Cyber risks know no boundaries and pose a global and national security issue. In order to contextualise the evolving cyber security regulatory landscape in Australia, it is important to understand the strategies adopted by other countries including the US, UK, EU and in the Asia-Pacific region. Below is a snapshot of the initiatives implemented by some of Australia's key trading partners to manage cyber risks in 2021.
Cybersecurity Act and Critical Infrastructure
Singapore launched its first Cybersecurity Strategy in 2016. One of the most significant pieces of legislation to come from this was the Cybersecurity Act 2018 (Act. 9 of 2018) (the Act). The Act created a cyber security regulator, the Cybersecurity Commissioner, and gave the Commissioner significant powers for the response and prevention of cyber security incidents affecting Singapore.
The Act also identified 11 critical sectors of essential services and set out a framework for the monitoring of Critical Information Infrastructures (CIIs). The essential services include energy, info-communications, water, healthcare, banking, aviation and the media. Under the Act, CIIs are obliged to report cyber security incidents to the Commissioner, conduct regular audits and risk assessments, and provide reports on their cybersecurity if requested by the Commissioner.
The Act also creates a framework for licensing and regulating service providers of certain types of cyber security services, including a requirement that they be a "fit and proper" person to provide the service. These requirements extend to both Singaporean and overseas service providers offering such services in Singapore.
Cybersecurity Strategy 2021
On 5 October 2021, Singapore launched the Singapore Cybersecurity Strategy 2021. The strategy comprises three strategic pillars and two foundational enablers:
- Build resilient infrastructure
Under this pillar, the government will work closely with CII owners, the cybersecurity industry and key digital infrastructure owners to enable a coordinated approach to national cyber security. This includes a review of the Cybersecurity Act, additional regulations, modernising the cyber security architecture of government systems and raising the level of cyber competency across government.
- Enable a safer cyberspace
In 2020, the government launched the Safer Cyberspace Masterplan, which articulated its approach to creating a clean and healthy digital environment. The Masterplan remains relevant to Strategy 2021. Strategies include providing an additional layer of protection to all Singaporeans by securing the national internet infrastructure, making cyber security resources available, providing SMEs with resources and support, and rolling out cyber awareness campaigns.
- Enhance international cyber cooperation
This pillar seeks to engage and collaborate with international partners to work towards the longer-term objective of a rules-based multilateral order in cyberspace and to develop mechanisms and policies to raise the global baseline level of cybersecurity.
- Develop a vibrant cybersecurity ecosystem
This involves supporting industry innovation, startup cyber companies and internationalising Singaporean cyber security companies.
- Grow a robust cyber talent pipeline
This enabler involves supporting youth, women and mid-career professionals to pursue a cyber security career. The government will partner with industry and higher-educational institutions to enhance career pathways and facilitate the development of deep skills as well as develop good pathways for cyber security professionals in the public sector.
Internet of Things and Cybersecurity Labelling Scheme
In October 2020, Singapore also launched the Cybersecurity Labelling Scheme (CLS) for consumer smart devices, as part of efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore's cyberspace. The CLS is the first of its kind in the Asia-Pacific region. Under the scheme, smart devices will be rated according to the levels of cyber security provisions built into the device software. This will enable consumers to identify products with better cyber security provisions and make informed decisions. In early 2021, the Cyber Security Agency of Singapore extended the CLS to all categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers.
Cyber security strategy
The UK's second National Cyber Security Strategy (NCSS) was established in 2016 and ends in 2021. The NCSS was underpinned by £1.9 billion of investment in transformational activities.
The UK Innovation Strategy published by the Department for Business, Energy & Industrial Strategy in July 2021 foreshadowed that the UK government would publish a new National Cyber Strategy by July 2022 that would build on the 2021 Integrated Review, emphasising the UK’s strength in cyber as an opportunity for ensuring long-term prosperity and security. It will include measures to foster growth and innovation in the UK's cyber security sector, develop more secure digital infrastructure, ensure security is built into future technologies, and protect cutting-edge research and IP in sectors critical to strategic advantage.
