Global Cyber Security
Global Approaches to Cyber Policy, Legislation and Regulation: A Comparative Overview
Pia Hüsch and James Sullivan | 2023.04.26
This paper aims to serve as a guide to policymakers by examining different approaches to cyber-security policy, regulation and legislation. It provides an overview of the priorities of five countries (the UK, the US, Canada, Japan, and Singapore) and the EU. The focus rests on cyber policy advanced in the period from January 2019 to March 2023.
The research underlying this paper focuses on four key research areas:
- The general context in which cyber policy is made.
- Priorities with regard to the protection of critical national infrastructure (CNI).
- Approaches to the development of cyber skills and the cyber workforce.
- International cooperation on norm development for cyberspace.
The Context
All jurisdictions follow a unique cyber strategy, but common approaches exist:
- Strategies are updated in line with domestic timelines but also adjust to changes in the cyber threat landscape (such as the rise of cybercrime) and respond to geopolitical events and the increased need to secure CNI and supply chains.
- Strategies increasingly focus on harmonising and streamlining each jurisdiction’s cyber policies to avoid fragmentation and duplication of efforts.
- There is an increasing reliance on interventionist policies and regulations to enhance resilience and cyber-security standards.
On Critical National Infrastructure
Ensuring greater protection of critical national infrastructure (CNI) is a priority for all jurisdictions examined. This is often done by updating or increasing existing cyber-security obligations, or expanding them beyond CNI sectors to further support the resilience of supply chains. International businesses and cyber-security professionals must simultaneously comply with changing (and at times varying) obligations among different jurisdictions. Further research comparing the differing scopes of CNI designations and their respective cyber-security obligations is needed.
On the Cyber Workforce
The global cyber-security workforce shortage and the need for further skills development is seen in all jurisdictions examined. A wide range of initiatives, many of which resemble each other, are advanced by the respective jurisdictions to attract talent, diversify the workforce and increasingly harmonise existing efforts. For example, several jurisdictions have adopted skills frameworks, such as the US’s National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework or the European Cybersecurity Skills Framework (ECSF), to harmonise language used to describe cyber-security roles. Little is known about the effectiveness of these initiatives in markedly reducing the cyber-security workforce gap in a quantifiable way. More research is needed to understand which initiatives help reduce the gap in the cyber-security workforce.
On International Cooperation on Cyber-Norm Development
All jurisdictions examined actively cooperate on cyber-norm development and seek to advance a free and secure cyberspace. They do so by supporting UN processes for norm development, by engaging in a range of multilateral, bilateral and multi-stakeholder arrangements, and by seeking greater cooperation on cyber (including on the development of cyber-security skills and closing the gap in the cyber workforce). More cooperation on skills development could further boost understanding of how to develop global solutions to a global problem.
Introduction
Technological innovation and advancement continue to disrupt society at pace. While the economic benefits of breakthrough technologies are fairly clear, there are new cyber risks to infrastructure and data to consider. In light of these dynamics, countries are constantly designing, monitoring and refreshing their cyber-security policies, legislation and regulation to protect national security and the economic security and safety of organisations and their citizens. While some of the trends in cyber security are global, each jurisdiction’s approach to cyber policy and associated legislation and regulation follows its own themes and priorities.
While the content of cyber policies naturally varies, so do the mechanisms to implement them. Jurisdictions may prefer different types of levers to implement their cyber policies. Whereas one country may prefer to legislate heavily, others may advance cyber policies through standard-setting or non-binding policies. The approach a country chooses is shaped by a multitude of complex factors, including its political standpoint, constitutional structures, the cyber-threat landscape, the role of the private sector, and other socio-legal and historical factors.
Understanding national and regional approaches to cyber policy is crucial, as these directly impact individuals and organisations operating within the respective jurisdictions. This paper allows policymakers and businesses to understand regulatory trends in several jurisdictions, providing them with up-to-date insights on how the regulatory landscape in these jurisdictions is evolving – and what that means for businesses and individuals.
This guide sets out to compare the approaches of six different jurisdictions – the UK, the EU, the US, Canada, Japan and Singapore – with regard to their respective cyber-policy agendas. The aim here is to improve understanding of the impact these policy agendas have on businesses and individuals working in these jurisdictions. This paper provides a valuable overview of different approaches to cyber policy by identifying trends in key legislative and regulatory initiatives over the past four years. A comparative section at the end of the paper puts these initial findings into perspective and identifies areas for future research.
Research Questions
This paper aims to provide an overview of different approaches to cyber-security policy. To narrow down the wide research area of cyber-security policy, the research underlying the paper focuses on four key research questions:
- What is the general background that shapes each jurisdiction’s approach to cyber policy?
- What are the national priorities for developing cyber-resilience measures for critical national infrastructure (CNI)?
- How do the jurisdictions advance skills development and/or workforce regulation in the cyber context?
- How do these jurisdictions approach international cooperation on cyber regulation and how do they engage with other countries and entities, for example, in the context of norm-developing frameworks?
Methodology and Scope
The research underlying this publication was primarily based on a review of existing literature. This involved the creation of search strings that were inputted into online repositories to identify sources. Google Scholar was the primary search engine used to find academic articles. Grey literature, including policy papers, was sourced through Bing and Google Search. From these initial sources, the research team identified further literature by examining article bibliographies and other references. Alongside these secondary sources, primary sources such as legislation, regulations and other official documents and government papers were also considered.
The research was conducted from December 2022 to March 2023. Analysis of the gathered source material was based on a thematic approach, assessing sources’ provenance, arguments and conclusions in order to identify different approaches to cyber regulation in the EU and the five countries examined. The six jurisdictions studied – the UK, the EU, the US, Canada, Japan and Singapore – were chosen because they drive policymaking in cyber security and are leaders in the field, either as norm developers or because of their technology sectors. The research focused primarily on policies enacted or proposed between 2019 and 2023.
Throughout this paper, the term ‘policy’ is used in a broad sense and encompasses binding (‘hard law’) as well as non-binding (‘soft law’) instruments or other policies.
Limitations
This paper aims to provide policymakers with a guide on trends in recent cyber-security policy in various jurisdictions. It is therefore limited in scope and depth and serves as a starting point for future research. This means that reference can only be made to a selection of policies, regulations, or legislative activities, rather than listing them all. Nevertheless, the paper informs the reader about key issues and trends in the field, while keeping the level of detail appropriate for an initial overview.
Structure
The paper comprises six chapters, each dedicated to the approach to cyber-security regulation taken by one of the jurisdictions. Each chapter begins by setting out the jurisdiction’s approach to cyber policy, regulation and legislation, structured around the four research questions listed above. After setting out the general context in which the approach to cyber-security policy must be seen, each chapter goes on to identify how the jurisdiction advances cyber-resilience measures for CNI. Then, each chapter examines how the jurisdiction approaches skills development and workforce regulation, before analysing the approach to international cooperation on cyber-norm development. After the individual chapters, the paper offers some general concluding remarks that make initial comparative observations based on the jurisdiction-level analysis, and points out further areas of research.
The UK
Context
The UK is ‘a highly capable cyber state’ that follows an ambitious approach to cyber policy. This is reflected in its 2022 National Cyber Strategy, which advances a ‘whole of society approach’. Although largely in line with its 2016 Strategy, which shifted UK cyber policy toward binding regulation, the UK’s new strategy stresses a greater need for a holistic approach to cyber policy, as cyber issues relate to all areas of modern life. The ‘whole of society’ approach, as advanced in the UK cyber strategy, includes public–private partnerships and civil society, but also aspects such as ‘education strategy, industrial policy, work on regulations and incentives, and foreign policy’.
