A comparative study and considerations for future cybersecurity legislation
Cybersecurity legislation insights
Discussion paper
Volume 1 - Introduction and study summary

Contents (Volume 1)
1. Preface ... 2
2. National Cybersecurity Strategy (NCS) ... 3
3. Cybersecurity legislation ... 5
4. Designing cybersecurity legislation ... 30
5. Emerging trends of cybersecurity legislation ... 49
Acknowledgements ... 54
Endnotes ... 55

1. Preface

The digital age is a new era of interconnectivity and innovation. People across the world have integrated information and communication technologies (ICTs) into their daily life and critical operations. Digitisation has now become an inseparable and inevitable part of global socioeconomic development. As an inevitable consequence, the increased dependency on technology has led to greater exposure to cyber threats and challenges. In response to the heightened vulnerability to cyberattacks, countries across the globe have established, or are constantly having to establish and update, their domestic legislation, and collaborate with their international counterparts against cyber threats.

The approaches countries have adopted in designing cybersecurity legislation vary from one to the other depending on numerous factors, such as national socioeconomic status or historical background. This paper has been written with a detailed analysis of the differences and similarities between different countries' approaches. We sampled thirteen countries (hereafter "subjects") across the different continents and studied their cybersecurity environments, in particular focusing on their strategies for legislation. These sample countries are Brazil, Chile, China, Germany, India, Mexico, Singapore, South Africa, the United Arab Emirates (UAE), the United Kingdom (UK), the United States (US), Vietnam and the European Union (EU).

This paper intends to share observations, analysis and insights from various stakeholders, including cybersecurity and privacy policy researchers. It also intends to provide insights and guidance to policy makers and key stakeholders at the early stage of formulating a strategy for cybersecurity legislation. In overview, this report includes the following contents.

National Cybersecurity Strategy (NCS): Our team first analysed the National Cybersecurity Strategy (NCS) documents, which are the foundation and cornerstone for designing national cybersecurity strategy. This section outlines our findings on common structures and components of NCS adopted by the study subjects.

Nine cybersecurity areas: We conducted a thorough comparative study of our subjects' cybersecurity legislation and shortlisted nine common areas of interest:
1. Critical infrastructure (CI) protection
2. Incident response and crisis management
3. Cybercrime law
4. Personal data protection
5. Non-personal data protection
6. Information and communication technology (ICT) vulnerability management
7. Awareness and capability
8. International cooperation
9. Cybersecurity technologies and solutions marketplace
This section provides a general overview of variations and similarities in security and legislation design approaches in the nine areas of cybersecurity. It also highlights notable observations in those areas.

Five considerations: After aggregating the knowledge and insights gathered during the comparative study, our team identified five considerations that countries in the early stage of developing their cybersecurity strategy (including legislation) can take into account.

Future trends in legislation: Lastly, the report sheds light on emerging cybersecurity legislation trends so that countries may better prepare themselves for a rapidly evolving digital paradigm.

2. National Cybersecurity Strategy (NCS)

A National Cybersecurity Strategy (NCS) is a document that highlights the challenges, high-level goals, principles and priorities that guide a country in addressing its cybersecurity needs. With a clear vision, policymakers and key stakeholders can drive a more comprehensive, consistent and coherent approach. The NCS shapes the strategic guidelines of a country's cybersecurity approach and plays a crucial role in its cybersecurity protocol. It is summative, and its principles will influence a country's cybersecurity legislation.

One commonality that all countries share throughout their NCS is the goal of translating their nationwide vision into implementable and coherent cybersecurity legislation and regulations. Thus, an NCS should be based on an all-encompassing understanding and analysis of the overall digital environment while being tailored to the country's specific circumstances and priorities.

As mentioned above, the NCS is a stepping stone for cybersecurity legislation to be developed. It articulates the cybersecurity challenges a country faces and the corresponding goals that it aims to achieve. Furthermore, it may also state specific cybersecurity issues to be addressed and actions to be carried out. Below are some of the challenges, goals and issues commonly found in the NCS of our 13 subjects.

Challenges
- Increasing instances of cybercrimes
- Increasing level of sophistication in cyberattacks
- Increasing vulnerabilities in critical infrastructures

Goals
- Enhance cyber resilience
- Control cybersecurity risk
- Leverage international cooperation in combating cybercrime
- Build open and connection-enabled cyberspace

Issues to be addressed
- Domestic legislation and regulation building
- Identify and emphasise critical infrastructures (CI)
- Combat cybercrime
- International cooperation
- Expand the partnership between the public sector and private sector
- Promote the development of the cybersecurity industry
- Raise national cybersecurity maturity level
- Raise awareness and capabilities

To summarise, the NCS is essential for developing a country's cybersecurity. The challenges, goals or measures proposed therein reflect the overall requirements of cybersecurity development and can act as a critical reference point.

3. Cybersecurity legislation

This section
provides an overview and comparative analysis of the diverse approaches and subjects adopted in the nine cybersecurity areas.

3.1 Critical infrastructure (CI) protection

3.1.1 Legislative model
Critical infrastructure protection legislation has entered a mature stage. Most of our sampled countries have CI protection legislation in place; they are Brazil[1,2], Chile[3], China[4], Germany[5], India[6], Singapore[7], South Africa[8], the UAE[9], the UK[10], the US[11], Vietnam[12] and the EU[13,14]. There are two legislative models: one uses dedicated CI protection laws, and the other incorporates the relevant requirements into broader cybersecurity legislation or strategic initiatives.

