The Year Ahead in Digital Policy: Cyber Policy Merges with Security

As cyberattacks continue to grow in scale and scope, governments face increasing pressure to protect their citizens and infrastructure and establish a framework for the industry. In 2023, we will likely see a proliferation of cybersecurity laws closely linked to other security concerns, such as critical infrastructure and supply chains. There are many different aspects to cybersecurity and criminals are also becoming increasingly creative in the way they target individuals and employees through social engineering. Consequently, cybersecurity is no longer being regarded in isolation but more holistically as part of broader security and privacy strategies.

What’s at stake?
In all regions of the world, there is an increase in real and perceived threats to national security, public safety and individual privacy. The unprecedented shift to online activity during the Covid-19 pandemic and today’s hybrid work environment make people more susceptible to ransomware and other risks than ever. According to Interpol, ransomware, phishing, online scams, and hacking are the cybercrime trends which member countries most frequently perceive as posing high or very high threats globally. As organisations introduce more robust controls within their networks and IT systems, criminals are resorting to alternative tactics that exploit vulnerabilities by targeting consumers directly.

Recent geopolitical conflicts have involved various attacks and interventions against physical and digital infrastructure as part of a hybrid form of warfare. These attacks are among the more extreme and destructive security threats that exist. This uncertain environment may encourage policymakers to consider stricter policy instruments that address these issues.

What are the policy considerations?
Many countries are developing laws and regulations to ensure businesses and organisations have the tools and mechanisms to identify and report cyberattacks and implement multi-layer safeguards to minimise the risk of security compromises. Governments and regulators expect telecom organisations to securely design, construct and support network equipment that handles sensitive data. This includes reducing supply chain risks, carefully controlling access to sensitive parts of their networks, and ensuring the right processes are in place to understand the risks facing networks and services.

What we expect to see in the year ahead

Cybersecurity is a policy area where there is often international consensus on the need for action. However, amid geopolitical uncertainty, policy solutions are harder to achieve, and the risks of cyber conflict may rise until states find an incentive to cooperate. We expect to see increased international cooperation between allies, such as the Counter-Ransomware Initiative, uniting key international stakeholders across governments on practical solutions to counter ransomware threats.

In APAC, leaders like Australia, Singapore, and Japan are already supporting less-developed countries in the region. With a growing commitment to mutual defence, adoption of cyber norms, and regional-level capacity building, the region is responding to the significant geopolitical risks facing it.

African countries have been moving towards adopting cybersecurity laws, notably South Africa with the Cybercrimes Act of 2020 and Ghana with the Cybersecurity Act of 2020. Most recently, in November 2022, Mozambique published a draft Cybercrime Bill. On a regional level, the African Union Convention on Cyber Security and Data Protection is a framework that addresses personal data protection and electronic transactions, in addition to cyber security and cybercrime. It also makes recommendations on consumer protection, data ethics and open data sharing systems for intra-African cross-border digital trade and e-commerce cross-border transfers.

In Europe, the Network and Information Security Directive 2 (NIS2) and Directive on the resilience of critical entities (CER) go beyond regulating digital infrastructure. Harmonised sanctions will apply across 11 different sectors including energy, transport, healthcare and banking. The Cyber Resilience Act will impose a range of obligations on manufacturers, importers and distributors of connected hardware and software.

In the USA, CISA released its 2023-2025 Strategic Plan, which includes more cooperation and collaboration across the states to share information as it moves to strengthen the resilience of critical infrastructure. Latin America, on the other hand, has long suffered from high levels of fraud and counterfeiting. Digital transformation has created opportunities for increased phishing scams, malware and ransomware, so collaboration and information-sharing between countries will be beneficial.

On a multilateral level, the UN will continue to seek to build consensus for a global legal framework for criminality in cyberspace via the UN Cybercrime Convention. The UN Open-Ended Working Group (OEWG) will study the normative behaviour of states in cyber conflict and develop global norms and best practices to tackle cybersecurity threats.

These global developments reaffirm that all regions in the world are doubling down on cyber policy and are linking it closely with their national security strategies. Cybersecurity is no longer a problem solely for the ICT industry, but for any industry going through digitalisation or handling customer data. Cybersecurity awareness and education are key to helping protect individuals and businesses.

Policy Case Study: Singapore builds for the future with regional cybersecurity effort  

In conjunction with the ASEAN Member States, Singapore developed the ASEAN-Singapore Cybersecurity Centre of Excellence. The Centre’s primary goals are “to conduct research and provide training in areas spanning international law, cyber strategy, legislation, cyber norms and other cybersecurity policy issues; provide CERT-related technical training as well as facilitate the exchange of open-source cyber threat and attack-related information and best practices and conduct virtual cyber defence training and exercises.”

Through its work with ASEAN and on its own, Singapore has made cybersecurity collaboration paramount to its digitalisation, signing MOUs with global partners such as the United States and the United Kingdom. Collaboration with regional and international partners will be essential to future responses as cyber threats continue to evolve.