This new holistic approach also confirms the UK’s commitment to being a ‘cyber power’, a term used throughout the strategy, solidifying the UK’s strategic approach to cyberspace. It refers to the UK’s position advanced in the 2021 Integrated Review, which stresses the importance of responsible and democratic cyber power to achieving the UK’s national goals. On the whole, the UK’s strategy follows a ‘strategic and wide-ranging approach to cyber’. Next to the national cyber strategy, the UK also has a Government Cyber Security Strategy (2022–30) and a cyber-resilience strategy for the UK National Health Service (NHS).
The UK’s strong position in the cyber field is supported by a wide range of public authorities working on cyber matters. The National Cyber Security Centre (NCSC) stands out for conducting central – primarily technical – work on UK cyber security since its establishment in 2016, analysing and researching key cyber threats and risks. In 2020, the UK also confirmed the existence of its National Cyber Force, a unique body dedicated to offensive cyber operations. This agency sits between the intelligence agency GCHQ and the Ministry of Defence and ‘covers the full range of the UK’s national-security priorities’, including serious crime, terrorism and state threats. In 2023, the Department of Science, Innovation and Technology was formed, taking over tasks on cyber policy previously undertaken by the Department for Digital, Culture, Media and Sport (DCMS). Of primary relevance for the UK workforce is the UK Cyber Security Council, a self-regulatory body developing and promoting professional standards for the cyber workforce.
The wide range of threats facing the UK was underlined in the NCSC’s 2022 Annual Review. These include ransomware attacks and other types of cybercrime, threats posed by state actors in cyberspace, and commercially available cyber tools. The UK also faces a significant gap in the cyber-security workforce, which increased further in 2022. The UK cyber strategy recognises this gap and signals an intention to expand the UK’s cyber skills and train, attract and diversify a growing cyber-security workforce.
Priorities for National Cyber-Resilience Measures for CNI
One of the priorities set out in the UK National Cyber Strategy is increasing the UK’s resilience. Confirming its whole-of-society approach, efforts to increase cyber resilience include (but are not limited to) improving the resilience of CNI. The UK government currently identifies 13 sectors as CNI, including civil nuclear, chemicals, food and health – education is not among the sectors listed. Given that a large percentage of UK CNI is owned by the private sector, close cooperation between the public and private sectors is required. The NCSC fosters such cooperation and provides a number of tools for guidance and advice for CNI businesses. It has also set up the ‘Industry 100’ initiative for further cooperation with industry partners. Furthermore, the 2023 Refresh of the UK’s Integrated Review announced a National Protective Security Authority, which ‘will engage with businesses and institutions to protect [the UK’s] security and prosperity at home’.
On the regulatory side, the UK has confirmed it will update its 2018 Security of Network & Information Systems Regulations (NIS Regulations). Results of the consultation process on the proposal for the updated NIS Regulations were published in November 2022, stating that the government aims to update this legislation ‘as soon as parliamentary time allows’. Given the updated EU regulations on NIS, such an update comes as no surprise, but could potentially mark one of the first areas of divergence post-Brexit. Businesses and their cyber-security staff operating in the EU and the UK which fall under the scope of both regulations will have to comply with two changing – but not necessarily identical – sets of requirements.
One of the UK’s priorities for the updated NIS Regulations is to broaden the scope of their application, to include more businesses that will have to comply with the respective binding obligations, technology providers in particular. The regulations’ two-tier system, which imposes stricter requirements on essential service providers than on digital service providers, will remain. However, and arguably ‘long overlooked by the UK’s NIS Regulations’, managed service providers will be added as a new category of digital service providers that must comply with the regulations’ requirements. Although software companies are unlikely to be included, the illustrative list published by DCMS names IT outsourcing services, application management services, managed security operations centres and incident response services as managed IT services that will fall within the new scope of the NIS Regulations. As a result, these entities’ cyber workforces must comply with the new cyber-security obligations in the updated NIS Regulations. Furthermore, the updated regulations aim to improve the reporting of cyber incidents to regulators, likely expanding mandatory reporting to incidents ‘even if they don’t immediately cause disruption’.
Beyond CNI – and mirroring the EU’s proposal for a Cyber Resilience Act – the UK also passed the Product Security and Telecommunications Infrastructure Act in December 2022. This entails obligations for companies that manufacture, import or distribute smart consumer products, further enhancing cyber resilience in the UK; however, these obligations have not yet come into force, as they require additional regulation. Such obligations may build upon the Code of Practice for Consumer IoT Security that the DCMS and NCSC developed in 2018. In addition, the UK government is advancing a Data Protection and Digital Information Bill, seeking to update the data protection laws previously based on the EU’s General Data Protection Regulation, and to reduce paperwork for businesses.
Workforce and Skills Development and Regulation
In order to implement the regulatory updates outlined above and to enhance cyber resilience, the UK’s National Cyber Strategy recognises a need for developing a more ‘diverse and technically skilled workforce’. Improving diversity, in this context, goes beyond targeting the gender imbalance in the field, but also includes the need for greater regional diversity. London and the southeast of England employ nearly half of all UK cyber-security professionals. In response to this imbalance, the UK government has funded 12 ‘cyber clusters’. Located throughout all four home nations, these organisations are tasked with enhancing cooperation with the (local) private sector and civil society, but also with various public stakeholders.
Other government-backed initiatives for skills development include CyBOK (a programme setting up a body for collecting knowledge and making resources to develop cyber skills publicly available). Further initiatives under the NCSC’s CyberFirst programme for students include ‘Cyber Explorers’, a learning platform for young students, and the CyberFirst bursary scheme, offering undergraduate students £4,000 per year in financial assistance and cyber-security training to support their careers in cyber security. The UK Cyber Security Council has further established a cyber career framework, identifying 16 areas of specialism that provide practitioners with guidelines for career planning. In addition, the UK Cyber Security Council has taken over the (formerly NCSC-run) Certified Cyber Professional Scheme. The Council has also launched a pilot professional registration scheme for some of the 16 specialisms in cyber security at three registration titles: Associate; Principal; and Chartered. This pilot scheme will be extended to more specialisms throughout 2023. Such pilot projects can be seen as indicative of future developments in the professionalisation of the UK’s cyber workforce. This is also in line with a DCMS consultation on the professionalisation of the cyber workforce, which envisages professional standard-setting by 2025.
Nevertheless, the UK arguably still faces a significant shortage in the cyber-security workforce, and a cyber-security skills gap, despite the fact that the government has launched a wide variety of initiatives. A similar assessment is made in a DCMS study, ‘Cybersecurity Skills in the UK Labour Market 2022’, which found that many organisations lack skills in areas such as setting up configured firewalls or detecting and removing malware. Other skills-development paths, such as apprenticeships or skills transfers in later career stages, could be better utilised to narrow the gap further. Further research is thus necessary to better understand the effectiveness of existing initiatives for skills development.
International Interaction on Cyber-Norm Development
As well as advancing cyber policy on a domestic level, the UK also shapes international norm development in cyberspace. A 2022 ministerial document describes the UK as a ‘leading responsible and democratic cyber power’. The UK delivers on such ambitions by being actively involved in the UN norm-development processes, arguing in favour of norms of responsible cyber behaviour and the applicability of international law in cyberspace. The UK has also repeatedly argued in favour of a multi-stakeholder approach to cyberspace governance. Furthermore, the UK government emphasises the need for a stable, peaceful and secure cyberspace that maintains human-rights standards.