Internet of things
In July 2020, the UK Government announced that it was planning to amend the legislation to make "smart" consumer products more secure and put out a call for submissions.
On 21 April 2021, the government announced its intention to introduce new legislation that would regulate the security of consumer smart devices, including phones, televisions, speakers, toys, wearables, doorbells and other consumer internet of things (IoT) devices.
Whilst the legislation is yet to be published, the government has announced the following requirements will be included:
- Customers must be informed at the point of sale of the duration of time for which a smart device will receive security software updates
- Manufacturers will be banned from using universal default passwords, such as "password" or "admin", that are often preset in a device’s factory settings and are easily guessable
- Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
Critical infrastructure: communications
In 2020, the Telecommunications (Security) Bill was introduced into UK Parliament. The Bill amends the Communications Act 2003 by establishing a new telecommunications security framework, including new security duties on public telecommunications providers and new powers for the Secretary of State to make regulations and issue codes of practice. It also allows the Secretary of State to make regulations that require providers to take specific security measures, and imposes a duty on providers to inform the Office of Communications (Ofcom) of any security incidents.
The Bill also introduces new national security powers for the government to impose, monitor and enforce controls on public communications providers' use of designated vendors’ goods, services and facilities within UK telecommunications networks.
The Biden administration has in the last year taken an active role in improving and strengthening the US's cyber security and increasing cyber resilience across industries.
Executive Order on Improving the Nation's Cybersecurity
Shortly after the cyber attack on Colonial Pipeline in May 2021, which led to fuel shortages across the East Coast of the US, President Biden signed an Executive Order (EO) to improve the nation’s cyber security and protect federal government networks. It intends to:
- improve software supply chain security by establishing baseline security standards for private-sector vendors who supply to the government
- create a standard playbook for federal departments and agencies when responding to cyber incidents
- improve detection of cyber security incidents on federal government networks
- improve investigative and remediation capabilities by creating cyber security event log requirements for federal departments and agencies
- establish a Cybersecurity Safety Review Board for analysing the impact of breaches
- facilitate easier threat sharing information between the government and private sector; and
- modernise and implement stronger cyber security standards in the federal government by moving the federal government to secure cloud services and a zero-trust architecture, and mandating deployment of multifactor authentication and encryption within a specific time period.
On 8 October 2021 a memo on endpoint detection and response (EDR), as part of the implementation of the EO, provided that agencies have 90 days to provide Cybersecurity and Infrastructure Security Agency personnel and contractors access to existing EDR deployments, in an effort to accelerate the adoption of EDR solutions.
TSA's Security Directive
In May 2021, the Department of Homeland Security’s Transportation Security Administration (TSA) issued an initial Security Directive requiring critical pipeline owners and operators to report cyber security incidents, designate a cyber security coordinator, and conduct a review of their current cyber security practices.
In July 2021, TSA issued a second Security Directive requiring owners and operators of pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections including:
- implementing specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems within prescribed timeframes
- developing and implementing a cybersecurity contingency and recovery plan
- conducting an annual cyber security architecture design review.
National Security Memorandum
On 28 July 2021, President Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (NSM). The NSM:
- directs the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), in collaboration with other agencies, to develop cyber security performance goals for critical infrastructure; and
- established an Industrial Control Systems Cybersecurity Initiative, a voluntary and collaborative effort between the US’s federal government and the critical infrastructure community. The initiative will encourage and facilitate the deployment of technologies and systems and response actions to cyber threats to ensure safe operations of these critical systems.