3.1.2 Legislative framework
We observed commonalities in the writing structure and content coverage of numerous CI protection laws. The structure of the components is as follows:
1. Introduction, definitions and scope of CI protection laws: covers the purpose and scope of the CI protection law.
2. Enforcement bodies and duties: describes the responsibility of government bodies in CI protection, including enforcement bodies and the national Computer Security Incident Response Team (CSIRT).
3. Duties of operators: describes the administrative and technical requirements for CI operators, including their security and incident reporting requirements.
4. Miscellaneous: includes the terms or articles that do not fit in any of the above sections but are deemed critical to CI protection. Often, this section covers contents related to penalties, grace periods, transitional measures, gap analysis and remediation, among others.

3.1.3 Definition and scope
Depending on the national priorities and circumstances of individual countries, CI may encompass a wide range of industries and sectors. In general, energy, transportation, banking and finance, and telecommunications are defined as CI in most countries. Critical infrastructure can have a different name depending on the country in question. It is commonly referred to as critical infrastructure, critical entity (CE) or essential services (ES). Critical information infrastructure (CII) refers to a system carried and operated on the basis of CI and is a concept with a smaller scope. CI, CE and ES are collectively referred to as CI hereafter in this report.

3.1.4 Roles and responsibilities of government authorities
To continuously improve national CI protection, some countries implement the risk management cycle, including managing the vulnerability of critical infrastructure; managing critical infrastructure incident reports; conducting incident investigation; providing cybersecurity advice and support for critical infrastructure; imposing disciplinary actions; and establishing relevant standards of CI protection.

There are two authority models in CI protection. One is having a central authority overseeing the entire CI protection operation, and the other is delegating power to different authorities. However, numerous tasks and multiple stakeholders are involved in CI protection, and many countries in our sample nominate agencies to coordinate and be responsible for CI protection.

3.1.5 Incident reporting mechanism
Most countries have specified their cybersecurity incident/threat reporting requirements for their CI operators/owners. This study found that incident reporting requirements across most jurisdictions include three primary components: the reporting path, time requirements for reporting and reporting content.

Cybersecurity incident reporting path: Most legislation outlines the reporting path when security incidents occur; incidents are generally reported to the national Computer Security Incident Response Team (CSIRT) immediately. While most countries have a CSIRT as the body to which CI incidents are reported, the US has set up CISA (Cybersecurity & Infrastructure Security Agency) to handle incident reporting from CI operators.

Time requirements for reporting: The reporting time requirement ranges from 6 to 72 hours, depending on the situation. In addition, some countries do not have a time requirement or have one that is described in vague wording such as "immediately" or "as soon as possible".

Cybersecurity incident reporting content: Countries with a higher level of cybersecurity maturity provide detailed guidelines on what content needs to be included in the incident report. The content should generally include: a description of the security incident; the time when the incident occurred; the duration of the incident; the security defences that were in place; and the impact and cross-border impact of the incident. On the other hand, countries with a lower maturity level lack specifics in the content coverage guideline.

3.1.6 Security requirements for CI operators
CI operators comply with many security requirements in the CI operation process. Most countries' CI security requirements are based on or derived from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)[16]. The five core parts of the security requirements are divided by function as follows:
- Identify: through assessments such as security risk assessments, with which the organisation understands the cybersecurity risk to organisational operations (including mission, functions, image or reputation), organisational assets and individuals.
- Protect: through programmes such as security awareness and training, with which the organisation's personnel, business partners and suppliers are provided with cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities in line with related policies, procedures and agreements.
- Detect: through activities such as security continuous monitoring, during which information systems and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
- Respond: through processes such as cyber incident response procedures, response planning, communication, analysis, mitigation and improvement.
- Recover: through business continuity management in cyber incidents, with recovery plans or improvement, among other initiatives.

[Figure: NIST Cybersecurity Framework Version 1.1. Credit: N. Hanacek/NIST[15]]

3.2 Incident response and crisis management

Cybersecurity incident response and crisis management are essential components of cybersecurity. They guide all levels of government and non-governmental organisations (NGOs) as well as the private sector to work together to prevent, mitigate, respond to and recover from incidents. Our study noted a global trend of increasingly mature development in cybersecurity incident response legislation, with many countries publishing their cybersecurity incident response laws, including India's CERT-In directives[17], the National Cyber Security Incident Plan of China[18] and the US's Cyber Incident Reporting for Critical Infrastructure Act of 2022[19]. Studies on our samples indicated that the framework of cybersecurity incident response law usually includes incident classification and a reporting mechanism.

3.2.1 Classification of a cybersecurity incident
The study found that most countries have established legal requirements for classifying security incidents. For example, China's National Cyber Security Incident Plan indicates that a cybersecurity incident can be classified into one of four levels: extraordinarily significant, significant, relatively significant and general.

3.2.2 Reporting mechanism
Reporting agency: All research subjects have determined the body or entity to which cyber security incidents should be reported, e.g., the national Computer Security Incident Response Teams (CSIRTs, also known as CERTs). CSIRTs' responsibilities mainly cover the following areas:
- Security incident response management
- Information sharing management
- Collaborative relationships management
- Knowledge building
However, national CSIRTs in developing countries mainly focus on dealing with security incident responses and have less emphasis on raising public awareness through regular training and awareness seminars.

Reporting content: The legislation of most countries does not specify the report content when a security incident occurs. According to the requirements of developed countries, reporting information may include who reported the event, who experienced the event, what type of event occurred, how and when the event was initially detected, what response measures have been taken and who has been notified.

Time requirements for reporting: Most of the legislation describes specific reporting time requirements when security incidents occur. Most countries expect cybersecurity incidents to be reported within 48-72 hours. However, in some cases the
reporting requirements are relatively shorter, at 6-24 hours. At the same time, some countries do not provide a specific time limit for reporting security incidents, and only indicate that they should be reported as soon as possible or immediately after occurring.

