As a cybersecurity professional, I appreciate the impact that cyber policy can have on the adoption and effective utilization of technology. We see this working today in very advanced, mature industries. In the automotive industry, policies around safety, for instance, have done wonders to reduce the number of injuries resulting from an accident. Likewise, policies for manufacturing and chemical production help reduce the risk associated with handling dangerous chemicals. Cybersecurity is far less mature than the automotive or chemical industries; however, it is influencing and being impacted by evolving cyber policies and regulations.
As a provider of email security solutions, I spend much of my time looking at how best to leverage a security ecosystem that is powered by millions of contributors. It is therefore encouraging to me to see the many strategic activities happening in cyber policy among the world’s most powerful nations. Over time, and assuming solid diplomacy engenders trust in these relationships, these activities will help mature cybersecurity in a positive direction.
Cyber Policy on a Global Scale
The Biden administration released its Executive Order on Improving the Nation’s Cybersecurity in May of 2021. This comprehensive order codifies nine initiatives that encompass everything from improving detection of incidents to creating an NTSC-like cyber incident review board. Much of the order is steeped in sharing and transparency, particularly related to threat intelligence.
The UK also produced a comprehensive National Cyber Strategy 2022 that charts the UK’s path to the future. Much like the US, the UK is placing a strong emphasis on prevention, preparation, detection, response and recovery. It is tooling up with technologies to detect and prevent cyber attacks, and it is being very careful with its supply chains – a topic also mentioned in President Biden’s order.
In Australia, there is also a strong push toward strengthening the country's cyber security posture. The Australian Signals Directorate has stated that organizations should adopt an enhanced cyber security posture with an elevated sense of urgency. And the Department of Homeland Affairs discusses a whole-of-nation approach that creates strong ties between the Australian government and the private sector. This strategy does not leave out the individuals who play a key role in the security posture of any society. And they are putting their money where their policy is by investing over a billion dollars in this.
In Germany, the Federal Ministry of the Interior, Building and Community also put out a Cyber Strategy for Germany in September 2021. Germany is very much recognizing their role in shaping and contributing to the EU and is seeking a place where government and private industry are working together. The German Government is also noting the global nature of the problem and is looking to establish bilateral agreements to strengthen cooperation and participation.
Many other such strategies are published or are being developed. Canada has a comprehensive strategy, as do Germany, South Korea, Japan, and countless others.
In each case, there is a recognition that the nation itself has an obligation to its people to help with this technically heavy challenge, combined with partnering with commercial providers to deliver effective solutions to as many as possible.
Common Themes Among Strong Cyber Policies
Common among these strategies are themes of tremendous awareness around the urgency of dealing with these continually evolving threats. And there is a recognition that the way to combat this is with strong partners in both the public and private sectors. No government can do this alone. Partnerships with companies up and down the stack are necessary.
Information sharing may be the most critical goal. It is increasingly understood that comprehensive data collection on malicious threats must be done continuously and disseminated in as near-real-time as possible to as many places as possible. Likewise, the receivers of this information need to be able to orient and act accordingly. As national (and potentially international) policies evolve, there will be a strong resistance to sharing. However, over time, there likely will be a waxing and waning of sharing fervor. In the case of cyber, the more sharing that can be done with threat intelligence, the better.
As noted in these strategies, increasing cyber resilience is a combination of people and technology. It is our people who must be trained to recognize and respond to threats. The ecosystem must exist to learn from people and respond broadly when a threat is discovered. This is a technological manifestation of the “think globally, act locally” initiative. The ‘act locally’ is our people recognizing and reporting. The ‘think globally’ represents the policies and strategies that position the organization, as well as the investment in technology and intelligence feeds that can respond at line speed.
It is the responsibility of companies and governments to focus resources on security, including training, reporting suspicious emails, and response capabilities, but to do so with eyes wide open. As companies do their best to stay ahead of threats and vulnerabilities that continually crop up, there will be times when the collective community can patch and remediate in relative lockstep with people who exploit those vulnerabilities. This, however, will not always be the case. It is not reasonable to expect companies to always be ahead of every technical vulnerability. There are limits to the sizes of development shops and the speed at which they can respond. Therefore, it becomes critical to develop strategies and policies that enable the rapid dissemination of information when it is discovered, so the whole of society is able to take advantage of the information coming from a vast array of sources.
Globally focused cyber strategies are being developed by nations large and small, and will make an impact on investments in talent and technology, as well as pave the way for more transparency, standards, and communications among partners. This challenge impacts everyone since this is a global problem, though not every company, agency or country is on a level playing field, equally able to manage these threats. Organizations in a strong position become weaker when other, less capable organizations are successfully exploited, so it behooves those who are strong to help the less strong. With proper policies in place, even the less strong can positively contribute. We are all in this together, and with collaboration and information sharing happening in near-real-time, along with a sharing of how best to respond to these threats, we will be in a much better place.