The UK’s international cooperation on cyber-norm development is primarily advanced through the Foreign, Commonwealth and Development Office (FCDO), which funds a number of initiatives for greater norm cooperation in cyberspace; this includes, for example, funding projects identifying responsible cyber behaviour. In addition, the UK actively supports and funds cyber capacity-building in cooperation with a range of jurisdictions, particularly Commonwealth countries. In 2021, an additional £22 million for cyber capacity-building in Africa and the Indo-Pacific was announced.
More recently, the UK has cooperated with its allies with respect to sanctioning cyber-criminals, as well as with attributing malicious cyber operations to state actors. Finally, the UK has concluded a large number of bilateral agreements with other jurisdictions, setting out areas of cooperation in the cyber domain, including the US, the Netherlands, Australia and Italy.
The EU
Context
The EU is a well-established player in the field of cyber policy and actively shapes Europe’s approach to the regulation of cyber security. Economically powerful, the EU has also proven to be highly influential on cyber-security matters, and not just when it comes to data protection. The EU implements its vision for a free and secure cyberspace through a combination of different instruments, binding regulations, standard-setting directives and influential policies (including cyber diplomacy). Whereas the EU cyber-security policy in the 2010s was still largely seen as fragmented or ‘unsystematic’, many of the more recent efforts are working towards greater horizontal integration and harmonisation among EU member states. Four key activities have stood out in the past few years.
Firstly, the EU updated its cyber-security strategy in 2020 to mark the new digital decade. The updated strategy prioritises greater cyber resilience, especially for critical infrastructure, as well as increased cooperation and EU leadership on international norms and standards development. Activities in both areas are addressed in greater detail below.
Secondly, the role of the European Union Agency for Cybersecurity, ENISA, has been strengthened by the 2019 Cybersecurity Act, giving the body a permanent mandate, as well as more tasks and resources. The EU Cybersecurity Act introduces an EU-wide cyber-security certification framework for ICT products, services and processes.
Thirdly, the European Commission and the European External Action Service set out the EU’s new cyber defence policy in November 2022, which is ‘intended to strengthen European Cybersecurity capacity, boost military and civilian cooperation, close potential loopholes, reduce strategic dependencies and develop cyber skills’. This policy is primarily a response to deteriorating relations with Russia, and includes setting up an EU Cyber Defence Coordination Centre, as well as a network of military Computer Emergency Response Teams, an EU Cyber Commanders Conference and joint exercises. Similarly, the newly proposed Cyber Solidarity Act envisages the creation of a cyber emergency fund for incident response in the event of a large-scale cyber attack.
A final noteworthy development is the proposal of the EU Cyber Resilience Act. The Commission’s proposal from September 2022 ‘aims to impose cybersecurity obligations on all products with digital elements whose intended and foreseeable use includes direct or indirect data connection to a device or network’. This includes cyber security by design as well as by default principles. The proposal is not yet in its final form, but is said to require businesses such as hardware manufacturers or software developers (as well as distributors and importers) to comply with ‘an “appropriate” level of cyber security, the prohibition [on selling] products with any known vulnerability, security by default configuration, protection from unauthorised access, limitation of attack surfaces, and minimisation of incident impact’. The Cyber Resilience Act is widely seen as a shift away from the EU’s sectoral approach to regulation, which imposes cyber-security regulations on specific products such as medical devices. Instead, the Cyber Resilience Act is intended to avoid both the fragmentation of market standards and duplication of obligations.
Priorities for National Cyber-Resilience Measures for CNI
The protection and resilience of CNI are also a growing priority for EU policymakers. In order to be prepared to respond to the landscape of heightened threats in the contemporary geopolitical context, the EU is currently seeking to update its directive on critical infrastructure (from 2008) and intends new legislation to be in force in 2024.
This new legislation will be complemented by existing directives, primarily the Directive on Resilience of Critical Infrastructure and the Revised Directive on Security of Network and Information Systems (NIS 2 Directive). The former was proposed by the Commission in 2020 to strengthen the resilience of critical entities that provide essential services in case of disruption, e.g., terrorist or other attacks. Member states are required to have a strategy for such events and to ‘carry out risk assessments’.
Updated in 2022, the NIS 2 Directive complements the Directive on Resilience of Critical Infrastructure by obliging the same CNI entities to follow cyber-resilience obligations. It has further expanded in scope and ‘now covers medium and large entities from more sectors that are critical for the economy and society’. The updated NIS 2 Directive imposes strengthened cyber-security requirements on companies, covers the security of supply chains and further ‘introduces accountability of top management for non-compliance with the cybersecurity obligations’ alongside stricter enforcement requirements, alignment of reporting obligations and supervisory measures for national authorities. The NIS 2 Directive came into force in January 2023, giving member states until October 2024 to incorporate the measures into national law. However, there can still be national differences in implementation, and businesses and cyber-security professionals may have to comply with varying obligations, depending on the country in which they operate.
The obligations set out under the NIS 2 Directive, the Cyber Resilience Act and the Cybersecurity Act increase cyber-security obligations and expand their application to a growing number of sectors and organisations. These obligations underline the need for cyber-security expertise and further require that businesses comply with new policies; this is likely to increase demand for more cyber professionals and more cyber expertise in related fields, e.g., in procurement or project management.
Workforce and Skills Development and Regulation
To implement the increased obligations for cyber resilience set out in new and updated regulations, cyber-skills development is necessary, and the cyber workforce needs to be able to comply with these new measures. The lack of cyber-security skills in the European workforce has frequently been addressed in the literature. Not only is there a significant skills gap, which some studies find to be growing, but it is also increasingly difficult for companies to find and hire skilled cyber-security staff. Studies imply that the cyber-security labour market has been unable to match the steep rise in cybercrime and the high demand for cyber-security professionals in light of increasing digitalisation. Although skills and workforce development are dealt with by each individual member state, the EU is also responding to these issues, and has funded a wide range of initiatives in this sphere, particularly in terms of harmonising existing approaches.
In 2019, the European Commission launched four projects for cyber-security research, alongside training and education programmes, but their funding is now coming to an end. They were launched in preparation for the European Cybersecurity Competence Centre (ECCC), which is currently being developed. The ECCC will be located in Bucharest and will, together with national competence centres, develop ‘a common agenda for technology development’, including in businesses, especially SMEs. Furthermore, the European Commission has plans to set up a Cybersecurity Skills Academy with a potential launch date in the third quarter of 2023. This year, 2023, is also the European Year of Skills, prompting further initiatives to address the skills shortages among the EU workforce, including in cyber security.
In line with the EU’s other efforts to streamline its cyber-security policy, ENISA introduced the European Cybersecurity Skills Framework (ECSF) in September 2022. As a ‘tool to build a common understanding of the cybersecurity professional role profiles’, the ECSF sets out 12 roles and their respective skills and responsibilities, for example, those of ‘cyber incident responder’, or ‘cybersecurity educator’. However, previous studies have indicated the need for further research on what policies are most effective in supporting a robust talent pipeline for cyber-security professionals. Alongside this Framework, ENISA has also created a Cybersecurity Higher Education Database, which lists cyber-security degrees from EEA countries and Switzerland. The database is intended as a point of reference for citizens wanting to upgrade their skills through further education and training.