3.3 Cybercrime law

In order to ensure an accurate and focused analysis, this paper focuses on cybercrimes that occur exclusively in the digital space. For example, these cybercrimes include hacking of systems or user accounts, system interference, malware, phishing and ransomware, among others. Our scope excludes traditional crimes, such as human trafficking or child pornography, that occur in a non-cyber environment but use the digital space as a tool. Furthermore, based on legal characteristics, we categorised the various stages of combating cybercrime into prevention, investigation and recovery. Notably, our analysis of cybercrime legislation noted a discernible trend wherein many countries are increasingly prioritising preventive measures over investigation and punishment.

3.3.1 Prevention
Cybercrime prevention is a critical aspect of addressing the growing challenges in cyberspace. Cyberspace can be likened to a battleground. Thus, enhancing our warfare defensive capabilities is imperative. As a widely acknowledged principle in jurisprudence, proactive measures are more effective than reactive measures in crime prevention. Governments employ various strategies to prevent cybercrime, including enforcing the implementation of preventive measures, such as those set out in the following documents:
- China: Guiding Opinions on Promoting the Development of the Cybersecurity Industry (Draft for Comments)[20] and Measures for the Administration of Cybersecurity Threat Information Release (Draft for Comments)[21]
- The US: How to recognise & prevent cybercrime[22]
- The EU: Europol's cybercrime-prevention guides[23]

Additionally, governments can collaborate with private companies and other organisations to share information and resources, conduct system audits and assessments and implement robust data protection measures. By taking proactive steps to prevent cybercrime, governments can better safeguard their systems and networks and mitigate potential threats before they materialise into successful cyberattacks. Prevention is a crucial pillar in the fight against cybercrime; it plays a vital role in ensuring the security and resilience of cyber operations.

Moreover, many countries and regions have taken steps to enhance their security measures and prevent cybercrime, thereby raising the barrier to cybercrime occurrence and effectively reducing it. For instance, in 2017, numerous high-profile cyberattacks targeted organisations across different industries in Hong Kong, including licensed corporations (LCs) that are regulated by the Securities and Futures Commission (SFC). These attacks often involved hackers gaining unauthorised access to customers' internet-based trading accounts, resulting in unauthorised trades[24]. To address this issue, the SFC issued a directive mandating internet brokers to implement stricter security measures to combat cybercrime, such as the mandatory implementation of two-factor authentication for logins to clients' internet trading accounts by licensed or registered individuals[25]. These efforts have significantly reduced the number of cyberattacks and the extent of financial losses.

3.3.2 Investigation
While all of the subjects have implemented legislation to combat cybercrime, there are significant differences in the legislative approaches adopted. While some countries have chosen to establish standalone legislation dedicated exclusively to cybercrime, some have opted to augment the provisions of their Penal Code by incorporating cybercrime-related contents. Notably, South Africa, the UAE, the UK, the US and the EU have legislation dedicated to cybercrime. The table below provides an overview of the dedicated laws implemented in each country. The legislation in these countries defines the main types of cybercrime and their corresponding penalties. This legislative approach allows for supplementary provisions to be updated more effectively from a technical standpoint, offering greater adaptability to the evolving nature of cyber threats.

Dedicated cybercrime laws by jurisdiction:
- South Africa: Cybercrimes Act of 2020[26]
- UAE: Federal Decree Law Number 5/2012[27]
- UK: 1. Computer Misuse Act 1990[28]; 2. The Data Protection Act 2018[29]; 3. The Fraud Act 2006[30]
- US: 1. Computer Fraud and Abuse Act; 2. Electronic Communications Protection Act[31]; 3. Many states have special regulations, such as the NY Penal Law[32]
- EU: 2013/40/EU Cybercrime Directive[33]

On the other hand, Brazil, China, Germany, India, Mexico and Vietnam have not introduced dedicated legislation for cybercrime. Instead, these countries have opted to amend their existing criminal laws or other relevant laws to address cybercrime. In Germany, cybercrime offences, jurisdiction and application are governed by a unified German Criminal Code[34], which determines the place of commission of the offence for application purposes. In India, cybercrimes are covered by the Information Technology Act, 2000[35] and the Indian Penal Code, 1860 (IPC)[36]. The Information Technology Act, 2000 deals with issues related to cybercrimes and electronic commerce, and it includes stringent penalties and sanctions enacted by the Indian Parliament to protect the e-government, e-banking and e-commerce sectors. The scope of the Information Technology Act has been expanded to encompass all modern communication devices, including unauthorised access to and the damaging of a victim's computer without due permission.

Chile and Singapore adopted both approaches. In their early stages of combating cybercrime, they amended their existing penal codes. Subsequently, they enacted standalone cybercrime laws to further enhance their efforts in combating cybercrime.

3.3.3 Recovery
After experiencing cybercrime, various governments take measures to remedy and repair the situation, making up for the damage as soon as possible while paving the way for the prevention of similar losses in the future. Useful measures include cyber insurance, awareness-raising activities and post-mortem review.

3.4 Personal data protection

According to data from the United Nations[37], nearly 71% of countries have enacted data protection and privacy legislation. Based on our study, all subjects have enacted dedicated personal data protection laws, such as the EU's General Data Protection Regulation[38] (GDPR) and China's Personal Information Protection Law[39] (PIPL). Our study found that the pathway for legislative publications in most countries is to release the national cybersecurity law first, then the personal data protection law. For example, the EU's cybersecurity law, the Network and Information System Security Directive (NISD)[40], was implemented in 2016, while GDPR was implemented in 2018.