Meeting with private sector leaders
On 25 August 2021, President Biden met with private sector and education leaders to discuss the whole-of-nation effort needed to address cyber security threats and opportunities to bolster the nation’s cyber security in partnership and individually. Several participants announced commitments and initiatives:
- The Biden Administration announced that the NIST will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain. Microsoft, Google, IBM, Travelers, and Coalition committed to participating in this NIST-led initiative
- The Industrial Control Systems Cybersecurity Initiative was extended to a second major sector: natural gas pipelines
- Resilience, a cyber insurance provider, announced it will require policy holders to meet a threshold of cyber security best practice as a condition of receiving coverage
- Coalition, a cyber insurance provider, announced it will make its cyber security risk assessment and continuous monitoring platform available for free to any organisation.
On 8 July 2021, the NIST released a critical software guidance. As part of the initial implementation phase, the Office of Management and Budget (OMB) gave agencies 60 days to identify 12 types of critical software that they are using on-premises or are in the process of buying for on-premises use.
In a second order, the OMB gave agencies 60 days to assess how well they log cybersecurity incident data against a new maturity model released. As part of the review, the agencies also had to identify gaps and develop plans to mitigate these gaps.
Federal Zero Trust Strategy
On 7 September 2021, the OMB released the Draft Federal Strategy For Moving the US Government Towards a Zero Trust Architecture. The memo gives agencies until the end of September 2024 to meet five “specific zero trust security goals," being identity, devices, networks, applications and data. The government also published guidance documents and a Zero Trust Maturity Model on what is expected for each of the five goals.
Cryptocurrency exchange sanctions
On 21 September 2021, the Biden administration imposed sanctions on a cryptocurrency exchange for laundering ransom transactions for cybercriminals. The US Department of Treasury prohibited anyone in the US from conducting business with SUEX OTC, a Russian-linked currency exchange. This sanction was the first of its kind. In a further effort to address the threat of ransomware, the White House will also convene a 30-country virtual meeting to strengthen law enforcement cooperation and diplomatic ties against cybercrime.
Office of the National Cyber Director
The Office of the National Cyber Director was established by the National Defense Authorization Act for Fiscal Year 2021, with John Christopher Inglis appointed as the first National Cyber Director. The National Cyber Director serves as a principal advisor to the President on cybersecurity policy and strategy, and cyber security engagement with industry and international stakeholders.
Ransom Disclosure Act
On 5 October 2021, Senator Elizabeth Warren introduced the Ransom Disclosure Act. This bill would require companies and organisations to report any paid ransomware demands to the Secretary of the Department of Homeland Security within 48 hours of payment. They would also need to provide supporting information including the amount paid, the currency used and any other information that may indicate the identity of the actor.
The intention behind the Ransom Disclosure Act is to allow the US Government to learn more about how ransomware operations work in order to craft more appropriate responses. There are concerns, however, with regard to a proposed publicly accessible database of the payments. In a report published by Cybereason, 80% of organisations that paid a ransom experienced a second ransomware attack. It is believed that if attackers can easily access which organisations have been recently vulnerable, these vulnerabilities will be more frequently exploited. It is also argued that additional government scrutiny following the report would increase business disruption and lengthen the restoration of normal operations.
K-12 Cybersecurity Act
On 8 October 2021, President Biden signed the K-12 Cybersecurity Act into law to enhance the cybersecurity of the US's K-12 educational institutions. The legislation authorises the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study within 120 days of the specific risks impacting K–12 institutions. Subsequently, within 60 days the director will develop recommendations for cyber security guidelines for K–12 schools based on the results of the study and following that, within 120 days, will create an online training toolkit for "officials" at K–12 schools.
K–12 districts protect a great quantity of valuable data, including grades and academic records, medical files, Social Security numbers and family information.
Paris Call for Trust and Security in Cyberspace
On 10 November 2021, Vice President Kamala Harris announced a number of collaborative initiatives that the United States will undertake alongside France and other countries to address global issues and emerging threats, including efforts to advance international cooperation in cyber security. The US announced its decision to support the Paris Call for Trust and Security in Cyberspace – a voluntary commitment to "work with the international community to advance cyber security and preserve the open, interoperable, secure, and reliable internet."