International Interaction on Cyber-Norm Development
In addition to its work on the close coordination of cyber policy within the EU, the EU is also active beyond the territory of its member states. The EU’s 2020 Cyber Strategy sets out to ensure an open and safe internet and for the EU to ‘step up its cooperation with partners around the world who share [its] values of democracy, rule of law and human rights’. The EU has done much to act upon these aims, with some even referring to it as a ‘norm superpower’. Indeed, the EU’s track record points towards the active role it has played in shaping the cyber-norm debate. On an international level, the EU has supported the UN processes on norm development, and also supports the proposal for a Programme of Action to Advance Responsible State Behaviour in Cyberspace as a permanent mechanism within the UN.
Furthermore, the EU actively cooperates with other countries to strengthen their cyber security. This includes funding cyber-security measures in Eastern European countries such as Ukraine (e.g., to secure data exchanges or to protect critical infrastructure), as well as in Georgia. Together with the US, the EU plans to provide further cyber-capacity-building in Africa and the Indo-Pacific region. The EU has also funded EU CyberNet, a network of cyber-security experts and academics, to coordinate the EU’s external cyber-capacity-building projects (although this is coming to an end in 2023), as well as EU Cyber Direct, a think tank- and academia-led initiative in support of the EU’s cyber diplomacy, focusing on norm development and capacity-building programmes.
In May 2019, the European Council launched a sanctions regime which enables the EU to respond to (and deter) cyber attacks. This sanctions regime, which enables collective action by the EU and its member states, is part of the ‘EU Cyber Diplomacy Toolbox’, and it has since been extended until 2025. Potential measures include asset freezing and travel restrictions. Since its first use in 2020, the sanctions regime has been used on several subsequent occasions, for example, against the hackers who targeted the German Bundestag and those behind (inter alia) WannaCry and NotPetya. However, the attribution of cyber operations remains ‘a major challenge for EU cyber sanctions’.
The US
Context
The US has a strong record of advancing cyber-security policies that support an open, stable and secure cyberspace, and the country’s large private sector makes it a particularly powerful actor in the field. In March 2023, the Biden administration published a new National Cybersecurity Strategy, which is based on five key pillars:
- The defence of critical infrastructure.
- Disruption and dismantling of threat actors.
- Shaping market forces to drive security and resilience.
- Investing in a resilient future (including through workforce development).
- Forging international partnerships to pursue shared goals.
These key pillars will be referenced throughout this section.
The new cyber-security strategy marks a change in the US approach to cyber policy, in so far as it aims to increase regulatory oversight and paves the way for further federal cyber-security regulation. By advancing an increasingly coordinated approach to cyber-security regulation, the strategy seeks to impose further binding obligations on the private sector, meaning that hardware and software vendors will be increasingly responsible for implementing cyber-security standards. If implemented into law, the new strategy proposes that technology companies may be liable for failing to implement these standards. This new cyber-security strategy is, however, in line with a number of recent US cyber policies, for example, the regulations on cyber security for oil and gas pipelines that were introduced after the 2021 Colonial Pipeline hack. Similarly, President Biden has increased binding obligations on businesses when introducing mandatory reporting for CNI operators experiencing a significant cyber attack (such as a ransomware attack). The new cyber-security strategy is the result of increased cooperation with the private sector, and this cooperation will remain a key component going forward.
The new cyber-security strategy also intends to streamline US policy and to coordinate regulatory efforts. Previously, the Biden administration has often relied upon presidential interventions (for example, Executive Order 14028), but Congress has also advanced additional legislation on cyber-security issues. However, Congress can challenge or subsequently legislate contrary to an Executive Order. Similarly, in terms of the new cyber strategy, one risk is that party division in Congress could limit progress on implementing the strategy’s objectives. As a result, some think that the ‘strategy won’t have any regulatory teeth itself’. The following sections take a closer look at specific aspects of US cyber-security strategy.
Priorities for National Cyber-Resilience Measures for CNI
One of the main pillars of the new US cyber-security strategy relates to defending CNI. In line with the broader shift towards top-down regulatory measures set out in the cyber-security strategy, a similar shift is proposed for measures protecting CNI. In light of significant threats facing the US, Anne Neuberger, deputy national security adviser for cyber and emerging technology, considers that previous ‘voluntary efforts have been insufficient’. The new strategy thus intends to enhance regulation by establishing new cyber-security requirements in ‘certain critical sectors’ and by requiring new authorities to set regulations in other sectors. Currently, only some of the 16 critical infrastructure sectors are subject to regulation. While five sectors (nuclear power, large energy generation, chemicals, financial services and major defence contractors) were subject to regulation prior to the Biden administration taking office, the Colonial Pipeline attack led to the regulation of further sectors, i.e., oil and gas pipelines, and aviation and railways. It is expected that the Environmental Protection Agency will also issue similar regulations for the water sector, leaving five sectors which are not subject to the oversight of an authority that has the competence to launch federal cyber regulation. Here, Congress could legislate to enhance further binding cyber-security standards for these sectors.
The protection of CNI is further advanced by the Cybersecurity & Infrastructure Security Agency (CISA), founded in 2018, which has recently published its first Strategic Plan (for 2023–25). It identifies four key priorities:
- Leading ‘the national effort to ensure the defense and resilience of cyberspace’.
- Reducing risk to CNI, but also increasing its resilience.
- Fostering whole-of-nation operational collaboration and information-sharing.
- Taking a unified approach as ‘[one] CISA through integrated functions, capabilities, and workforce’.
As much of the US’s CNI is owned by the private sector, government cooperation with industry is particularly important. Relevant initiatives include CISA’s Automated Indicator Sharing Program, an early warning system enabling information-sharing between companies and public agencies.
Further cyber-security standards and best practices are also developed and shared by the National Institute for Standards and Technology (NIST), which works closely with industry stakeholders and public agencies: for example, all federal agencies must implement its cyber-security standards. Although guidelines such as those developed under Executive Order 14028 on Improving the Nation’s Cybersecurity (May 2021) are primarily aimed at federal agencies, they can also be implemented by the private sector. One priority featured in the recent work of NIST is the protection of supply chains. NIST is currently working on updating its Cybersecurity Framework (CSF 2.0). Initially aimed at CNI only, this framework is now used more widely, and has been updated using private and civil sector input. A draft of the new framework is expected by summer 2023.
Updated regulations and an increase in binding cyber-security obligations across an expanding number of sectors also means that companies are reliant on cyber-security professionals to implement such obligations. The cyber workforce in these areas must have the relevant skills to fulfil such tasks, both to comply with regulations and to uphold cyber security more generally.
Workforce and Skills Development and Regulation
The obligation to comply with new cyber-security standards is linked to another key pillar of the new US cyber-security strategy – the investment in greater resilience. This pillar includes the aim of strengthening the cyber workforce and envisages the development of a National Cyber Workforce and Education Strategy. Currently, the gap in the US cyber-security workforce is more than 410,000. A number of initiatives support efforts to fill this gap and improve skills development throughout the US; one noteworthy example of such efforts is the National Cyber Workforce and Education Summit that took place in July 2022, bringing together relevant stakeholders from the public and private sectors and from civil society. In this context, several further efforts were announced by multiple stakeholders, including a Cybersecurity Apprenticeship Sprint, which concluded in November 2022. The ‘sprint’ underlined a commitment to grow the adoption of apprenticeships as a pathway to employment in the US cyber-security workforce. The new cyber-security strategy also stresses the need for greater diversity, equity and inclusion in the cyber workforce. It thereby echoes previous efforts, such as a June 2021 Executive Order on Diversity, Equity, Inclusion, and Accessibility in the Federal Workforce. Several initiatives aim to increase such diversity, for example an internship programme seeking increased diversity in the New York City cyber workforce.