By studying the legislative contents of our sample, we found that the framework for personal data protection law usually includes the following:
- Principles of handling personal data[41].
- Legal basis for data processing[42].
- Rights of the personal information subject.
- Rules for cross-border data transfer.
- Data protection authority.

[Figure: Data protection and privacy legislation worldwide (legend: Legislation / Draft legislation / No legislation). Source: UNCTAD, 14/12/2021]

3.4.1 Principles of handling personal data
Personal data protection laws usually include the following principles[41]: i) lawfulness, fairness and transparency; ii) purpose limitation; iii) data minimisation; iv) accuracy; v) storage minimisation; vi) integrity and confidentiality; and vii) accountability.

3.4.2 Legal basis for data processing
Before processing personal data, the question "What is
the reason for processing personal data?" should be considered. It is clear that any processing of personal data is only lawful if it has a legal basis; if there is no lawful basis for data processing, doing so will be unlawful. In addition, this study found that personal data protection laws in most countries stipulate six key legal bases for data processing, namely consent, the performance of a contract, compliance with a legal obligation, protection of vital interests, protection of public interest and protection of legitimate interest (which are also referred to as business purposes for processing).

3.4.3 Legislative status of personal data subject rights
Some countries' personal data protection laws require data controllers to provide information to data subjects within a specified time frame regarding actions taken in response to their requests. However, there are also countries whose laws do not specify a response time. In addition, the study found that the personal data protection laws in certain developing countries, such as South Africa and Brazil, only grant limited rights to data subjects, which generally include the right to access, rectification and erasure/deletion.

3.4.4 Legislative status of cross-border data transfer
Many countries have gradually enhanced legislation to provide more details and guidance on implementing cross-border data transfer mechanisms. The current cross-border data transfer mechanisms under which personal data can be exported legally include the following two:
1. Transfer of data based on an adequacy decision. Most countries allow personal data to be transferred to countries whose privacy protection level can meet the provisions of the originating country's data protection law. In other words, the country or region to which the personal data is transferred has equivalent legislation in place on personal data protection to ensure the privacy and confidentiality of the personal data and enable data subjects to exercise their rights.
2. Transfers subject to appropriate safeguards. Personal data can also be transferred to countries that have not been recognised as having an adequate level of data protection. Data can be transferred to countries that provide adequate safeguards[43] as a measure to enable cross-border data transfer to be made to a third country, ensuring adequate data protection. For example, Standard Contractual Clauses (SCC), which are legally binding and enforceable instruments between public authorities adopted by the local regulatory authority, and binding corporate rules (BCRs) can be used. This study also found that SCC and BCRs are the most commonly used data transfer tools for enterprises and businesses.

3.4.5 Legislative status of data protection authority
Although all study samples have strengthened supervision of personal data protection, their oversight and management methods vary considerably. This study found that Brazil, Germany and the EU maintain a single privacy protection legislation with a single Data Protection Authority (DPA) entity mechanism. The DPA primarily has the following three regulatory responsibilities:
1. Investigatory: data protection audit, certification review, etc.
2. Authorisation and advisory: handle operations that require prior authorisation, approve corporate rules, etc.
3. Corrective measures and penalties: sanctions, order compliance, impose administrative fines, etc.
In contrast, the responsibilities of DPAs in Chile, China, India, Mexico and Vietnam are shared by different departments at the federal or sectoral level.

3.5 Non-personal data protection

3.5.1 Legislative framework
Non-personal data (NPD) protection is in its early stage of development. Only limited NPD legislation has been enacted at the time of this research, including the EU's Data Governance Act[44] and Free Flow of Non-personal Data in the EU[45], the UAE's Open Data Specifications Guidelines for the UAE Government Entities[46] and Smart Data Framework[47], and China's Data Security Law[48]. The study observed that NPD legislation generally includes two components:
1. General provision and introduction: This section describes the definition and scope of NPD and the responsibilities of the NPD protection authority.
2. Use of NPD: This section describes the requirements for NPD sharing within the domestic public and private sectors, as well as cross-border transfer.

3.5.1.1 Scope and definition
The definition of NPD among the identified legislation is straightforward: data that is not personal data is NPD. However, the scope of the identified NPD legislation varies from country to country. In China, the Data Security Law[48] applies to data processing activities within its territory. In the UAE, the Smart Data Framework[47] applies to entities wishing to use and share data originating in the UAE. In the EU, the Free Flow of Non-personal Data[45] applies to the processing of electronic data except for personal data. Regarding specific NPD legislation regulating the government's ability to share public sector data, the UAE's Open Data Specifications Guidelines[46] and the EU's Data Governance Act[44] are examples of legislation developed to manage this aspect.

3.5.1.2 Roles and responsibilities for NPD authority
An NPD authority plays a key role in establishing, promoting and maintaining
NPD legislation. In China, the Cybersecurity Administration is the NPD authority at the national level, providing high-level guidance to authorities and departments at the regional level on implementing NPD legislation. In the UAE, the Federal Data Management Office is in charge of implementing NPD legislation at the national level. As the EU consists of several member states, there are two levels of NPD authority within the region: the Commission and the Competent Authorities. The Competent Authorities are responsible for developing and implementing the EU's NPD legislation at a state level, while the Commission is responsible for being the central source of information at the EU level and overseeing the implementation of NPD legislation by the states' Competent Authorities.

Common responsibilities for the NPD authority include acting as a single official source of information for NPD legislation, establishing technical standards for the use of NPD, implementing disciplinary actions and maintaining a list of specified NPD entities. Examples include the UAE's Federal Data Management Office, which maintains a list of entities that have applied for an Open Data License; the EU's Competent Authority, which maintains a list of registered data altruism organisations that provide technical advice and assistance; and China's CAC, which maintains a catalogue of essential data at the national level.

