Dubai International Academy Model United Nations 2020| 12th Annual Session
Research Report | Page 1 of 23
Forum: United Nations Commission on Science and Technology for
Development
Issue: Implementing measures to ensure the encryption and safety of
personal data and rebuild consumer confidence in the face of
technological advancements and scandals
Student Officer: Sahil Singhvi
Position: President Chair
Introduction
In the 21st century, technology has influenced individuals. Gradually, it has become a
quintessential aspect of a person’s day-to-day life. In our modern society, people cannot subsist
without various technologies such as mobile phones and laptops. According to the International
Telecommunication Union, at the end of 2018, a staggering 51.2% of the world’s population had
access to the Internet. From 2005, the world has made immense progress with an increase of
35.2% in Internet users.
Technological advancements have created immeasurable benefits, including enhanced
communication between foreign companies and increased availability of resources for research.
As a result of the increased availability of data on the Internet, firms can successfully carry out
research and development for the creation of innovative products. However, these technological
advancements have created issues such as the struggle of ensuring the encryption of personal
data and increased job redundancy due to artificial intelligence systems. These limitations are
ever-present in the 21st century as cybersecurity experts and unethical hackers are able to
penetrate network systems with ease. The concept of privacy, the right of an individual to be left
alone and keep personal information to themselves, has been plagued by the evolution of
technology. Furthermore, the principle of digital privacy, where an individual has the capability of
controlling when data is collected and how third-party corporations utilize it, is nearly
unattainable in a data-centric world. Our data-centric world involves fierce competition between
firms across the globe. Hence, firms are unwilling to disclose the processing of data as they obtain
market research that is used to devise creative marketing strategies for their latest innovations. As
a result, the firms do not reveal the strategies that assist them in outperforming their competitors
to the public eye. Furthermore, some firms utilize the data unethically in instances such as the
2016 U.S. Elections and the Brexit campaign carried out by Cambridge Analytica. Consequently,
these firms reduce their transparency to the public in order to disguise these illegal acts.
As the world continues to rely on technology, according to IoT Analytics, the number of
interconnected devices that allow for the collection and exchange of data is projected to soar from
an estimated 19.4 billion in 2019 to 27.9 billion in 2023. These statistics indicate that the
data-driven world will continue to expand with the increased dependency of modern society on digital
technologies and the Internet.
With these statistics considered, as the data-centric world continues to thrive: what
happens to our personal data, digital privacy, and identity on the Internet? Governments around
the world have made advances by shedding light on the high-profile data scandals and breaches
in order to explore a variety of solutions. Digital privacy is continuously debated upon in the face
of the data breaches and scandals with regards to companies such as Cambridge Analytica,
Facebook, Google, Panera Bread, and Marriott International. The reputation of these various
companies is tainted as a result of utilizing big data to increase the efficiency of their respective
business operations without a thought to digital privacy. Consumer anxiety is at an all-time high
due to the countless number of data scandals that have taken place in the last decade.
Consumers are worried about the potential damage that can be caused by unethical hackers who
possess their personal data. What if these black-hat hackers steal credit card details? What if they
impersonate consumers with malicious intent? Furthermore, social media platforms and various
online platforms gather consumer data, and sometimes share it with other companies for various
reasons. Consumers are unaware of the motives behind the sharing of this personal data. A recent
event is the Cambridge Analytica scandal, where Cambridge Analytica illicitly gathered personal
data from Facebook applications. After this, Cambridge Analytica utilized this data to assist political
campaigns such as the ‘Leave.EU campaign’ and ‘Donald Trump 2016 presidential campaign’.
This highlights a cause of concern as consumers are unaware of the aims that companies have
for personal data. These motives are usually unethical as a plethora of companies utilize personal
data in order to manipulate individuals as seen in the ‘Leave.EU campaign’. Consumers have no
control over these possibilities and thus are left fearful. In order to combat these data scandals,
new data protection laws have been established within Europe and California that aim to target the
data privacy policies of multinational technology companies to enhance the digital privacy of
consumers. Consumer confidence after these data scandals is at rock bottom; therefore, it is
imperative that effective laws and measures are implemented to ensure the encryption and safety
of personal data while rebuilding consumer confidence.
Definition of Key Terms
Artificial Intelligence (AI)
AI is the replication of human intelligence processes by computer systems.
Big Data
Big data is large volumes of data that have the capability to be harnessed for machine
learning projects and other analytical projects.
Black-hat hacker
A black-hat hacker is a cybercriminal who strives to discover computer security
susceptibilities and exploit them for personal gain or malicious reasons.
Brute-force attack
A brute-force attack is a penetration technique that utilizes trial and error to decode
encrypted data such as passwords, commonly used by cybercriminals. This technique usually
takes a long period of time, as it aims to try all the possibilities until it succeeds.
Cyberattack
A cyberattack takes place when a hacker attempts to alter, steal, damage, or destroy
computer systems, computer networks, or data.
Database
A database is an arranged set of data that is stored in a computer system, accessible in a
plethora of ways.
Data Breach
A data breach is a security incident in which an unauthorized environment (individuals or
companies) gains access to confidential information. A data breach is a cybercrime that is carried
out by cybercriminals for monetary gains.
Digital Privacy
Digital privacy is the protection of an individual’s information that is used or created while
using the Internet on a personal device. One of the beliefs is that individuals should have the
freedom to control how their data is obtained and utilized. Another notion is the principle that
individuals have the right to digitally communicate information with the expectation that their
communications are secure.
Distributed denial-of-service attacks (DDoS attacks)
A DDoS attack is a cyberattack where multiple exploited systems are used to target one
system, causing a denial of service by flooding the bandwidth of the targeted system.
Encryption
Encryption is a cybersecurity technique where confidential information is encoded to
ensure unauthorized individuals cannot access the data. The technique involves utilizing an
encryption key to gain access to the information. Users who do not have access to the information
will see only unreadable data in the form of ciphertext.
Hacking as a service (HaaS)
HaaS is offered by companies that provide ethical hackers with advanced hacking skills,
where the hacker performs ethical tasks such as penetration testing.
International Telecommunication Union (ITU)
Founded in 1865 by the United Nations, the ITU is a specialized agency for information and
communication technologies that aims to enable universal connectivity in networks.
Internet
The Internet is a global system of computer networks that offer a variety of information and
communication facilities.
Internet of Things (IoT)
IoT refers to the connection of computing devices to the Internet, which enables the devices
to send and receive data.
Malware
Malware is an abbreviation for malicious software, which is a program or file that is
damaging to a computer system. There are various types of malicious software, such as spyware,
Trojan horses, computer viruses, and worms.
Ransomware
Ransomware involves a hacker inserting code into a firm’s data system that holds the firm’s
data hostage. The hacker demands the firm to pay a ransom, or the data is destroyed. It is spread
through deceitful emails or by visiting infected websites.
Software bug
A software bug is an error in a computer program that causes the program to produce
unwanted results or behave in unintentional ways.
United Nations Commission on Science and Technology for Development (UNCSTD)
United Nations Commission on Science and Technology for Development is a subsidiary
commission of the Economic and Social Council (ECOSOC). The commission was created in 1992
to discuss the advancement and repercussions of technology and science on the global society,
and to draft relevant resolutions to solve pressing issues with regards to scientific matters and
advanced technology. The UNCSTD provides high-level advice to the General Assembly and
ECOSOC on relevant technological and scientific issues through meticulous analysis.
White-hat hacker
A white-hat hacker is an ethical computer security specialist who aims to improve the
security of computer networks by performing penetration tests and other testing methodologies.
Zero-day attack
A zero-day attack is a cyberattack that transpires on the same day a vulnerability is
revealed in software, and thus, a fix is not available at the time of the attack.
Key Issues
Ease of accessing personal data due to human error
“Getting information from the Internet is like taking a drink from a fire hydrant” - Personal
Computing Pioneer Mitchell Kapor ("A Quote By Mitchell Kapor").
According to a data visualization company known as “Information is Beautiful,” there have
been over 300 publicly-disclosed data breaches involving the theft of over 100,000 records in the
past decade. This figure suggests that the primary method of obtaining personal data is through
penetrating network systems of companies that store personal data of consumers in servers and
databases, instead of targeting individuals. Data breaches are primarily caused by human error,
for reasons such as the usage of vulnerable passwords, a lack of data security awareness,
inept data handling, disregard of appropriate security procedures, uncontrolled data access, and
coding errors.
From 2017 to 2019, 28 of the data breaches occurred as a result of inadequate security.
For instance, in 2018, ‘Nametests,’ a Facebook quiz application owned by Social Sweethearts,
exposed personal data of 120 million users including pictures, friend lists, and status updates due
to a security failure. Fortunately, a white-hat hacker named ‘Inti De Ceukelaire’ obtained the
information and did not provide it to third-party organizations. In this scenario, the issue arose as
a result of a rookie programming mistake, which exposed the personal data of over 120 million
individuals. This incident highlights the lack of attention companies give to experienced
programmers, cybersecurity engineers, and network systems. Experienced software programmers
are able to rectify rookie mistakes and can assist in reducing the instances in which an intruder
gains access to confidential information. Nonetheless, human error is an aspect that will always
plague companies, and thus, data leaks will continue to occur with experienced professionals as
well; however, the occurrence of these incidents will reduce dramatically.
Usage of vulnerable passwords
According to TraceSecurity, 81% of data breaches occur due to vulnerable passwords.
Usually, employees in companies that have encountered data spills utilize passwords such
as their date of birth or name that can be remembered effortlessly; however, these
passwords could also be correctly guessed by an intruder or obtained
through a brute-force attack, especially if the password is straightforward. Furthermore,
if all the employees in a company utilize the same password, all the accounts in the
company risk being breached, in case one of them is accessed by hackers.
A lack of data security awareness
Through the analysis of 300 data breaches, it is clear to see that many employees of these
companies that have been attacked by black-hat hackers aren’t updated on data security.
Regularly, staff members fail to update the software they utilize, possibly due to the fact
that they aren’t aware of how significant it is to upgrade various types of software, or
sometimes receive update notifications while they are busy with their work. When software
has a new update, it usually means that a bug detected in the code has been rectified,
thus ensuring the protection of data, as hackers are unable to exploit bugs once
companies identify these threats. However, if individuals do not update their software,
hackers can utilize the flaws in the previous update to gain unauthorized access to one’s
personal data. Moreover, employees are exploited by scammers who spread malicious
links through emails and websites. According to Infosec, 50% of users on the Internet
receive at least one phishing email daily. Furthermore, an alarming statistic discovered by
Infosec is that 97% of people in the world are unable to differentiate between a malicious
email and a regular email. Employees, unaware of the harmful viruses present, click on
these links and are afflicted with malware that can damage or steal their data.
Negligent data handling
According to IBM, 27% of data breaches are caused by human errors related to careless
data handling. Whilst employees use large amounts of data on a daily basis, it is common
for these individuals to make mistakes with regards to data transfers. For instance, if an
employee enters the wrong recipient email address or attaches the wrong file to an email,
the firm’s confidential information could be at risk, especially if a hacker gains access to
the valuable data points.
Disregard of appropriate security procedures
Particularly in competitive workplaces, employees prioritize their work-related tasks over
everything else in the workplace. As deadlines are stringent in workplaces, these
employees attempt to complete these tasks quickly, and whilst they attempt to do so, some
compromise the data security of the company. Critical aspects of an organization’s data
security structure such as updates and scans are often overlooked by workers as these
updates and scans take a long period of time to complete, and thus, conflict with their
work-related deadlines. As a result of this, employees expose the entire network to data
breaches, allowing hackers to gain access to personal data with ease.
Uncontrolled data access
According to Varonis, 30% of companies around the world have over 1,000 folders
(consisting of sensitive information) that are accessible to all the employees in the
workplace. When workforces are granted too much access to data systems, the likelihood
of data breaches increases. As staff members aim to maintain a work-life balance, they wish
to speed up their tasks and achieve this by making system configurations on the data
system, even when they are unauthorized to access these data systems. While the settings
benefit one individual, they hinder the business operations of the company, and thus, incite
data breaches.
The evolution of black-hat hackers
As the IoT expands, hackers devise new techniques to penetrate network systems of
multi-national corporations. Therefore, it is incredibly challenging for cybersecurity specialists to prevent
zero-day attacks, as these attacks are unique. Consequently, cybersecurity engineers find it
challenging to predict the new attacks, and thus, hackers will always have the advantage. Even if
a firm creates multiple cybersecurity devices, black-hat hackers will always find an alternative to
penetrate the network to gain access to a countless number of data points.
According to the IBM CEO Ginni Rometty, cybercrime is today’s greatest threat to global
business. As technology advances with innovations such as self-driving cars, machine learning
systems, and digital currencies, hacking becomes more profitable and beneficial for black-hat
hackers. However, no lab research center is on the verge of discovering an impenetrable system.
Security companies are unable to create unexploitable software for the protection of networks. The
cybercrime industry is at an all-time high. Moreover, security firms have begun offering hacking as a service
(HaaS), which allows any individual to hire a hacker for ethical purposes. However, these
individuals may persuade security firms to perform unauthorized and illegal activities for hefty sums
of money. Therefore, the nature of HaaS is unpredictable, as it is difficult to understand the motives
of individuals and firms.
Year after year, the threat of black-hat hackers becomes more apparent. For instance, on
October 21st, 2016, the Dyn cyberattack took place, which involved a series of distributed
denial-of-service attacks (DDoS attacks) targeted at the Dyn systems. The hack occurred after software
known as the Mirai bots hijacked millions of exposed devices and ordered these devices to ping
the Dyn servers, and as a result, the Dyn servers crashed. As Dyn served a plethora of
websites, many individuals on the East Coast of the United States of America lost access to PayPal,
The New York Times, Twitter, Netflix, and Spotify to name a few. According to Lloyd’s, an
insurance market in London, United Kingdom, cyberattacks cost approximately $400 billion a year.
Furthermore, the insurance market does not take into account the damages firms encounter from
the fall in consumer confidence. This alarming statistic has a detrimental impact on the world
economy as the Gross Domestic Product (GDP) of nations around the world falls.
A cyberattack similar to the Dyn incident is not uncommon. Over the last ten years, over 215
cyberattacks occurred as a result of black-hat hackers, clearly indicating that it is challenging for
firms to stop hackers from penetrating systems and accessing personal data, according to
“Information is Beautiful.”
A new trend proving the evolution of black-hat hackers is the method known as
‘ransomware.’ Ransomware involves a hacker inserting code into a firm’s data system that holds
the firm’s data hostage. The hacker demands the firm to pay a ransom, or the data will be
destroyed. According to the Federal Bureau of Investigation (FBI), companies paid more than $1
billion to ransomware hackers in 2015. A worrying indication of black-hat hackers’ looming threat
is the advancement of artificial intelligence (AI). Hackers could begin trends of identity theft with
the assistance of AI bots. The AI bots can gain access to an individual’s messages, voice
recordings, and emails. Subsequently, hackers can gain access to this information to impersonate
an individual for malicious reasons.
Firms lacking transparency
Nowadays, customers are unaware of how their data is utilized, processed, and analyzed,
and of a firm’s purpose in utilizing the data. Due to the lack of transparency and insufficient
engagement with stakeholders, the world’s most prominent internet, mobile, and
telecommunications companies such as Google, Vodafone, and Microsoft rank incredibly low on
the Digital Rights 2018 Corporate Accountability Index. According to the annual benchmark
conducted by the Business and Human Rights Resource Centre, a majority of the internet users
are still unaware of how their personal data is accessed and utilized.
In the 21st century, the number of Internet users continues to skyrocket. With an increased
number of Internet users, firms have access to large amounts of data, which is commonly known
as ‘Big Data.’ Big Data Analytics is an avenue that multi-national corporations have explored in
order to enhance their marketing, sales, and recruiting departments. Firms utilize it to analyze the
large volumes of data in order to innovate new business applications through market research,
which is used to optimize the experience of customers. In addition to this, firms ameliorate their
competitive advantage by altering their methodologies and refining their products, which increases
their overall ability to adapt to changes in consumer taste. Due to intense competition in the market,
firms do not disclose the procedures utilized to analyze data, as they do not want other competitors
to replicate their strategies.
After the Facebook data abuse scandal, where the data of over 87 million people was
indecorously shared with the political consulting firm known as Cambridge Analytica, society
groups were enraged by the Facebook CEO Mark Zuckerberg and his reasons to the U.S.
Congress, as well as with Facebook’s recent changes to privacy policies surrounding data rights.
Furthermore, activists are anxious not only regarding how Facebook utilizes and shares personal
user data but also regarding how the company’s new policies are established across its universal
platform. In the United States of America, advocates in the Black Lives Movement demand access
to their personal data as well as an understanding of how their data is utilized, processed, and
analyzed.
In spite of Mark Zuckerberg’s comments on the high levels of transparency and control
users have over their data, the Digital Rights 2018 Corporate Accountability Index discovered that
Facebook disclosed the least information on how the company handles personal data when
compared to other companies in the United States of America. The index examines in what manner
companies disclose how personal data is gathered, utilized, analyzed, and the degree of control
users have. The lowest-scoring companies in the index were Etisalat, a telecommunications
company based in the United Arab Emirates, and Ooredoo, a telecommunications company based
in Qatar, as their privacy policies are not available to the public audience.
Major Parties Involved and Their Views
United States of America
The United States of America initiated USCYBERCOM, a cyber defense project in 2009.
The U.S. National Security Agency (NSA) incorporated the USCYBERCOM project into their
infrastructure. However, the media has perceived this project as an offensive force and has
remained true to the label over the past few years. According to the United States Department of
Defense, the USCYBERCOM project schemes, synchronizes, implements, and conducts activities
in order to direct the US Department of Defense for its operations and cybersecurity. Furthermore,
the project is associated with the US Strategic Command unit that strategizes nuclear warfare for
the United States of America, thus highlighting its offensive nature.
In 2008, the ‘NSA ANT Catalogue,’ a highly classified government document, which was
leaked by an unknown group, provided the world with an insight into the aggressive cyber
technologies utilized by the NSA for the espionage of their adversaries. The product known as
HEADWATER was exposed in the ANT catalogue, which is a Persistent Backdoor (PBD) software
installed into specific Huawei wireless routers. According to the leaked document, the purpose of
the product was to spy on networks in China, by enabling covert functions to detect and examine
all the Internet Protocol (IP) packets passing through the wireless router.
In 2013, the media confirmed the belief that the NSA spies on American citizens after
releasing confidential government documents revealing that the NSA obtained copies of all the
information that is transferred through domestic fiber optic cable networks. Furthermore, these
documents confirmed that the US government collected phone data of all US consumers that
showcased their Internet communications and call history. To this day, the NSA continues to spy
on American citizens, which has enraged individuals as their digital privacy rights are violated,
sparking numerous campaigns against this act. During 2013, the ‘Stop Watching Us’ rally took
place in order to condemn the NSA and their mass surveillance that has violated the digital privacy
of individuals within the USA.
In 2019, the US Congress was encouraged to regulate big technology companies
based in the United States of America after data scandals that affected ‘tech giants’ such as
Facebook and Google. The U.S. Government aims to achieve outcomes similar to the European
Union’s GDPR that has assisted in reducing the abuse of personal consumer data as well as
increasing transparency between firms and consumers. An example of this is the enforcement of
the California Consumer Privacy Act that is targeted at technology-driven companies. The U.S.
Government aims to address significant aspects of the GDPR such as the access, usage, and
consent of personal data. According to Alan McQuinn, a policy analyst at the Information
Technology and Innovation Foundation, the new California Consumer Privacy Act, which aims to
create outcomes similar to those produced by the GDPR, could become a complex policy as seen
with the GDPR. Alan McQuinn praises its ability to encourage data transparency and portability
whilst creating systems to regulate abuse of personal consumer data; however, the policy analyst
believes it can also cause businesses to fail as seen with the EU’s GDPR. McQuinn believes it will
create barriers for small firms to enter the tech industry due to fierce competition. Furthermore,
McQuinn believes these policies can hamper innovation in the industry while bolstering firms that
can comply with these policies and their costs.
China
China is another country involved in militarized hacking. In February 2013, an American
cybersecurity firm known as Mandiant released a report exposing China’s direct involvement in
cyber espionage. This report detailed the cyber-espionage unit of the Chinese army known as
‘APT1’. The report provided evidence of APT1’s existence and its concealed cyber operations in
China, the technology utilized by the unit, and the affiliation between APT1 and the Chinese
military. After Mandiant attacked the APT1 infrastructure, the firm discovered that the group
specialized in exploiting confidential data. For instance, APT1 accessed information that
enabled the Chinese technology industry to produce cost-effective and enhanced technologies to
compete against the United States of America. Furthermore, APT1 targeted a steel
manufacturing company known as US Steel, which was reconnoitered for over three years until the
Mandiant report was released to the public eye.
The Government of China has established over 60 online constraints, which have been
implemented by Internet service providers, companies, and organizations in the public sector.
Compared to other Internet restrictions integrated by nations around the world, China’s censorship
is believed to be the most extensive as the central government of China not only restricts access
to content on websites but also monitors the data of individuals. As a result of these strict
measures, Internet censorship in China is nicknamed “The Great Firewall of China.”
“The Great Firewall of China” is a significant threat to digital privacy as individuals are
unaware of important news and events that have taken place around the world. Furthermore,
Chinese citizens are unable to access global news sources in order to gain a balanced perspective.
In addition to this, the Chinese government continues to observe individuals’ Internet access,
violating the fundamental right to privacy.
Council of Europe
The Council of Europe is an international organization whose purpose is to preserve human
rights in Europe. The Council has been an ardent believer of digital privacy rights such as the
ability to control how your personal data is used by foreign companies. The Council of Europe
tackles these issues through the drafting of treaties such as “Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data.” Annually, the Council of Europe
shares reports and studies regarding the future of personal data linked to current technological
advancements such as artificial intelligence and its impact on digital privacy. Furthermore, the
Council of Europe passes resolutions such as ‘Resolution 1986: Improving user protection and
security in cyberspace’, that encourages companies to educate individuals and employees on data
security.
Privacy International
Privacy International is a UK-based charity that aims to challenge government authorities
and companies that want personal information on individuals, groups, and societies. Privacy
International strives for a future in which individuals are in control of their personal data, and the
manner in which it is collected, processed, and analyzed. Furthermore, Privacy International
continues to advocate digital privacy rights whilst they urge companies and governments to cease
the use of technology for espionage. Recently, Privacy International has been involved in a
campaign known as ‘IoT in court,’ that provides evidence for instances where police investigations
utilized technology and data to wrongfully determine an individual as guilty of a specific criminal
activity. Furthermore, PI has been actively involved in data surveillance with regards to
communication. On October 10th, 2003, PI published a legal memorandum assessing a data
retention framework drafted by EU Justice. This memorandum meticulously analyzed existing data
retention laws within the European Union and discovered that these policies did not comply with
the law. In addition to this, they identified that this framework violated the European Convention of
Human Rights as it did not protect the right to digital privacy.
Electronic Privacy Information Center (EPIC)
EPIC is a research center that was founded in 1994 in Washington, D.C. The purpose of
the organization is to highlight privacy or human rights issues in order to protect rights, such as the
freedom of speech and digital privacy. In order to achieve their goals, EPIC conducts a variety of
activities such as conferences, advocacy of human rights, and public research on digital privacy
issues. Whilst doing so, EPIC aims to rebuild consumer confidence in the face of technological
scandals such as the Cambridge Analytica incident. In addition to this, EPIC is a platform for
individuals to gain knowledge on current data privacy, and the latest news surrounding it.
Development of Issue/Timeline
Date: 1971 - 1972
Event: The first computer virus, known as the “Creeper”, infected computers and displayed the message, “I am the creeper, catch me if you can!”
Outcome: This computer virus impacted the future of antivirus software released to destroy computer viruses. In 1972, a software program known as the “Reaper” was created to destroy the “Creeper” virus.

Date: 1976 - 2006
Event: The largest inside-job incident occurred over the span of 30 years, where a Boeing employee known as Greg Chung stole aerospace documents (valued at over $2 billion) and shared them with China. This was discovered after authorities recovered over 225,000 pages of confidential information.
Outcome: Greg Chung assisted China through the provision of military and spacecraft intel. This incident was one of the largest insider attacks in history, threatening the entire world.

Date: 30th April 1992
Event: The United Nations Commission on Science and Technology for Development is founded.
Outcome: The UNCSTD was created to discuss the advancement and repercussions of technology and science on the global society, and to draft relevant resolutions to solve pressing issues with regard to scientific matters and advanced technology.

Date: 22nd January 2001
Event: Resolution 55/63 is passed in the United Nations General Assembly.
Outcome: Resolution 55/63 discusses the topic of ‘combating the criminal misuse of information technologies.’ After the resolution passed, law enforcement regarding cybercrime became stricter around the world.

Date: 30th January 2004
Event: Resolution 58/199 is passed in the United Nations General Assembly.
Outcome: Resolution 58/199 discusses the topic ‘creation of a global culture of cybersecurity and the protection of critical information infrastructures.’ After the resolution passed, member states and relevant organizations were urged to support other member states to enhance the level of cybersecurity around the world.

Date: 17th March 2010
Event: Resolution 64/211 is passed in the United Nations General Assembly.
Outcome: Resolution 64/211 discusses the topic ‘creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures.’ After the resolution passed, governments identified national-level computer incident response teams to assist in the recovery of a computer network after a cyberattack.

Date: 20th May 2013
Event: A former Central Intelligence Agency (CIA) employee known as Edward Snowden copied and leaked confidential information from the National Security Agency (NSA).
Outcome: This insider attack has been one of the most controversial scandals in the history of data security and technological scandals. After the document was exposed, revealing that the U.S. government spies on U.S. citizens, many individuals initiated protests against the U.S. government.

Date: August 2013
Event: The world’s largest data breach occurred in August 2013. In December 2016, Yahoo reported that a group of black-hat hackers gained access to personal data of all 3 billion users on their platform.
Outcome: As Yahoo disclosed the breach 3 years later, the U.S. Securities and Exchange Commission (SEC) gave the company a $35 million fine. After the company revealed the details of the data breach, consumers launched over 40 lawsuits, causing Yahoo’s sale price to drop by $350 million.

Date: June 2015
Event: The Office of Personnel Management (OPM) was jeopardized in a data breach after hackers stole over 4.2 million personnel files of government employees, including over 5 million fingerprints and approximately 21 million security clearance investigation documents.
Outcome: This was one of the largest data breaches of confidential government information in the United States of America and initiated increased attention to data security.

Date: May 2017
Event: The first ransomware attack known as “WannaCry” targeted Windows systems and necessitated ransom payments in the Bitcoin virtual currency.
Outcome: The first ransomware attack paved the way for additional ransomware attacks in the future. In 24 hours, the cyberattack infected over 230,000 systems.

Date: July 29th 2017
Event: The Equifax data breach involved the exploitation of the personal data of over 140 million Americans. The black-hat hackers gained access to over 200,000 credit cards.
Outcome: This data breach was the largest credit attack and resulted in the resignation of Equifax CEO, Richard Smith.

Date: 17th March 2018
Event: The Facebook-Cambridge Analytica data scandal surfaces on the Internet.
Outcome: After this scandal broke out, the Facebook CEO, Mark Zuckerberg, was under scrutiny after users understood that Facebook shared personal user data with Cambridge Analytica for political campaigns such as the U.S. Presidential Elections in 2016. Consumers understood that Cambridge Analytica misused personal data in order to create personality profiles for individuals within the United States of America. They aimed to use these profiles to influence individuals with specific propaganda in hopes of increasing the number of votes in favour of Donald Trump.

Date: May 2019
Event: MongoDB data breach exposed over 275 million records containing sensitive personal information on Indian citizens.
Outcome: This data breach is one of the largest data leaks in 2019. It occurred due to inadequate security procedures as the application was using an older version, resulting in a lack of security.
Previous Attempts to solve the Issue
The European Union General Data Protection Regulation (GDPR)
On April 14th 2016, the GDPR was approved by the European Union Parliament; however,
it was enforced on May 25th 2018. After the implementation of this law, organizations that fail to
comply with the GDPR are threatened with the possibility of receiving hefty fines. The policy aims
to synchronize all the data privacy laws concerning Europe, protect and uphold data privacy for all
European Union citizens, and transform the way in which companies handle data privacy and
regulations around the world. Any company conducting business with European Union countries
is required to comply with the GDPR rules. According to the European Commission, GDPR will
save €2.3 billion per year as it will make it easier and cheaper for companies to operate within
Europe. Another benefit of the GDPR is when a data breach occurs, and a user’s data is
compromised, consumers are granted the right to know if their data was exploited, whilst allowing
users to understand how their data is processed. However, with a plethora of benefits, the GDPR
has drawbacks. The cost of GDPR compliance can increase incredibly quickly, depending on the
amount of user data that is processed by the company. Therefore, the cost of GDPR compliance
is exceptionally high and causes an increase in the expenditure of a company, as they aim to hire
Data Protection Officers to avoid cumbersome fines.
One year after the GDPR was implemented by the European Union, it has had desirable
impacts on the landscape of data security. This EU legislation has enhanced worldwide data
protection as countries are taking data protection seriously. This has been depicted with the
California Consumer Privacy Act (CCPA) that was signed into law in 2018 in order to ensure
the safety of personal data. The CCPA will take effect from January 1st 2020. Other nations such
as Sri Lanka and Algeria have made similar strides in order to synchronize data privacy laws
worldwide. Another impact created by the GDPR is increased reliance on data experts as
companies have increased their expenditure on GDPR compliance. Moreover, over 500,000 data
protection officers have been employed by various companies around the world. These figures
highlight the significance of GDPR to global firms.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a federal privacy law governing Canada’s private sector that applies to the
personal data obtained through commercialization. PIPEDA is a law that applies to private sector
organizations, especially those in the technology and telecommunications industry. On the 13th of
April in 2000, PIPEDA’s regulations applied to all private sector firms and companies within
Canada. PIPEDA is beneficial to consumers in Canada, as these individuals have the right to
understand how their data is processed or analyzed for commercial purposes. However, it has
increased the overall costs of running a business in Canada, as it is expensive to comply with the
regulations of PIPEDA without hiring specialist data officers.
After its implementation in 2000, it did not achieve its primary purpose, as the number and
frequency of data breaches continued to increase in Canada. The principal reason for the
increased severity of data breaches is the lack of attention firms give to data security. As a result
of this, the PIPEDA was refined in 2018 due to the increased number of data breaches. PIPEDA
made it necessary for firms to report data breaches to the government and the Canadian citizens.
The Canadian government created this crucial change in order to increase the transparency and
accountability of firms with regards to the personal data of consumers.
Possible Solutions
Improving human practices regarding data security
As noted throughout the research report, a primary cause of data breaches, which expose
personal data, is human error. Companies should provide employees with necessary
training sessions regarding data security in order to enhance the awareness of digital security in
the workplace. The cybersecurity department could offer monthly briefings to the employees
regarding the importance of strong passwords and the significance of carrying out security protocol
for daily tasks in the workplace. Furthermore, firms should establish a data security policy within
the workplace, which is easily accessible, where all employees are aware of the importance of
handling data securely. In addition to this, companies should incorporate employee monitoring
software that oversees an employee’s progress in terms of data security. If a situation arises where
an employee makes an error, the system should explain the cause of the mistake and the steps
required to rectify the issue. Moreover, it is essential that the cybersecurity department does
not give all employees access to all of the data stored in the firm’s servers in order to
prevent simple errors and inside jobs.
Implementing blockchain technology in databases
A blockchain is a structure of data that represents a growing list of financial ledger entries
that are linked using cryptography. Due to its functionality, it is resilient to the alteration of data.
The fundamental issue is the ease of accessing data, as seen in principal databases. Once
a black-hat hacker penetrates a system and gains access to personal data, they are capable of
copying all of the information stored within the database. Therefore, it is common to see data
breaches exploit a large number of people; for instance, the Yahoo data breach compromised the
personal data of over 3 billion users. Universally, individuals have access to the distributed ledger.
However, the contents in the ledger are encrypted, thus making it intricate for hackers to access
sensitive data. This technology will allow individuals to protect their personal data against
government officials or black-hat hackers who require access to such information. In order for
hackers to penetrate a network system with blockchain technology, they would have to individually
hijack each financial ledger entry, which would take an extended period of time.
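An added example (not part of the original report) of the hash-linking that makes a ledger resistant to alteration: each entry's hash commits to the one before it, so an edit breaks every later link. The function names and sample payments are constructed for illustration, and plain SHA-256 linking stands in for a full blockchain, with no consensus or encryption.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder: predecessor of the first entry


def entry_hash(index, prev_hash, payload):
    """SHA-256 over a canonical encoding of the entry's contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(chain, payload):
    """Add an entry whose hash commits to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    index = len(chain)
    chain.append({"index": index, "prev": prev, "payload": payload,
                  "hash": entry_hash(index, prev, payload)})


def first_broken_link(chain, trusted_head=None):
    """Index of the first inconsistent entry, or None if the chain is intact.
    trusted_head: latest hash held by another participant (mismatch -> len(chain)).
    """
    prev = GENESIS_PREV
    for i, e in enumerate(chain):
        if e["index"] != i or e["prev"] != prev:
            return i
        if e["hash"] != entry_hash(e["index"], e["prev"], e["payload"]):
            return i
        prev = e["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None


def rehash_from(chain, start):
    """What a tamperer must do to hide an edit: recompute every later entry."""
    prev = chain[start - 1]["hash"] if start else GENESIS_PREV
    for e in chain[start:]:
        e["prev"] = prev
        e["hash"] = entry_hash(e["index"], prev, e["payload"])
        prev = e["hash"]


def demo():
    chain = []
    for p in ["alice pays bob 10", "bob pays carol 4", "carol pays dave 1"]:
        append(chain, p)                      # constructed sample entries
    head = chain[-1]["hash"]                  # copy held by other participants
    results = {"intact": first_broken_link(chain, head)}

    chain[1]["payload"] = "bob pays carol 400"          # silent edit of entry 1
    results["edited"] = first_broken_link(chain, head)

    chain[1]["hash"] = entry_hash(1, chain[1]["prev"], chain[1]["payload"])
    results["edited_and_rehashed"] = first_broken_link(chain, head)

    rehash_from(chain, 1)                     # rewrite everything after the edit
    results["rewritten_locally"] = first_broken_link(chain)
    results["rewritten_vs_trusted_head"] = first_broken_link(chain, head)
    return results
```

Only the comparison against the independently held head exposes a full rewrite, which is why the ledger's resistance to alteration depends on other participants holding copies.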
However, blockchain technology is not feasible for most firms as hiring blockchain
specialists is expensive, with yearly wages of $140,000 to $150,000. Furthermore, according to
Azati software, the cost of a blockchain technology project can rise up to $200,000. Blockchain
has a plethora of complications as the technology relies on founding an agreement between
individuals in a network. To do so, it requires a lot of computing power to perform complex
algorithms to verify individuals that can edit the chain. As it requires large amounts of computing
power, blockchain technology consumes a lot of energy that can be used for other crucial
purposes. Due to blockchain’s complexity and distributed network that utilizes encryption, the
transactions take long periods of time to process. Consequently, firms will find it difficult to
synchronize user data in databases with blockchain technology seamlessly.
Improving data security techniques in order to rebuild consumer confidence
According to IBM, only 20% of consumers in the US trust firms to conceal their data from
black-hat hackers. Businesses are not immune to data breaches, but they can certainly reduce the
number and frequency of data breaches through adopting security measures to ensure data
protection, which will support the rebuilding of consumer confidence after previous data leaks. A
paramount aspect of data security involves the encryption of various types of data, including
messages, user names, email addresses, passwords, and personal data of consumers. However,
when firms encrypt data, it is pivotal that the encryption key is provided only to trusted individuals,
as there has been an increase in ‘inside jobs’ that cause data breaches. After consumers notice
that a specific firm has ameliorated its security measures and has not experienced a data breach
for a prolonged period of time, consumers will begin to trust the firm to keep their personal data
private. Firms should promote GDPR compliance and transparency by clearly showcasing how
they comply with GDPR and how an individual’s data is processed and protected. As firms
showcase their determination to ensure the encryption and safety of personal data, consumers will
perceive the degree of importance firms provide to data security, which strengthens the
relationships between firms and customers.
In addition to this, the U.S. government could continue its effective regulation on technology
firms and their use of private consumer data. As stated by Alan McQuinn, a policy analyst working
at a Washington think tank known as the ‘Information Technology and Innovation Foundation’, the
California Consumer Privacy Act could have disadvantageous effects similar to the GDPR due to
its complex nature that imposes a burden on small and medium-sized enterprises. Alan McQuinn
also stated, “Requiring opt-in consent could create unintended consequences – hurting innovation
and strengthening the biggest firms that have the resources to comply” (Lever). In order to avoid
these instances, tiers of various data categories could be established in order to reduce the
situations requiring opt-in consent, where opt-in consent is only compulsory for the most necessary
and sensitive types of data. Opt-in consent is a requirement established within the GDPR under which firms are
not allowed to establish consent through the subject’s silence or through the provision of pre-ticked
boxes. Therefore, consumers have to clearly provide consent to firms in order for these firms to
process private data for market research and innovative business ideas.
Bibliography
"81% Of Company Data Breaches Due To Poor Passwords | Tracesecurity". Tracesecurity, 2019, https://www.tracesecurity.com/blog/articles/81-of-company-data-breaches-due-to-poor-passwords. Accessed 10 Aug 2019.
"A Quote By Mitchell Kapor". Goodreads, 2019, https://www.goodreads.com/quotes/1432753-getting-information-off-the-internet-is-like-taking-a-drink. Accessed 21 July 2019.
"Council Of Europe Data Protection". Council Of Europe, 2019, https://www.coe.int/en/web/data-protection/legal-instruments. Accessed 26 July 2019.
Eckert, Nick. "Human Error As The First Cause Of Data Breaches And How To Solve The Problem - GDPR365". GDPR365, 2019, https://www.gdpr365.com/human-error-cause-data-breaches-solve-problem/. Accessed 23 July 2019.
"EPIC - Electronic Privacy Information Center". Epic.Org, 2019, https://epic.org/. Accessed 26 July 2019.
Grothaus, Michael. "How Our Data Got Hacked, Scandalized, And Abused In 2018". Fast Company, 2018, https://www.fastcompany.com/90272858/how-our-data-got-hacked-scandalized-and-abused-in-2018. Accessed 21 July 2019.
Hospelhorn, Sarah. "Major Events That Changed Cybersecurity Forever". Varonis, 2019, https://www.varonis.com/blog/events-that-changed-cybersecurity/. Accessed 26 July 2019.
"ICT Statistics". Itu.Int, 2018, https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx. Accessed 15 July 2019.
"ITU". Itu.Int, 2019, https://www.itu.int/en/about/Pages/default.aspx. Accessed 21 July 2019.
"ITU Releases 2018 Global And Regional ICT Estimates". Itu.Int, 2018, https://www.itu.int/en/mediacentre/Pages/2018-PR40.aspx. Accessed 15 July 2019.
"Key Changes With The General Data Protection Regulation – EUGDPR". Eugdpr.Org, 2019, https://eugdpr.org/the-regulation/. Accessed 27 July 2019.
Lever, Rob. "US Congress To See Push To Regulate Big Tech In 2019". Phys.Org, 2019, https://phys.org/news/2019-01-congress-big-tech.html. Accessed 25 Aug 2019.
Maney, Kevin. "Hacking Is Growing More Profitable And Destructive. Yet No One Knows How To Stop It.". Newsweek, 2019, https://www.newsweek.com/2016/11/11/war-against-hacking-cyber-crime-515935.html. Accessed 24 July 2019.
"Privacy International". Privacyinternational.Org, 2019, https://privacyinternational.org/. Accessed 26 July 2019.
"State Of The Iot 2018: Number Of Iot Devices Now At 7B – Market Accelerating". Iot-Analytics, 2018, https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/. Accessed 21 July 2019.
Statt, Nick. "Maker Of Popular Quiz Apps On Facebook Exposed Personal Data Of 120 Million Users". The Verge, 2019, https://www.theverge.com/2018/6/28/17514822/facebook-data-leak-quiz-app-nametests-social-sweetheart-exposed-user-info. Accessed 23 July 2019.
"UNCTAD | United Nations Commission On Science And Technology For Development (CSTD)". UNCTAD, 2019, https://unctad.org/en/Pages/CSTD.aspx. Accessed 21 July 2019.
"What Is Big Data? | Oracle". Oracle, 2019, https://www.oracle.com/big-data/guide/what-is-big-data.html. Accessed 21 July 2019.
"World's Biggest Data Breaches & Hacks — Information Is Beautiful". Information Is Beautiful, 2019, https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/. Accessed 22 July 2019.
Appendices
i. The world’s biggest data breaches and hacks
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
ii. Building trust in the digital age: rethinking privacy, property and security | Making information systems work initiative | ICAEW
https://www.icaew.com/-/media/corporate/archive/files/technical/information-technology/business-systems-and-software-selection/making-information-systems-work/building-trust-in-the-digital-age-report.ashx?la=en