Further examples of initiatives supporting cyber-security awareness and skills development in the US are manifold. For example, the US Securities and Exchange Commission has proposed new rules that require board members of publicly traded companies to disclose their cyber expertise. CISA has also set up awareness campaigns to increase national public awareness and enhance levels of cyber-security understanding. CISA also supports a range of online training courses and has a dedicated National Initiative for Cybersecurity Careers and Studies (NICCS). The CyberSkills2Work initiative (2020) enables military veterans to transition into a career in cyber security. Other initiatives – primarily aimed at the younger generations – involve a range of cyber-security games and competitions. Meanwhile, individuals keen on advancing their cyber-security skills can consult the Cybersecurity Workforce Training Guide, which, together with the Cyber Career Pathways Tool, allows individuals to set out a training plan in line with their skill level. Businesses that want to identify the extent of the cyber-security workforce within a specific area, or the costs associated with hiring additional cyber-security staff, can also consult the CyberSeek initiative, which provides information and an interactive map on job postings.
But the gap in the cyber-security workforce persists, despite this wide range of initiatives on skills development, meaning that further research is required to better understand the effectiveness of these initiatives. Here, the newly proposed National Cyber Workforce and Education Strategy is intended to coordinate the US approach to developing a stronger and more diverse cyber workforce.
To harmonise the terminology used to describe the tasks and skills of cyber-security professionals, the US has adopted the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. This sets out categories of common cyber-security functions, specialist areas of cyber-security work, and work roles, providing detailed descriptions of the required knowledge, skills and abilities for each role. Although initially launched in 2012, the current (fourth) version includes several updates made in 2020. The NICE Framework was initially advanced as a national initiative but has since been influential in many other jurisdictions, including Canada and Japan, underlining that workforce development is a global issue. Despite the widespread influence of the Framework, recent research indicates that US employers still find that graduates of US higher education institutions lack the NICE foundation. The NICE Framework continues to be updated, including through public consultation on updated Framework data such as knowledge and skills statements.
International Interaction on Cyber-Norm Development
Beyond its national policies, the US is a leader in international norm development on cyber security and the regulation of cyberspace. It strongly lobbies for a free, secure and open internet, and envisages a multi-stakeholder approach to the governance of cyberspace. This is reflected in a wide range of activities and initiatives, including the US-led (but now finished) UN Governmental Group of Experts, for which it sponsored a resolution for renewal for 2019–21, as well as multiple initiatives and exercises conducted with NATO Allies. Together with a range of like-minded countries, in 2019, the US advanced a statement on responsible state behaviour in cyberspace, supporting the efforts of UN working groups. The US also became part of the Paris Call, a multi-stakeholder initiative led by France and Microsoft, in 2021, after initially being absent from the initiative.
Additional partnerships also allow the US to engage in ‘strategically-minded capacity building’, for example in cooperation with the African Union. Further partnerships such as the trilateral agreement AUKUS (with the UK and Australia) aim to strengthen cyber defence and resilience in the Indo-Pacific. Cyber security in the Indo-Pacific is further supported through the Quad, particularly in light of increased threats in this area stemming from China and North Korea.
The US also indirectly advances norms through cooperation with other countries, for example when attributing cyber operations to states together with Five Eyes partners and others, or when imposing sanctions on cyber criminals (as was done more recently with the UK). In addition, a wide range of bilateral agreements further ensure US cooperation on cyber-security issues with like-minded jurisdictions such as Canada (on the protection of the shared energy infrastructure) and the UK (for a joint cyber academy). US cooperation with the EU is particularly noteworthy: after years of negotiations, the EU and the US recently agreed on a draft update for the EU–US data privacy framework, and in 2021 they set up the EU–US Trade and Technology Council for closer cooperation on digital transformation and technologies, based on shared values.
With respect to workforce development, the new US cyber-security strategy acknowledges that workforce development is a global issue. The strategy therefore seeks to enhance cooperation with other countries and to learn from their experience to further develop a skilled and diverse cyber workforce.
Canada
Context
Canada centres its cyber policy around its National Cyber Security Strategy, which was published in 2018. The core goals of this strategy were secure and resilient Canadian systems; an innovative and adaptive cyber ecosystem; and effective leadership, governance and collaboration. These goals remain valid, and an action plan guides their implementation. The 2021 mid-review of the strategy found that its targets were being met, including the establishment of the Canadian Centre for Cyber Security, but that challenges persist ‘in meeting the growing demands for cyber talent’.
The cyber-threat landscape has expanded since the publication of Canada’s National Cyber Security Strategy. While Canada has highly developed cyber-security systems, it is also one of the most targeted countries, especially when it comes to cybercrime. The head of the Canadian Centre for Cyber Security wrote in 2022 that ‘Cybercrime is still the number one cyber threat activity affecting Canadians [and the] state-sponsored cyber programs of China, Russia, Iran and North Korea continue to pose the greatest strategic cyber threat to Canada’. Canada’s internet usage has increased since the Covid-19 pandemic in 2020, thereby also expanding the threat surface, both for individuals and for organisations.
Although they were not caused by cyber attacks, Canada experienced internet outages in 2021 and 2022 that demonstrated the vital importance of stable connectivity and the highly connected nature of critical infrastructure sectors. The increased risk to critical infrastructure was confirmed by the Canadian Centre for Cyber Security’s cyber-threat assessment for 2023–24. Threats include that posed by state-sponsored cyber operations; influence-seeking by cyber-threat actors that are ‘degrading trust in online spaces’; and ransomware attacks and other forms of cybercrime targeting Canadians and Canadian organisations. Canadian cyber policy focuses on adapting to this changing threat landscape and on tackling continuing issues, such as shortages of the cyber-security professionals necessary for ensuring resilience in the context of the morphing threat landscape.
Priorities for National Cyber-Resilience Measures for CNI
Like other jurisdictions discussed in this paper, Canada stresses the importance of increasing the resilience of its critical infrastructure. Canada defines its critical infrastructure as comprising 10 sectors. Canadian CNI has been subject to several significant cyber incidents, in particular the healthcare sector and local government. The National Cyber Threat Assessment 2023–2024 points out that critical infrastructure depends on its supply chains, making CNI especially vulnerable as attackers might first target a supplier to infiltrate or disrupt CNI. Despite deteriorating relations with Russia and China, however, Canada’s 2023–24 Cyber Threat Assessment concludes that ‘state-sponsored cyber threat actors will very likely refrain from intentionally disrupting or destroying Canadian critical infrastructure in the absence of direct hostilities’.
To further secure its CNI, Canada has ‘increased bilateral collaboration with the United States on critical energy infrastructure protection’. In June 2022, Canada introduced Bill C-26, which requires designated operators (i.e., those providing vital services, including in the energy, finance, transport and telecommunications sectors) to increase their cyber-security measures and to report attacks. If the bill becomes law, such measures will be enforceable by the authorities with the help of audit powers, fines and even criminal penalties. This legislation, if passed, would have a direct impact on private companies operating in Canada. If designated as operators under Bill C-26, companies will have to establish, maintain and review a cyber-security programme within 90 days, report incidents, comply with directions and maintain records of incidents and compliance. Implementing such suggested obligations will require a skilled cyber workforce.
The government’s bill has been criticised as ‘potentially impair[ing] the ability of private companies to dispute demands, orders, or regulations that are issued by the government’ and for having ‘overly broad secrecy clauses’, raising concerns over transparency and accountability. Others see the mandatory reporting and information sharing between agencies as necessary steps to combat cybercrime, which in turn benefits both organisations and individuals. The bill recently finished its second reading in the Canadian House of Commons and has yet to go to the Senate, so it could still be amended over the course of the legislative procedure, although it could become law in 2023.