3.5.1.3 Use of non-personal data
We have observed three common areas regulated under the NPD legislation:
1. Domestic public sector data sharing;
2. Domestic private sector data sharing; and
3. Cross-border transfer of non-personal data.
NPD legislation also commonly features two principles for NPD usage: data interoperability and localisation.

Domestic public sector data sharing: Based on our observation, public sector data is often shared with minimal restrictions, but the use of public sector data should adhere to the security requirements for the data classification/category it belongs to. For example, in the UAE, NPD can be classified as open data, confidential data or sensitive data, with each having its own security requirements set out in the UAE's Cabinet Resolution No. 21 of 2013, Regulation of Information Security at the Federal Entities, Article DC2.3 of the UAE's Smart Data Standards.

Domestic private sector data sharing: As NPD generated in the private sector is vital to economic productivity, domestic transfer of private sector data is encouraged by NPD legislation. For example, the EU's Free Flow of Non-personal Data[45] emphasises the minimisation of data localisation. However, entities should still establish their own data security organisations to ensure data security when utilising collected data. China's Data Security Law[48], for example, requires the processors of important data to appoint a dedicated person and set up a data security organisation to ensure the data security of their daily activities.

In addition, among the legislation studied, we found that data interoperability is another key concern addressed in NPD legislation. On the one hand, countries such as the UAE have their Open Data Specifications Guidelines for the UAE Government Entities, which provide technical specifications that need to be followed for NPD, so that the data is understandable, shareable, reliable and used as intended. On the other hand, China and the EU, for example, have not developed technical specifications like the UAE's. However, NPD legislation in these jurisdictions outlines the party responsible for supporting the implementation of data interoperability. In China, the CAC will advance the formulation of standards for data development, data utilisation technologies and data security[48]. In the EU, the European Data Innovation Board is tasked with proposing guidelines for a common European data interoperability framework[44].

Cross-border transfer of non-personal data: Even though the domestic free flow of non-personal data is broadly encouraged, some non-personal data is still considered important or critical and is prohibited from being shared with other countries. Certain requirements on cross-border NPD transfer and localisation were found within the sample. For instance, the EU has outlined the requirements for international access and transfer of NPD in Article 31 of the Data Governance Act[44]. China has set out rules on cross-border transfer of NPD in Article 31 of its Data Security Law[48]. In a nutshell, in terms of requirements for data localisation, data related to the government, banking and financial sector, credit status, health, critical infrastructure, and data generated from online or cloud services are, for the most part, required to be stored locally.

China[49,50], Germany[6], the UAE[10], the UK[51,52], the US[53,54], Vietnam[12] and the EU[14,55,56] have legislation in place on ICT vulnerability management. There are two types of legislative models for ICT vulnerability management. One is established through dedicated legislation, and the other is incorporated into the broader cybersecurity legislation. ICT vulnerability management is a lifecycle process, and its legislation is often made up of four phases: identification, analysis and verification, mitigation and disclosure.

3.6.1 Identification
There are three ways to identify vulnerabilities: internal identification, monitoring public sources of vulnerability information and direct reporting of vulnerabilities to the organisation.

3.6.2 Analysis and verification
Some countries incorporate analysis and verification into their regulatory enforcement process. Using tools is a common way to assist in the analysis and verification process and includes automated testing tools, validation
113、 tools and the Common Vulnerability Scoring System.3.6.3 Mitigation Many countries have mitigation requirements in their regulations.For example,Chinas Cyber Product Security Vulnerabilities Management Regulations50state that after cyber product providers(Article 7)and network operators(Article 8)di
114、scover or have been notified that their networks,information systems or equipment have security vulnerabilities,they need to take measures to verify and remediate the known vulnerabilities in a timely manner.3.6 ICT vulnerability management23Volume 1-Introduction and study summary3.6.4 Disclosure Mo
115、st countries have disclosure requirements in their regulations.Vulnerability disclosures usually include responsible disclosure,coordinated vulnerability disclosure,disclosure timeline,disclosure content and encouraged disclosure.Disclosure is the focus area of legislation on ICT vulnerability manag
116、ement,especially responsible disclosure.For example,the EUs NIS 214states that reporters must comply with the proportionality principle-i.e.do not exploit vulnerabilities beyond what is strictly necessary to demonstrate the security problem-and reporters shall provide a clear and detailed descriptio
117、n of the vulnerability to vendors or coordinators.Volume 1-Introduction and study summary24As a crucial component of cybercrime prevention and the development of cyber maturity,cybersecurity awareness and capacity building is of significant importance for all countries.However,the approach taken tow
118、ards this issue varies among countries due to differing levels of national development and cybersecurity maturity.Some countries opt to enact dedicated legislation,such as China,the US,as well as the EU,while others have incorporated cybersecurity awareness-raising efforts within their national cybe
119、rsecurity strategies or awareness campaigns.China has placed great emphasis on raising cybersecurity awareness and has laid out specific requirements for such purpose in its cybersecurity law.The law explicitly mandates that the government and relevant departments organise and conduct regular cybers
120、ecurity awareness campaigns while also guiding and urging other entities to actively engage in cybersecurity education and publicity.Similarly,the US has addressed the importance of raising cybersecurity awareness in various laws and regulatory documents,such as the Gramm-Leach-Bliley Act57.The US h
121、as also issued a series of cybersecurity policies,national strategies,action plans,and presidential executive orders to help raise the cybersecurity awareness of citizens.In the EU,the recently revised NIS 2 Directive has delineated the responsibilities of government agencies and enterprises in each
122、 member state with regard to raising cybersecurity awareness.This directive provides a framework for promoting cybersecurity education and awareness at both the government and enterprise levels.3.7 Awareness and capability25Volume 1-Introduction and study summaryIt should be noted that countries wit
123、h dedicated legislation for raising cybersecurity awareness also implement complementary measures in addition to legal provisions,such as organising cybersecurity activities(such as national and/or sectoral cyberattacks drills)and issuing relevant national cybersecurity strategies to highlight its p
124、ositive impact on society.Our study indicates that,with the exception of the three aforementioned countries,most countries do not yet have comprehensive legislations that specifically address cybersecurity awareness and capacity development.However,it is evident that more countries recognise the sig
125、nificance of raising public awareness about cybersecurity issues and have implemented other administrative measures accordingly.For instance,India does not currently have a dedicated legislation on raising cybersecurity awareness and education,yet it has implementedmeasures,as mentioned in its Natio
126、nal Cyber Security Strategy 202059emphasising the need to attract young talents to the field of cybersecurity through targeted awareness campaigns and enticing career opportunities.Additionally,October is declared as the Cyber Security Awareness Month(CSAM)globally60,a range of posters and video cam
127、paigns were launched,and public surveys were conducted to assess the current level of cybersecurity awareness and identify areas for improvement.CSAM is globally recognised as a collaborative effort between governments,industries,and individuals to foster dialogue and raise awareness about priority
areas in cybersecurity. Through various awareness activities, CSAM encourages individuals, the workforce and the community to adopt stronger security measures and work collectively towards creating a more effective security culture.