This announcement builds on the United States’ continuing work to improve cyber security for its citizens and business, including rallying G7 countries to hold accountable nations that harbour cyber criminals, supporting the update of NATO cyber policy for the first time in seven years, and the recent counter-ransomware engagement with over 30 countries around the world to accelerate international cooperation to combat cybercrime.
The EU Cybersecurity Act
The EU Cybersecurity Act was enacted in 2019 to strengthen the European Union Agency for Cybersecurity (ENISA) and establish a cyber security certification framework for products and services. Part of this Act was that ENISA was to provide customers with relevant information on the applicable certification schemes by providing guidelines and recommendations, as well as conduct regular outreach and public education campaigns directed at end users to raise cyber awareness.
On 28 June 2021, several articles of the Act came into force including that each member state designates one or more national cyber security certification authorities (NCCA). This led to the establishment of national cyber security agencies within the EU in 2021 such as Italy's National Cybersecurity, as well as a number of existing agencies being delegated this responsibility.1 These authorities must supervise and enforce rules included in the Act, monitor compliance with and enforce obligations on ICT manufacturers and providers and public bodies, handle complaints and monitor developments in the field of cybersecurity certification. NCCAs must also provide an annual summary report of their activities and cooperate with other NCCAs and public authorities through information sharing.2
The ability for people to lodge complaints with their NCCA also came into effect on this date. To facilitate this, people now also have the right to an effective judicial remedy if there is a failure to act on a complaint lodged.3
The Network and Information Security (NIS) Directive was the first EU-wide legislation on cyber security. It aimed to achieve a high common level of cyber security across member states, however the EU acknowledged that its implementation proved difficult and led to different cyber security levels between members. As a result, in February 2021 the European Commission submitted a proposal to replace this Directive with NIS2 to oblige more entities and sectors to take measures to assist in increasing the overall level of cyber security in the EU.
The draft legislation for NIS2 was published in October 2021 and has broadened the scope of the NIS Directive, capturing an estimated 160,000 entities. Organisations will be covered if they have a €10 million turnover and at least 50 employees. "Essential sectors" including energy, transport, banking, health, digital infrastructure, public administration and space sectors are also captured under the draft legislation. The legislation also covers "important sectors" that include postal services, food, waste management, electronics and digital providers.
The obligations imposed by the proposed NIS2 include risk analysis, supply chain security, incident and vulnerability handling and disclosure, encryption and development and maintenance. The NIS2 Directive will also include penalties of up to €10 million or 2 percent of an entity’s total turnover worldwide for not complying with the reporting and/or cybersecurity risk management measures. The legislation is currently being amended and is expected to be finalised in the second half of 2022.
Radio Equipment Directive
On 23 September 2021, the European Commission issued a proposal to amend the Radio Equipment Directive 2014/54/EU to include a number of additional cyber security safeguards that will cover wireless devices including mobile phones, tablets, smart watches, fitness trackers and baby monitors. The Commission stated that the current design of wireless devices sold in the EU does not guarantee a sufficient level of cybersecurity, personal data protection or privacy of their users.
The draft amended directive will aim to:
- make networks more resilient by obliging companies to incorporate features to avoid their misuse to harm communication networks
- improve protection of personal data and consumer privacy
- create an obligation for the equipment to include features that minimise the risk of monetary fraud when the equipment is used to make electronic payments.
The delegated act will come into force at the beginning of 2022, provided that no objections are raised by the Council and Parliament. Once in effect, manufacturers will be given a transition period of 30 months to comply with the requirements.
The EU Cyber Resilience Act
On 19 October 2021, the European Commission published its work programme for 2022. The programme includes a proposal on an EU Cyber Resilience Act which is set to be published in Q3 2022.
While the exact content and scope of the Act is currently still being discussed, it is known that its aim will be to complement the Radio Equipment Directive and establish common standards for cyber security products.
Data Security Law
On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which took effect on 1 September 2021. The DSL is China's first comprehensive data regulatory regime and supplements China's 2017 Cybersecurity Law, which established an overarching regulatory framework to ensure network security and data protection in China.