Workforce and Skills Development and Regulation
As with the other jurisdictions examined in this paper, the implementation of cyber-security obligations in Canada and the achievement of good cyber-security standards more generally there – in order to increase the country’s cyber resilience – requires a skilled cyber workforce. The shortage in Canada’s cyber-security workforce remains stable but considerable. Canada actively competes for the skilled workers it needs, particularly with the US. As US entities pay relatively higher salaries, the US is an attractive place of work for Canadians. While this leads to the risk of a ‘brain drain’ in the Canadian cyber-security sector, some commentators see lower Canadian wages as an opportunity for investors in the cyber-security sector. Within Canada itself the number of job postings among the different provinces varies considerably, with Ontario serving as the main hub of cyber-security-related jobs.
With respect to cyber workforce qualifications, Canada provides both formal cyber-security education (through universities) and a range of complementary options via online courses, coding bootcamps and certification schemes. Furthermore, the Future Skills Centre supports a number of initiatives aimed at diversifying Canada’s cyber-security workforce, for example the Canadian Cybersecurity Skills and Talent Transformation scheme, a joint project with Rogers Cybersecure Catalyst. Canada has also adopted a Cybersecurity Skills Framework, which largely overlaps with the established US Cyber Security Workforce Framework (NICE), but which focuses on the needs of the Canadian labour market and SMEs.
Nevertheless, in 2022 the Canadian Chamber of Commerce – in cooperation with tech companies and civil society – demanded publicly that the government further prioritise the cyber-security sector, including bolstering the cyber-security workforce ‘by investing in cybersecurity education, talent development, retention and programs that diversify and expand the cyber workforce’. TECHNATION, a not-for-profit initiative representing Canadian technology companies, lists four main challenges for workforce development in Canada, including: the need to generate and retain cyber security talent; the need for technical and non-technical roles to gain sufficient knowledge, skills and abilities; and the need to normalise cyber security within the workplace. In addition, the Canadian workforce must be ‘responsive to the changing technology landscape’. In February 2023, the Canadian government announced additional support in the form of 250 million CAD for upskilling its workforce, including in the cyber-security profession, with the help of short-cycle upskilling programmes run in partnership with Palette Skills.
International Interaction on Cyber-Norm Development
Canada has been an active partner for international cyber-norm development, for example when advocating for an open, secure and multi-stakeholder-led internet, and supporting the application of existing international law and norms of responsible behaviour in cyberspace. Canada is not in favour of the conclusion of a new international law treaty on the regulation of cyberspace. Instead, in 2022, Canada published its interpretation of existing international law applicable to cyberspace, and has promoted the applicability of norms of responsible state behaviour in various forums, such as the G7, the G20 and NATO.
In its international cooperation on cyber policy, Canada is focused in particular on ‘help[ing] other countries expand their capacity building activities’, which has been ‘a key aspect of Canada’s cyber engagement strategy’. This commitment is demonstrated in a number of initiatives, focusing largely on Latin America, the Caribbean and Southeast Asia. For example, Canada has contributed significantly to cyber capacity-building, especially in Latin America, by allocating funds to the Anti-Crime Capacity Building Program. Similarly, Canada works with the Inter-American Committee against Terrorism to improve participation in UN processes on cybercrime and cyber-security negotiations. Within the Organisation of American States, Canada also funded a project (as of 2022) to support other member states in targeting and understanding the implications of the gender gap in the cyber-security workforce.
In cooperation with other allies, especially the Five Eyes community, Canada has repeatedly attributed malicious cyber activities to other states. It has also funded projects related to how attribution can be made. Attribution is critical, as it helps to hold malicious actors accountable, and is in line with Canada’s increasingly active role in this and other related areas.
Japan
Context
In Japan, the award of the 2020 Olympic Games prompted a significant increase in cyber-security awareness. Aiming to protect the 2020 Olympic Summer Games from cyber attacks, the Japanese government launched widespread campaigns to build up cyber resilience (including in the private sector) and to educate the workforce. The Olympics thus arguably served as a springboard for further raising cyber-security standards in the Japanese private sector. This aim was also reflected in the country’s 2018 Cyber Security Strategy (for 2018–21), which focused primarily on the Olympic and Paralympic Games, recognising ‘the potential cyber threat from hostile states’, and referring on its first page to the growing danger of ‘organised, sophisticated, and possibly state-sponsored’ cyber attacks. Japan’s cyber-security strategy thus focuses on protecting critical infrastructure, on stakeholder cooperation, and on the improvement of cyber security in the private sector.
While these approaches were widely considered to have been successful in protecting the (Covid-19-delayed) Olympic Games, the priorities outlined above remain highly relevant in 2023. However, Japan’s approach to cyber security changed significantly in 2022, in light of an increasing number of cyber attacks against the country, and in particular given the deteriorating relationships with China and Russia. While still in the process of determining a cyber-security budget for 2024, Japan announced a significant change in its cyber strategy, including the adoption of an active cyber defence. Japan had previously alluded to deterrence capabilities in its 2018 strategy, but the recent shift is significant. Some even consider it to be a ‘turning point’ for Japan’s defence policy, which is traditionally limited by Japan’s pacifist constitution (as well as by privacy considerations). This recent shift constitutes an atypical, proactive approach, which is considered necessary to ‘actively pre-empt and stop attacks before they reach Japan’s systems’.
Overall, Japan primarily pursues a top-down approach when advancing cyber-security measures domestically, relying predominantly on ‘government regulators to establish cyber-security requirements’. Japanese cyber-security policy includes key areas such as the protection of national infrastructure and the development of the cyber workforce, which will be addressed in more detail in the following sections.
Priorities for National Cyber-Resilience Measures for CNI
Among the key issues in Japanese cyber policy are the protection of critical infrastructure and improving the resilience of supply chains, as well as wider cyber-security awareness, particularly in the private sector. While ‘Japan remains a world leader in cyberspace technologies’, its own cyber-security standards have raised concerns in the past, for example in the US, which has criticised Japan’s weak cyber-security practices and has considered these to be a barrier to deeper cooperation and intelligence sharing. Yet the US and Japan have been working to overcome these differences through bilateral talks, including signing a Memorandum of Cooperation on Cybersecurity in January 2023 to strengthen the collaboration between the two countries in the area of cyber security.
Japan’s CNI is primarily owned by the private sector. The Basic Cyber Security Act entails duties for operators of critical infrastructure businesses, a group that has expanded in recent years, and which now includes 14 sectors. However, these obligations are often vague, for example when requiring that CNI providers ‘deepen [their] interest in and understanding of the importance of cybersecurity’, and information-sharing on cyber incidents remains limited, for cultural and structural reasons.
In an updated action plan from June 2022, the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) offers guidance for safety standards and information-sharing systems to further improve cyber-security standards in Japan. The plan, which is only available in Japanese, further recommends that businesses develop risk-management procedures, and sets out specific requirements to be met by CNI businesses and staff, including Chief Information Security Officers.
Moreover, Japan passed an economic security bill in May 2022 that provides greater protection for supply chains and infrastructure with regard to cyber attacks. More specifically, it imposes obligations on companies in critical infrastructure sectors to inform the government of software updates and to ‘vet some equipment procurement’. The private sector requires a skilled workforce to implement these obligations and to raise cyber-security awareness and resilience.
Beyond these measures, Japan continues to strengthen its strategic partnership with the US on cyber cooperation to ensure greater resilience, particularly if confronted with hostile actions by China.