3.8 International cooperation

International cooperation in cybersecurity is more commonly mentioned in national cybersecurity legislation. For example, Article 42 of the EU's Cybersecurity Act states that ENISA may cooperate with competent authorities of third countries or with international organisations or both [60]. Article 17 of the EU's NIS 2 Directive states that the Union may, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations [14]. Article 7 of China's Cybersecurity Law states that the state shall actively carry out international exchange and cooperation in terms of cyberspace governance [49].

In addition, this study looks into the mechanism of international cooperation. In general, the cooperation mechanism can be defined as state-to-state cooperation or state-to-private-sector cooperation. Under the state-to-state cooperation mechanism, the relationship can be established through bilateral or multilateral partnerships. Currently, there are numerous bilateral agreements for international cooperation on cybersecurity between countries in the sample and their allies, e.g., the US-United Kingdom Cybersecurity Cooperation [61]; the UK-Australia Cyber and Critical Technology Partnership [62]; a Memorandum of Understanding (MoU) on developing capacity building of internet security and tech cooperation between China and Indonesia [63]; and an MoU for cybersecurity between China and Thailand [64]. Among the numerous multilateral cybersecurity partnerships, it is observed that partnerships are more commonly formed among countries with geographic proximity or countries that have already formed collaborative relationships in other areas. The table below is a non-exhaustive list of cybersecurity cooperation legislation and binding agreements noted within our sample.

The state-to-private-sector cooperation mechanism is a more important and widespread form of cooperation in view of the higher degree of flexibility that can be adopted. For example, the private sector has designed training for policymakers to improve their technical skills. Furthermore, enterprises have signed MoUs with governments to help foster national cybersecurity capability. Under this mechanism, governments can leverage the knowledge and skills of the private sector. The partnership also provides greater opportunities for the private sector to contribute to developing national cybersecurity, efficiently enhancing the competitiveness of the cybersecurity technologies and solutions marketplace and further strengthening the overall national cybersecurity capability.

Legislation and binding agreements for cybersecurity cooperation within the sample

China: Shanghai Cooperation Organisation: Statement by the Heads of Member States of the Shanghai Cooperation Organisation on International Information Security; The China-ASEAN Joint Declaration in the Field of Non-Traditional Security Issues of 2002
South Africa: African Union Convention on Cyber Security and Personal Data Protection
UAE: Arab Convention on Combating Information Technology Offence
US: Organisation of American States: Declaration Strengthening Cybersecurity in the Americas; Organisation of American States: Declaration on the Protection of Critical Infrastructure from Emerging Threats
EU: NIS 2 Directive; Cybersecurity Act
Global: Convention on Cybercrime (Budapest Convention)

3.9 Cybersecurity technologies and solutions marketplace

The cybersecurity technologies and solutions market mainly includes three types of products and services: technologies (cybersecurity technologies and solutions), services and expertise, and security management of outsourcing services.

3.9.1 Cybersecurity technologies

Some countries have stipulated cybersecurity technology control requirements in their regulations, which involve certification, risk assessment and standard security processes for cybersecurity technologies.

3.9.2 Cybersecurity services and expertise

Services and expertise laws and regulations often include talent training plans or arrangements at the national level. For example, in the US, CISA [65] has three ways to build cybersecurity expertise and capacity, namely through the Cyber Career Pathways Tool, incorporating cybersecurity concepts into classrooms, and advancing the cybersecurity profession with the National Initiative for Cybersecurity Education's Workforce Framework for Cybersecurity (NICE Framework) and CISA's National Initiative for Cybersecurity Careers and Studies (NICCS). The NICE Framework is the foundation for increasing the size and capability of the US cybersecurity workforce. The NICCS is a national resource for cybersecurity awareness, education, training and career opportunities.

3.9.3 Security management of outsourcing services

The regulations in some countries cover the measures to mitigate the security impact of outsourcing. They are: conducting risk assessments; sharing responsibility; reviewing the practice of sub-tier suppliers; preparing an emergency response plan; and incorporating cybersecurity measures into contractual arrangements with suppliers and service providers.

