Certifications under consideration in 2021 include EU Common Criteria for critical infrastructure, cloud services, artificial intelligence, and 5G.
The expanded threat landscape of cloud-based assets along with connected operational technology devices is increasing cyber risk exposure. The pandemic and economic downturn have also created new challenges for government security leaders. Indeed, the massive shift to remote work for both the public and private sectors has forced businesses, governments and other organisations to adapt security practices, processes and policies to account for the significant range of new devices and assets which are now connected to enterprise networks.
Both governments and enterprises have seen increases in Covid-19 related phishing and other cyberattacks against employees during the pandemic. Unpatched hardware, software and configuration vulnerabilities in home devices can now be exploited and leveraged to attack enterprise networks.
For many global policy makers, the transformative impact of the pandemic has reinforced the need to adopt new cybersecurity and privacy policies, many of which were under consideration before the pandemic, in order to strengthen trust in the digital economy. These include efforts to promote data privacy and protection, raise baseline security standards of care, and implement cybersecurity certification regimes.
Since the current NIS Directive entered into force in 2016, the cyber-threat landscape has been evolving. The EU Commission has launched a public consultation on a proposed revision of the Directive. This will be an opportunity to clarify minimum cyber hygiene standards, consider the expanded threat landscape of cloud computing and operation technology risks, and harmonise security standards across the EU. Much of this harmonisation will likely come through implementation of the cybersecurity certification schemes under the EU Cybersecurity Act.
While the member state cybersecurity authorities will play the lead role in driving these certifications in their respective countries, we also expect them to work closely with the European Commission and the European Agency for Network and Information Security in order to drive towards greater convergence. Certifications under consideration in 2021 include new Union-wide certification standards for EU Common Criteria for critical infrastructure, as well as certification regimes for cloud services, artificial intelligence, and 5G.
It has been more than two years since the European General Data Protection Regulation, GDPR came into effect and changed the landscape of global data security. The data protection by default approach of the GDPR is now being mirrored in Brazil with the Lei Geral de Proteção de Dados Pessoais, LGPD, with some key differences. The LGPD, which went into effect in August 2020, has a broad scope and applies to any organisation that processes Brazilian citizen data.
As many organisations processing Brazilian citizens’ data undergo digital transformation, it will be critical to understand these new requirements and to avoid penalties. The Brazilian government is expected to clarify some of the provisions of this law in 2021. Brazil is influential across the Americas and their minimum-security standards will be impactful for data security practices.
Japan, Brazil, Canada, India and New Zealand all made updates in 2020 on regulations impacting data security standards. All of these countries moved closer to the EU model of minimum cybersecurity standards and substantial fines for non-compliance. This trend is likely to continue with governments reviewing their basic cybersecurity standards in light of the changing threat landscape and concerns for data privacy. Expect to see more extraterritorial reach for these laws as governments mandate basic cybersecurity requirements and leverage fines to organisations who ignore security.
Because there is a wide range of maturity for OT security policy across APAC, there is a need for developing and harmonising security best practices. Regional industry groups are likely to drive alignment with international, consensus driven, standards. As an example, the ASEAN Ministerial Conference on Cybersecurity AMCC, agreed in 2018 to subscribe in-principle to 11 voluntary, non-binding norms as well as to focus on regional capacity-building in implementing these norms.
These norms include Critical Infrastructure Protection and OT protection. In 2018 Singapore published its Master Plan for Operational Technology standards. These efforts are likely to grow across APAC in 2021 as 5G technology is adopted and the OT threat landscape risk grows.
Earlier this year, Australia launched a consultation on a proposed enhanced regulatory framework for operators of critical infrastructure and systems of national significance. This focus on critical infrastructure stems from Australia’s Cyber Security Strategy 2020, where the government noted that highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers.
In response, the Strategy calls for critical infrastructure businesses to improve baseline security, and states that the government will invest funds in cyber situational awareness, research on cyber threats, and vulnerability assessment.
Government leaders in India have also been increasingly focused on the security of their industrial technology infrastructure against cyberattacks. Critical infrastructure cybersecurity will therefore likely be a major focus area in India’s National Cyber Security Strategy 2020, and early implementation of the Strategy is expected in 2021.
Japan continues to implement provisions of the Cyber Physical Security Framework, released by the Ministry of Economy, Trade and Industry METI in 2019 and focused on security for consumer and industrial IoT. As part of this implementation, METI released a draft IoT Security Safety Framework earlier this year, focusing on security for the layer of mutual connections between physical devices and cyberspace.
METI will likely develop further guidance on Cyber Physical Security in 2021, especially as the Tokyo Summer Olympics, which constitute a prime target for cyber attackers, have been rescheduled for next summer.
2020 saw further progress in the US on the harmonisation of regulatory requirements for cybersecurity and the growing acceptance of a risk profile model that could be examined across multiple regulatory agencies, largely based on the NIST Framework for Improving Critical Infrastructure Cybersecurity. There is also continued discussion of harmonisation in both Europe and APAC.
2021 is likely to see additional review of these requirements in Europe as banks seek to reduce duplication across national agencies and limit burdensome regulatory requirements. This is hopefully an opportunity to focus on critical risks and maintaining harmonised standards for cybersecurity.
Energy and critical infrastructure security have received renewed attention in recent months as the Covid-19 pandemic has put into focus how much we rely on the electric grid, supply chains, manufacturing and pharmaceuticals.
Over the last year, Congress has worked on the American Energy Innovation Act, which contains numerous cybersecurity provisions to strengthen US energy infrastructure cybersecurity through public-private partnerships, rate incentives for cybersecurity investments, and advanced cybersecurity technology and application research and development. While this bill is unlikely to pass before the end of this Congress, we expect to see similar legislative efforts on strengthening energy sector cybersecurity in 2021.
The US Departments of Energy and Homeland Security will also continue to prioritise energy grid and industrial cybersecurity through policy guidance and updated standards. Questions regarding whether these approaches will take a more voluntary or regulatory approach in 2021 may depend on presidential and congressional election outcomes.
Congress is also expected to consider a major transportation and infrastructure package in 2021. This legislation is expected to include provisions on smart, digital infrastructure. Therefore, critical infrastructure and OT cybersecurity considerations will need to be addressed as well.