Workforce and Skills Development and Regulation
Like other jurisdictions dealt with in this paper, Japan is experiencing shortages in the cyber-security workforce, and overall cyber-security awareness is arguably relatively low in Japan. This situation is compounded by the fact that many Japanese companies outsource their IT and cyber-security work, resulting in smaller in-house teams compared with other countries. Furthermore, Japanese work culture traditionally foresees a high rate of job rotation, which comes at the cost of acquiring specialised cyber-security skills.
To respond to these skill shortages, the Japanese government has supported cyber-security skills development, for example by inaugurating the National Cyber Training Center (NICT), which offers training courses, especially for under-25s, and the Industrial Cyber Security Center of Excellence for training for mid-career and senior professionals. The NICT established a training programme, Cyber Colosseo, in advance of the Olympic Games, and also holds CYDER defence exercises, particularly for government officials and CNI businesses. However, information in English remains limited. To establish a common language for cyber-security skills, Japan has previously adopted the US NICE workforce framework, a choice made attractive by the fact that many Japanese companies outsource their IT outside Japan, and require an international understanding of what cyber-security talents are needed.
Individuals qualified in this area are thus in high demand in Japan and have good job opportunities. One IT recruitment agency reports that qualifications such as (ISC)²’s Certified Information Systems Security Professional (CISSP) are considered useful; that there is an increased demand for cloud engineers, such as Amazon Web Services engineers; and that demand is particularly high for personnel related to public cloud services such as SaaS and IaaS. The Japanese Ministry of Defense is also increasing its role as an employer of cyber-security workers, and has plans to increase cyber-defence personnel, aiming to expand today’s 800 staff members to 5,000 by 2027.
An initiative involving academia, government and the private sector founded the Cross-Sector Forum (2015) ‘to build an ecosystem to educate, recruit, retain, and train cybersecurity talent’ in Japan. The Forum has been active in advancing definitions of relevant talents and skills, and has created guidelines and provided funding for universities for cyber-security courses on which staff members of consortium partners can teach.
International Interaction on Cyber-Norm Development
Alongside these domestic policy considerations focused on increasing resilience and workforce development, Japan undertakes cyber-security diplomacy based on three main principles: the promotion of the rule of law; cooperation on capacity building; and the development of confidence-building measures. Japan has also contributed to discussions on norm development in cyberspace, for example by participating in several rounds of UN expert group discussions on cyber norms; and, in 2021, it made a public statement on its interpretation of international law in cyberspace in the UN forum.
With respect to norm development, Japan has stressed a preference for voluntary and non-binding norms on responsible state behaviour in cyberspace (as identified by the UN Group of Governmental Experts (UN GGE) report in 2015), and has voiced caution, both about extending these norms and about what it sees as the risk of prematurely debating a binding new treaty. Japan is a member of the Budapest Convention against Cybercrime and, as of 2022, had joined NATO’s Cooperative Cyber Defence Centre of Excellence. The country is also a regular participant in the ASEAN Regional Forum’s efforts on cyber issues and participates in the G7 Cyber Expert Group.
Japan also supports a number of capacity-building initiatives. These are coordinated by the NISC and focus primarily on ASEAN states. They include the annual ASEAN–Japan Cybersecurity Policy meeting and related working groups and activities. Since 2018, Japan has funded the ASEAN–Japan Cybersecurity Capacity Building Centre, which supports talent development for the region’s cyber-security workforce.
Japan has a range of bilateral agreements to strengthen technology and cyber cooperation with other countries, for example with the US and the UK. With respect to the latter, both nations are currently seeking to ‘make it easier for businesses to operate in both countries by aligning approaches to digital regulation’; to improve cyber resilience; and to ‘promote initiatives to standardise the security of internet-connected products and apps’.
Singapore
Context
Singapore is a highly digitalised city state with advanced cyber-security regulation and policies. But as ‘the cyber ecosystem in Singapore is expanding rapidly’, Singapore has also experienced a high number of cyber attacks in recent years, for example in the form of ‘SMS-phishing scams targeting bank customers’. One study finds that 65% of organisations in Singapore were hit by ransomware attacks in 2021.
To respond to the changing threat landscape and boost cyber resilience, Singapore updated its cyber-security strategy in 2021. This now rests on three strategic pillars: building resilient infrastructure; enabling a safer cyberspace; and enhancing international cyber cooperation. In addition, the strategy identifies two foundational enablers: developing a vibrant cyber-security ecosystem; and growing a robust talent pipeline.
With these priorities in mind, Singapore’s strategy is that of a nation that ‘has long set its sights on becoming a world-class, tech-driven city-state’ and which, as a consequence, considers cyber security to be a matter of national security. As regulation remains critical to supporting cyber resilience, Singapore’s government ‘explore[s] expanding the government’s regulatory remit’ under the updated cyber-security act, for example to extend regulation beyond CNI businesses.
At the same time, Singapore has launched multiple initiatives and projects in coordination with other countries and the private sector that seek to enhance cyber resilience and to educate and cultivate a much-needed IT workforce. One way the government seeks private sector engagement is through the Cybersecurity Industry Call for Innovation 2022, in which the government invites cyber-security businesses to join the effort to identify and develop ‘innovative solutions to address specific cybersecurity challenges’.
Priorities for National Cyber-Resilience Measures for CNI
As outlined in its cyber-security strategy, building a resilient infrastructure is a key pillar of Singapore’s cyber policy. To further enhance cyber-resilience measures for Critical Information Infrastructure (CII), that is, any ‘computer or computer system located wholly or partly in Singapore’ that is ‘necessary for the continuous delivery of an essential service’, Singapore’s Cyber Security Agency (CSA) has launched a supply chain programme. This comes in the context of the increasingly complex threat landscape, but also in response to advanced digitalisation in the post-pandemic environment. The programme sets out five initiatives, including a toolkit, a handbook, a certification scheme and a learning hub, designed to support businesses in the sector, as well as a platform for international cooperation.
A complementary code of practice (CCoP 2.0) sets out measures and standards that businesses in the respective CII sectors must implement. The second edition of these standards of performance came into force in July 2022 and ‘specifies the minimum requirements’ that businesses in these sectors must adhere to. Companies can, however, request waivers of requirements for valid reasons. The CCoP further provides, among other things, incident response plans, and sets out design principles for cyber security.
These increased cyber-security obligations have to be implemented by businesses and the cyber workforce. However, this can prove challenging, for example with respect to the CII supply chain guide, which some have perceived as offering few concrete points for companies to implement, for instance in the event of a supply chain attack or in order to prevent supply chain risks.
Workforce and Skills Development and Regulation
In contrast to other jurisdictions examined in this paper, Singapore’s shortage in the cyber-security workforce lessened significantly in 2022. As it is Singapore’s ambition to be a world leader in all things cyber, the government of Singapore has introduced a broad set of measures to attract highly skilled workers, including those in the IT sector. Alongside five-year visas and visa programmes such as the TechPass, Singapore has an advanced digital infrastructure, ensuring that it is an attractive place to work.
But even where favourable conditions and the right regulations are in place, ‘digital transformation will remain but a vision without the right talent to execute it’, according to Senior Minister of State Tan Kiat How. To secure such talent, further initiatives like the TechSkills Accelerator create links between students from education institutions such as the Singapore Institute of Technology and private sector companies, for example in the form of internship programmes. At the same time, there have been calls for companies to engage in more skills-based assessments, rather than relying on formal academic qualifications during hiring processes.