4. Designing cybersecurity legislation

Our comparative study on the nine areas of cybersecurity found that there is no one-size-fits-all method when designing cybersecurity legislation. Every country has its unique national circumstances, development priorities and exposure to cyber threats. Furthermore, varying maturity levels in cybersecurity, unique stakeholder characteristics and different approaches to governance contribute to the notion that designing cybersecurity legislation is a unique process for each country. Through
extensive analysis and academic research, however, our study identified five considerations that are foundational, universally applicable and significantly beneficial for countries to take into account when designing their cybersecurity legislation:

1. Designing affordable cybersecurity legislation
2. Recognising cybersecurity as a shared responsibility
3. Strengthening cybersecurity baseline requirements to prevent cybercrime
4. Collaborating to solve cybersecurity problems
5. Balancing security and development

4.1 Designing affordable cybersecurity legislation

Affordability refers to a country's ability and capacity to design and enforce cybersecurity legislation. On the one hand, affordability addresses whether the public and private sectors have sufficient financial or human resources to coordinate and implement measures to meet the relevant requirements set out in the laws. On the other hand, affordability refers to whether the country's social, economic and political situations allow the required measures to be adopted realistically. The World Bank also believes affordability is an essential consideration in designing policies, stating that no matter how technically sound a policy is, programmes are likely to fail if the public sector lacks capacity and institutional support to execute them [66].

Our analysis indicated that most countries have established cybersecurity measures in line with their affordability. We observed that socioeconomically more developed countries have enforced cybersecurity legislation with more stringent requirements and wider scope of coverage. The concept of affordability may seem fundamental and elementary, and it is self-explanatory that countries with greater capacity to allocate more resources will produce more complex and comprehensive policy. However, our analysis also observed cases where a few countries pushed forward robust legislative standards and requirements when compared to peer countries at a similar socioeconomic development level.

When governments do not consider the factors addressed under affordability during policy design, they may experience costly consequences, called the Policy Implementation Gap (PIG). The gap refers to the differences between the expected outcomes during the policy design stage and the actual results after implementation. Research conducted by the University of Kent explains that the occurrence of PIG can be attributed to one of two reasons: the lack of a realistic assessment of the implementation ability and the lack of multi-stakeholder collaboration [67]. Assessing the affordability of both the government and the complying stakeholders early in the design stage through active discussions may minimise the possibility of PIG.

One way to minimise PIG: sectoral regulation approach

During our comparative study, we observed a distinctive approach that many sampled countries adopted while designing cybersecurity legislation. The approach, known as sectoral regulation, is to create regulations and guidelines to explicitly address a single particular sector or industry.

A noteworthy trend was how countries with relatively lower socioeconomic development levels enacted sectoral regulations prior to drafting national cybersecurity legislation. Research indicated that such an approach can minimise complexity and maximise efficiency. Numerous scholars argue that the multi- or cross-sector regulation approach is highly complex and runs the risk of low practicality. Schwartz and Satola, scholars from the World Bank, argue that establishing a legal framework for a multi-sector regulator (MSR) is more complex than creating one for a single-sector regulator (SSR) [68]. Moreover, the Software Alliance (BSA), a multinational technology innovation public policy group, also argues that although cybersecurity does apply to all industries, there is a need for tailored guidance to address the unique risks or specific operations in certain sectors based on their business needs [69]. Laffont and Tirole, from the Massachusetts Institute of Technology Press, argue that an SSR may be better able to specialise and develop industry-specific expertise than an MSR [70]. In other words, a sectoral regulation approach may enable lawmakers and regulatory bodies to better understand each sector's cybersecurity situation and needs. The enhanced level of understanding, in turn, may lead to policies that align with the capacity and affordability of both the enforcing regulators and the complying stakeholders. Ultimately, this would minimise policy implementation gaps.

We identified numerous sectoral regulations across a diverse range of industries within our sample. One commonality observed was the presence and comprehensiveness of cybersecurity regulations in the finance and banking sector. This might be an indicator that there is an urgent need for cybersecurity measures in that particular sector. Given the unique national circumstances and needs, this paper does not intend to suggest a standardised order for all countries to follow when deciding which sector to prioritise their cybersecurity legislative efforts on. However, there are two factors that countries should consider when making their tailored lists. The first factor is whether the sector contains critical infrastructures (CIs). CIs, as the backbone of a country's major operations, are increasingly digitised across the globe. Thus, strengthening the cybersecurity of CIs is of paramount importance. Complementing this first factor, governments should also consider prioritising sectors that face the highest frequency of cyberattacks. As mentioned earlier, all of the countries in our sample have put in place sectoral cybersecurity regulations in the finance and banking sector. This aligns with IBM's global cyberattack trend analysis, which identified the finance and banking sector as the recipient of the largest number of cyberattacks from 2016 to 2020 [71]. Considering these two factors, countries may consider prioritising certain sectors, including but not limited to banking and finance, energy, transportation and insurance.

4.2 Recognising cybersecurity as a shared responsibility

Connectivity is the foundation upon which the benefits of digitisation lie. The quick and boundless transfer of information through cyberspace enables people to connect with significantly improved efficiency. The enhanced collaboration has allowed organisations to solve complex problems and create innovative solutions. However, due to high connectivity, the risks of and exposure to cyberattacks have also increased significantly. A successful attack on one channel may easily open the doors to another connected device or network. Thus, all stakeholders in society, including the government, private sector and individual citizens, have a role to play in establishing and practising cybersecurity measures. Cooperation under the recognition of shared
responsibility is the foundation of building a holistically safe and secure digital environment.