The DSL governs data processing and management activities conducted both within China, and outside of China if they have the potential to harm China's national security or public interest or damage the legal interests of any Chinese organisation or individual. The DSL grants authority for this data to be categorised by China's Central Government as either "important data" or "national core data" in accordance with its importance to China's interests. National core data will be more heavily regulated, however both categories will be required to establish a data security management system, collect and use data lawfully and by proper means, and monitor for potential cyber risks. Organisations must also "promptly notify" users and authorities of any data breaches.
Companies that fail to protect their data may face fines of up to RMB500,000 (~AU$109,382). If a company fails to rectify failures or if the failures resulted in large-scale data leaks, they can face fines of up to RMB2 million (~AU$437,520), the forced shutdown of their business and the revocation of business licences.
The DSL has broad application and it will be essential for non-Chinese organisations doing business in China or with Chinese organisations to seek advice regarding the applicability of the DSL to its business operations, particularly if the organisation possesses data that may relate to national security and public interest.
Personal Information Protection Law
On 1 November 2021, the People's Republic of China's (PRC) Personal Information Protection Law (PIPL) officially came into effect. The PIPL introduces a comprehensive set of privacy laws much like the European Union's General Data Protection Regulation. The PIPL will operate alongside the Cybersecurity Law and Data Security Law.
Organisations that do not comply with the PIPL may be subject to fines of up to 5% of their annual turnover or RMB50 million (approx. AU$11 million).
Although the PIPL is a PRC law, the extra-territorial effect of the new law may place requirements upon overseas organisations. Organisations should be aware of the wide-reaching application of the PIPL.
Under Article 3, an overseas organisation will need to comply with the PIPL when it processes personal information of Chinese residents outside of China and any of the following circumstances apply:
- the organisation provides products or services to Chinese residents
- the organisation analyses and assesses the activities of Chinese residents; or
- other circumstances provided by law or administrative regulations.
With its wide reach, again it is essential for non-Chinese organisations to seek advice regarding the applicability of the PIPL to their business operations.
Together, the DSL and PIPL supplement the 2017 Cybersecurity Law to form an increasingly comprehensive legal framework for data security in the PRC.
Security Protection Regulations on Critical Information Infrastructure (CII Regulation)
On August 17, 2021, the State Council of the PRC released the Security Protection Regulations on Critical Information Infrastructure (the CII Regulation), which took effect on 1 September 2021. Also part of China's implementation of its 2017 Cybersecurity Law, this regulation applies only to Critical Information Infrastructure (CII), being network and IT systems that are critical to national security and public interest or have implications for companies that supply or service such networks and systems.
CII is defined based on two tests:
- The industries test: the “important network facilities and information systems” (the Facilities & Systems) in the following industries and fields: public telecommunication and information service, energy, transport, water conservancy, finance, public service, e-government, science and technology industry for national defence, and other important industries and fields; or
- The consequences test: other Facilities & Systems which may seriously endanger the national security, national economy, people’s livelihood and public welfare once they are subject to any destruction, loss of function or data leakage.
The Regulations create a general requirement for the operators of CII to adopt "necessary measures" to prevent and respond to cyber security incidents and prevent cyber attacks. They must also ensure the safe and stable operation of CII by establishing a specific security-management department and implementing risk monitoring, planning and emergency response, conduct background checks on key personnel, conduct an annual risk audit and promptly correct any identified risks and conduct detailed cyber security reviews before engaging in the procurement of network products or services.
The Regulation also creates reporting obligations to the relevant authorities of cyber incidents and treats, as well as any corporate activity that may impact the CII's cyber security such as mergers or business sales.
For a snapshot of initiatives implemented in Australia, see our insights on past and pending legislation and policies, funding and initiatives for the digital economy.
1See, for example, the Federal Office for Information Security in Germany and CCN-CERT in Spain.
2EU Cyber Security Act, Art. 58.
3Ibid, Arts. 63-4.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.