In line with Singapore’s preference for regulation of the cyber-security sector, businesses providing cyber-security services and operating in Singapore are also subject to several regulatory frameworks. For example, where businesses offer penetration testing or managed security operations centre monitoring services, as of 2022, they are required to obtain a licence. Such measures, which could still be extended to other cyber-security services, are intended to protect consumer interests as well as to ‘improve service providers’ standards and standing over time’.
Singapore’s CSA has also initiated a certification scheme that recognises businesses that have ‘adopted and implemented good cybersecurity practices’. More concretely, SMEs can achieve the CSA’s ‘Cyber Essentials’ standard, which recognises good cyber-hygiene practices. For larger and international corporations, the CSA launched the ‘Cyber Trust’ mark, which recognises ‘comprehensive measures and practices’. The CSA’s CEO, David Koh, sees the certification system as a means for companies to demonstrate their commitment ‘to ensure that they remain cyber-secure, giving them an edge over their competitors’ while simultaneously ‘providing greater assurance to their customers’.
International Interaction on Cyber-Norm Development
One of the strategic pillars of Singapore’s 2021 cyber-security strategy aims to enhance international cyber cooperation to ‘foster an open, secure, stable, accessible, peaceful, and interoperable cyberspace’. Singapore is already proactively engaging in a wide range of initiatives fostering international cooperation on cyber matters. For example, Singapore has been an active participant in UN norm processes, including the UN’s GGE and the Open-Ended Working Group, where Singapore has called for a ‘UN cyber fellowship program for small states that would support the training in cyber issues for mid- to senior level officials from smaller developing countries’. Furthermore, Singapore co-chairs, with Estonia, the UN Group on e-governance and cybersecurity, and chairs the UN Group of Friends on Digital Technologies, in cooperation with Finland and Mexico.
Singapore hosts the annual Singapore International Cyber Week, a high-level event on cyber security fostering cooperation in the field, including on norm implementation. Singapore has also been active in regional capacity building, for example when it announced in 2019 that it would provide around $22 million for the establishment of the ASEAN–Singapore Cybersecurity Centre of Excellence which, among other things, trains computer emergency response teams.
To further support these ambitions, Singapore has multiple bilateral agreements with countries such as Australia, Japan, France, Germany, the UK and the US, all working on improving cyber capabilities in Southeast Asia. In late 2022, the inaugural US–Singapore Cyber Dialogue was held, providing a platform for exchange in which officials could discuss both further cooperation and topics such as supply-chain security, cyber capacity building, and cyber talent and workforce development.
Concluding Remarks
The following concluding remarks set out initial comparative observations based on the research underlying this paper, and point to areas that require further research to better understand the various regulatory approaches to cyber-security issues.
-
All the jurisdictions discussed in this paper have advanced a cyber strategy. While these strategies certainly take into account the cyber threat landscape and wider global contexts, aspects of the strategies remain specific to each jurisdiction (such as the Olympic Games in Japan). However, some common themes can be observed across the strategies:
-
Strategies are regularly updated in line with domestic timelines, but they also respond to international events. In the timeframe examined for this paper, recent trends include the rise of cybercrime, Russia’s invasion of Ukraine, heightened tensions between China and Taiwan, and the increased need to secure CNI and supply chains.
-
These strategy updates increasingly focus on harmonising and streamlining each jurisdiction’s existing and developing cyber policies. Such harmonisation is advanced to avoid both fragmentation and the duplication of effort. This is reflected in the UK’s 2022 strategy and its ‘whole of society’ approach, and in the EU’s efforts to move away from a sectoral approach towards a more cohesive cyber policy, including the development of a skilled cyber workforce.
-
There is a noticeable trend towards interventionist policies that emphasise regulatory approaches to cyber security, rather than voluntary standards. This trend was already apparent in the UK’s 2016 cyber strategy, and is now also reflected in the US’s 2023 National Cybersecurity Strategy. In line with this trend, businesses and cyber-security professionals must anticipate regulatory changes if they are to keep up with varying and increasingly binding obligations.
-
Greater protection of CNI is a priority for all the jurisdictions discussed in this paper. Although the number and scope of sectors categorised as CNI vary from one jurisdiction to another, many of the designated sectors are common. Further efforts to advance mandatory cyber-security measures beyond CNI sectors are also a priority for many jurisdictions, which again has a direct impact on businesses and the cyber-security professionals who have to implement them. Thus, businesses and cyber-security professionals have to simultaneously comply with changing and at times varying obligations among different jurisdictions – particularly if they operate internationally. Further research comparing and contrasting the varying scope of CNI designations and the respective cyber-security obligations for businesses and cyber-security professionals could help clarify ways for them to navigate the different requirements, and identify the skills required from the workforce where businesses operate across a range of jurisdictions. Further research could also explore opportunities and approaches for harmonising the range of frameworks, policies, initiatives and changing regulations that currently exist.
-
Although a whole range of tools, frameworks and initiatives improving public–private partnerships is often available to guide businesses in implementing these measures, it is not always clear what these obligations entail in detail. This is especially true for non-binding or vague standards. Although much information is available in English, where this is not the case it is especially challenging for external businesses and cyber-security professionals to understand how to comply with these obligations. Again, further comparative research would help businesses and cyber-security professionals understand the practical impact of changing regulations, new cyber-security measures and – especially – the varying obligations they must comply with, such as reporting requirements.
-
A common theme seen across all the jurisdictions examined is the shortage of personnel in the cyber-security workforce, exacerbated by global events and trends, such as the Covid-19 pandemic and increased digitalisation. In fact, many of the jurisdictions outlined here compete directly with each other for skilled workers (for example, the US and Canada) or rely heavily on outside cyber expertise (as is the case for Japan). Governments have responded to such shortages by acknowledging the need to improve skills development through a range of initiatives. Many of the measures in place across the different jurisdictions resemble one another, especially where they focus on attracting young people to cyber-security professions, or involve adopting skills frameworks such as NICE or the ECSF to harmonise the language used to describe cyber-security roles. Some jurisdictions prioritise specific aspects in their efforts to support a robust talent pipeline, for example when aiming for greater diversity with respect to gender (Canada, the US) and region (the UK). However, despite the multitude of initiatives fostering skills development, little is known about their effectiveness. More research is needed to understand which initiatives help eliminate discrepancies between education and the demands of industry and, as a result, reduce the gaps in the cyber-security workforce. Singapore would make an interesting case study, providing further insights into the effectiveness of measures taken in 2022, when the city state was successful in reducing its gap in the cyber workforce.
-
Overall, the jurisdictions studied in this paper share a cooperative, proactive attitude to the development of norms applicable to cyberspace, and seek to advance a free and secure internet. All entities covered are active supporters of the UN processes for norm development in cyberspace and engage in a range of multilateral, bilateral and multi-stakeholder arrangements, seeking greater cooperation on cyber issues with other states, regional organisations, and the private sector. Areas for cooperation include norm development and capacity building, but also the development of cyber-security skills and closing the gap in the cyber workforce.
Pia Hüsch is a Research Analyst in cyber, technology and national security. Her research focusses on the impact, societal risks and lawfulness of cyber operations. Prior to joining RUSI, Pia conducted her doctoral research on the lawfulness of low-intensity offensive cyber operations in international law, particularly under the principles of sovereignty and non-intervention.
James Sullivan is the Director of Cyber Research at RUSI, where his research focuses on the most pressing cyber and technology policy challenges of our time. James founded and has grown a research group at RUSI that supports UK and international strategic responses to cyber-related challenges.