2020s and beyond: what does the future hold for global cyber legislation?

How will cyber legislation change in the next decade? Kat Sommer, our head of public affairs, explores why collaboration is crucial when it comes to the future of cyber security law around the world.

As the level of connectivity around the world increases, so does the associated level of risk. Governments have become increasingly aware of this over the last decade, and we’ve seen cyber security placed firmly on the legislative agenda as a result.

The scope and definition of cyber security has also evolved rapidly. From the protection of personally identifiable information (PII) to securing critical national infrastructure, there are many facets of security for governments to cover – a number that is only likely to increase in the future.

Already, a complex network of rules and regulations spanning jurisdictions around the world has been woven, and this will serve as the baseline for the future.

We’ve taken a look at some of the legislation in place today, and while this is by no means a comprehensive review, looking beyond our own borders at how other nations have addressed the shared challenge of cyber security could give us a glimpse of what the future could hold for global cyber legislation.

What does cyber legislation around the world currently look like?

Cyber legislation varies significantly between countries, shaped by their political systems, and culture, as well as their pace of digitisation and internet penetration. For example, African countries devising cyber crime legislation now are able to leapfrog a lot of the iterative approaches European countries have taken, and develop a more modern framework from the outset.

However, perhaps unsurprisingly when faced with similar challenges, there are shared themes across individual jurisdictions’ approaches to cyber legislation. Many governments are focusing on driving collaboration between policymakers, academia and the cyber security industry itself.

While consensus has seemingly been reached that leaving cyber resilience to market forces will not deliver the right outcomes, debate on the extent to which government intervention is required continues. This includes discussion on whether advice and guidance will suffice, or whether incentives to encourage desired behaviours could prove more effective than enforceable and sanctionable rules.

In light of often limited public sector resources and capacity, a considered approach needs to be taken when deciding on the areas in which government action can make the biggest difference, and where partnerships, or trusting the private and third sectors to pick up the slack, will offer the best value for money.

In the UK specifically, one significant driver of collaboration between industry, academia and government has been the establishment of the National Cyber Security Centre (NCSC) in 2016. By providing accessible advice, research and expertise, the NCSC now serves as a one-stop-shop for citizens, businesses, public sector and SMEs in the UK that are looking for cyber security guidance, as well as the clear technical authority to manage cyber incidents and offer advice to policymakers.

We have also seen cross-border collaboration increase in the past years, with the introduction of more data and security requirements that flow down from European level, such as the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive.

There is also a question of the role of the cyber security industry in tackling emerging cyber threats. The Netherlands has a more unique approach to vulnerability disclosure, helping to mitigate common issues around the discovery, reporting and resolution of vulnerabilities. One example is the introduction of prosecutorial guidelines to safeguard security researchers better from criminal prosecution where they are acting in good faith.

We have also seen an increasingly robust approach to building business resilience in many parts of the world. For example, the Australian government has introduced the ASX 100 health check, which offers companies a baseline to assess themselves against, a model which has been replicated around the world.

In other countries, industry-specific advice and regulation is on the rise. For example, in the US, sectors such as aviation and healthcare benefit from specific security advice, which cover issues from how the government tackles cyber espionage to advice from the FDA for manufacturers of medical devices.

What does the future hold?

In a rapidly changing global cyber landscape, one thing is clear – there is no such thing as one ‘right’ approach to cyber security.

However, as cyber security threats and defensive capabilities continue to evolve over the next decade, it’s important that governments and businesses share knowledge and experiences even more openly.

By encouraging more cross-border collaboration between governments, businesses and the cyber security industry, global cyber legislation can be kept as up to date as possible and ultimately keep our global society safer.