Just as the world was debating data privacy and digital sovereignty, a key oil pipeline on the East Coast of the United States was struck by a ransomware attack. It led to gas station closures and long queues of panicking motorists in several states. The US government has refrained from pointing towards any state actor and has blamed a criminal extortion ring, ‘DarkSide’, for the attack. Critical infrastructures, like pipelines and electricity grids, can be targeted easily using cyber-attacks. It is a common realization amongst US officials that they have limited powers to force private utilities to adopt minimal levels of cybersecurity compliance. Thus, the future of cybersecurity regulation will be shaped by growing threats to such critical installations, where a single outage can have serious political ramifications for the ruling government.
Here we discuss how future cybersecurity regulations will be devised, considering the growing tussle between cyber protectionism and liberalism.
Protecting Critical Infrastructure (CI)
Future cybersecurity regulation will aim towards increasing compliance and reporting requirements for private and public entities handling critical infrastructure. The EU has had a directive designed especially for such CIs since 2008, and a more elaborate NIS Directive has been in force since 2018. The European Union Agency for Cybersecurity (ENISA) is tasked with the implementation of these directives. The USA’s counterpart is CISA (the Cybersecurity and Infrastructure Security Agency).
Protecting industrial control systems remains a daunting challenge for several reasons. More rigorous monitoring will also be required to check that companies involved in such critical operations keep their business networks and technical operations clearly separated, with robust firewalls in between.
Regulatory Technology can’t survive without Cybersecurity
RegTech has seen enormous growth in the last few years due to growing compliance requirements. However, experts now overwhelmingly believe in the policy of “Don’t Collect If You Can’t Protect”. Government officials will soon come to realize this too. Without proper cybersecurity mechanisms, all the data collected using RegTech platforms and devices will be vulnerable to cyber-attacks. Therefore, financial and other institutions must devise proper protective mechanisms.
Digital Sovereignty and calls for data localization
A growing number of governments around the world are calling for more digital sovereignty, coupled with stringent regulations demanding data localization. They aim to control the flow of information coming in and out of their geographical boundaries. Russia, China, Saudi Arabia and some other countries are leading this movement. The European Union’s GDPR also introduced strict regulatory requirements with regard to the personal data of European citizens. In the future, a growing number of regulators are expected to press for such legal amendments.
Recently, Western countries have introduced a barrage of laws and regulations targeting Chinese telecom companies like Huawei and ZTE. The main concerns behind these moves have been potential espionage activities and privacy. The USA, UK, Australia, and some European countries are at the forefront of this aggressive policy-making. Moreover, Chinese equipment isn’t eligible for federal subsidy programs in the USA. In the future, more stringent laws are expected to be introduced in developed countries. Developing countries will be pressured to get rid of Chinese telecom and cybersecurity equipment; otherwise, intelligence sharing with such countries may be curtailed or even halted. Similarly, China may target European competitors in retaliation.
An Array of Privacy Protection Acts and Regulations
Several data protection Acts and regulations have been introduced since GDPR. Nearly every US state is working to promulgate its own data privacy and consumer protection laws; California, Nevada, Maine, and Virginia have already done so. Under-developed countries are also facing serious public pressure in this regard. Timely reporting of data breaches is an important requirement of all these regulations.
Future of Ethical Hacking
There is a consensus within the cybersecurity community that good (ethical) hacking is highly important for improving the overall cybersecurity of critical infrastructures and other critical information systems. However, there is increasing concern about hacking performed by law enforcement officials and by penetration testing companies hired to check for security vulnerabilities.
Courts will play an important role in this sphere. One such case is the well-known pending Supreme Court case ‘Van Buren v. United States’, dealing with the Computer Fraud and Abuse Act. If courts grant greater protections to cybersecurity researchers, global efforts to fight cyber fraud and ransomware can improve, reducing the need for other types of regulation.
IoT (Internet of Things) Regulations
There are already 30 billion IoT devices working around the world. This arena of cybersecurity will attract the most attention from regulatory bodies across the world as CIs start deploying them in the near future. The EU has already taken the lead in this regard. However, there are still no binding regulations on IoT manufacturers operating in EU territory. A lot still needs to be done, as technological advancement is outpacing regulation and stakeholder understanding.