of 2002[6]

After the 9/11 incident, Congress in America passed the Terrorism Risk Insurance Act to establish the mechanism to underwrite terrorism risk insurance, in which insurance companies are required to provide terrorism attack risk insurance and the federal government will also cover part of the loss for severe attacks.

[1] http://www.dhs.gov/xabout/structure/editorial_0794.shtm (last accessed 21.07.2009).
[2] http://www.thei3p.org/ (last accessed 21.07.2009).
[3] http://www.panix.com/~eck/computer-fraud-act.html (last accessed 21.07.2009).
[4] Mark G. Milone, Hacktivism: Securing the National Infrastructure, 58 Bus. Law, 389-390, 2002.
[5] http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf (last accessed 21.07.2009).
[6] http://www.ustreas.gov/offices/domestic-finance/financial-institution/terrorism-insurance/pdf/hr3210.pdf (last accessed 21.07.2009).
