
In April, more than 50 chief information security officers called on G7 and OECD member states to address the growing divergence in cybersecurity regulatory requirements. Rules increasingly vary from country to country, and even within countries, as governments respond to serious incidents.
Fragmentation complicates the operations of global companies, which must meet different obligations in different markets, even when selling the same product or service. And in today’s digital economy, that same product and service is often deployed, updated and patched from a central, often foreign, hub.
This is already a challenge for industry in established, digitally mature markets, such as the United States and European Union. In the Indo-Pacific, approaches to market regulation and absorbing cyber risks are even more nation- and culture-specific.
Australia, Japan, South Korea and Indonesia—some of the largest digital markets in the Indo-Pacific—have all updated their cybersecurity regulations in recent years. This has included strengthening data protection rules (such as Japan’s upcoming amendments to the Act of Protection of Personal Information); updating information security standards (such as amendments to South Korea’s Network Act); tightening oversight over critical infrastructure providers (such as Australia’s Security of Critical Infrastructure Act) and introducing inaugural rules (as with Indonesia’s Cybersecurity and Resilience Bill).
Overall, the issue isn’t so much contradiction in legislative or regulatory texts. The four nations broadly require the same types of controls, including penetration testing, patch management, plans for incident response and business continuity, and security training for personnel. The issue is the variances that emerge as regulators implement and enforce rules due to unequal institutional capabilities and differing cultures of technology governance.
As Ravi Nayyar argued in The Strategist, such fragmentation is a strategic vulnerability. It exposes the highly interdependent networks and markets of the Indo-Pacific to lags in vulnerability disclosures, effective incident responses and remediation.
Arguably, Australia now has a tight-knit, synchronised and robust latticework of cyber legislation. Effective implementation, however, hinges on robust inter-agency coordination and the ability of regulated entities, when in the eye of a storm, to navigate potentially differing requirements, reporting lines and guidance from multiple sources. Those sources include the Australian Cyber Security Centre, the Cyber and Infrastructure Security Centre, Australian Prudential Regulation Authority and the Information Commissioner. High-profile breaches, such as the Qantas breach revealed this month, demonstrate that a complex legal regime doesn’t automatically equate to operational resilience.
Japan has tightened information security controls, including through a strengthened mandate for the National Center of Incident Readiness and Strategy for Cybersecurity. At the same time, the Japanese system relies on a high level of trust that government puts in private entities, most of which are Japanese, to observe good practices and uphold a communal sense of responsibility. Japan’s approach to cybersecurity must be considered alongside its Society 5.0 philosophy—a full convergence of information and communications technologies with physical life to overcome an aging population and innovation inertia.
In South Korea, the government exercises a high degree of control through laws and regulations as well as the national security and intelligence apparatus. The Korea Internet and Security Agency, for instance, is a single authority in charge of incident response, domain name management, threat intelligence, privacy and data protection, and information security certification. South Korea’s approach of positive regulation requires operators, vendors and service providers to obtain explicit permission before deploying activities, products and services.
Indonesia has an ambitious agenda to strengthen governance and regulation of cybersecurity, but lacks capacity. Legislation and regulation follow, rather than precede, action by the executive. For instance, the National Cyber and Crypto Agency was established, with an all-encompassing mandate, in 2018 by presidential decree in the absence of a national cyber strategy or cybersecurity legislation. In 2019, Parliament chose not to consider the draft legislation, and a draft bill has only this year been included on the legislative agenda. Consequently, regulatory enforcement is incidental, reactionary and subject to selective application of laws, such as the Electronic Information and Transactions law.
It’s not clear whether international regulatory fragmentation can be reversed. Across the Indo-Pacific, cybersecurity has become an issue of national security. That implies that the compliance obligations imposed on the private sector are not merely a matter of national risk management based on technical advice but are inherently political and geo-economic.
At this year’s Raisina Dialogue, Indian Minister of External Affairs S Jaishankar declared that ‘the world today makes business decisions, factoring in national security in a manner in which it did not do so before, especially in the digital era’ and that ‘all countries are not the same and the digital era will bring out that differential more sharply’.
Domestic and regional manifestations of fragmentation have several consequences. Technical efficiency is impeded by compliance burdens and coordination failures. Innovation is undermined by regulatory complexity and restrictive processes. Trust, essential for commercial and technology partnerships, is weakened by inconsistent application of standards and perceived capability gaps linked to national regulatory choices.
This permits chief executives and information security officers to ask their governments: how much of the geopolitical risk premium are you asking us to pay?
This article is delivered as part of ASPI’s partnership with Microsoft investigating the nature and consequences of regulatory fragmentation with respect to cyber resilience in the Indo-Pacific. The opinions are the author’s.