Scholars from the Centre for Strategic & International Studies argue that although there are things that only governments can do for cybersecurity, it is unrealistic to expect governments to handle all the risks and threats [72]. When guiding national cybersecurity development, governments should recognise the nature of shared responsibility for cybersecurity. Policies and regulations should reflect this and promote collaboration, discussion and reasonable sharing of responsibilities. In many cases, stakeholders with deeper technical expertise, such as service providers or equipment vendors, are assumed to have to own more responsibilities for cybersecurity. The responsibilities should instead be shared among the stakeholders in a reasonable and clear manner. Governments should understand the importance of collaboration among the diverse range of industries operating in society through multi-stakeholder discussion, and through this, produce practical and accountable legislation. For example, the Groupe Speciale Mobile Association (GSMA), a renowned research institution in the telecommunications sector, produced a 5G cybersecurity shared responsibility model that illustrates the transparent and fair sharing of responsibilities among diverse stakeholders.

Shared responsibility example: GSMA's shared responsibility model for 5G cybersecurity

With the growing adoption of 5G network infrastructure globally, establishing 5G cybersecurity is also increasingly moving into the spotlight. The GSMA produced a shared responsibility model that enables a holistic 5G cybersecurity establishment with responsibilities clearly shared among diverse stakeholders [73]. The model suggests that at the product level, vendors, such as equipment or device suppliers, should have security assurance processes throughout product development and its lifecycle. At the network level, the mobile network operators (MNOs) should ensure sound security management of the network infrastructure. At the application level, the application developers, service providers and device users should actively cooperate to protect the 5G network. Throughout all levels, governments should develop regulations to supervise each stakeholder in fulfilling their roles and responsibilities. Moreover, standard-setting organisations should provide support by clearly defining requirements for operators to follow.

According to the model, the diverse range of stakeholders should take up their corresponding roles and responsibilities throughout the entire 5G cybersecurity value chain. Not only do vendors and MNOs need to manage the technical aspects of cybersecurity, but device users, governments and standard organisations also need to be actively engaged in establishing a holistically secure 5G environment. Although the model is designed for the 5G sector only, it is an exemplary model that countries may refer to when applying the notion of shared responsibility in all areas of cybersecurity.

[Figure: GSMA's shared responsibility model for 5G cybersecurity. Vendors: product security. MNOs: deployment and operation security. Service provider and customers: application security, delivery. Government: develop legislation and regulations; implement E2E security supervision. Standard organisations: define requirement and standard scheme. E2E supply chain risk management and "Eco Sec" span the chain. Source: GSMA]

4.3 Strengthening cybersecurity baseline requirements to prevent cybercrime

The United Nations Office on Drugs and Crime
(UNODC) classifies the contents of cybercrime law into Substantive, Procedural and Preventive categories [74]. Similarly, our comparative analysis identified three components of cybercrime law: Prevention, Investigation and Recovery (Section 3.3). Our analysis also noted that investigations and penalties were the dominant approaches governments took in the earlier stages of addressing cybercrime. However, in the recent decade, we have observed a shift in the trend for combating cybercrime, from investigation to prevention. Such a shift could be due to a better understanding of the challenges around investigation and the high efficiency of prevention measures.

Challenges in investigation

Our analysis identified numerous research papers [75,76] that shed light on the challenges in investigating cybercrime. A report jointly published by Europol and Eurojust on Common Challenges in Combating Cybercrime states that a key challenge investigation authorities face is collecting electronic communication data (ECD), which is the key to the successful investigation and prosecution of cybercrime [77]. ECD is personal or non-personal information collected, usually by service providers in the private sector. Since this data is linked closely with privacy concerns, companies are often sensitive and reluctant to share this form of customer data with investigators. The fear of liability and potential privacy infringement hinders data collectors from freely supporting investigation authorities. On top of that, the rapid development of data encryption technology has further complicated the processing of ECD. Numerous communication service platforms have adopted data anonymisation and encryption policies into their service operations, which has resulted in offenders exploiting these technologies. Consequently, collecting and using ECD, which is essential for investigation, requires many resources, incurs long delays and carries privacy concerns [77].

Another challenge is the absence of a unified legal framework across governments that enables the free flow of data and clarifies jurisdiction in boundless cyberspace. Cybercrime, especially large-scale attacks, usually occurs across geopolitical boundaries. Thus, investigation of cybercrime usually requires cross-border data transfer. As our analysis on cross-border data transfer (Sections 3.4-3.5) suggests, even when data evidence is available, sharing it with the country in need may require a significant amount of time and effort. Furthermore, while cybercrimes are committed in borderless cyberspace, geopolitical jurisdictions and non-unified regulations give rise to confusion and conflict on who should investigate and penalise the offenders. Investigation of cybercrime is, indeed, an essential component in the war against cybercrime. However, it is crucial for governments and businesses, especially those with resource constraints, to recognise the limitations, affiliated risks and affordability of investing significant resources into investigating cybercrimes.

Higher efficiency through prevention

The logic behind cybercrime prevention is increasing the difficulty and the cost of committing cyberattacks so that the return on the crime's investment is reduced, and so is the incentive for cyber criminals. As mentioned earlier, governments are increasingly shifting their attention from investigating to preventing cybercrime. Numerous research and experts suggest that even a marginal increase in cyber resilience, especially among individuals or small and medium-sized enterprises (SMEs), may create a significant deterrence effect. For instance, simply adopting multi-factor authentication (MFA) for online accounts can prevent 99.9% of automated cyberattacks [78,79,80]. Establishing fundamental baseline requirements that raise the basic level of security across stakeholders may produce significant drops in cybercrime. Baseline refers to fundamental procedures, guidelines or standards that establish a foundational level of cybersecurity. There are numerous approaches and methods that can establish a baseline. Below, we explain two well-recognised frameworks which countries may utilise to develop their baseline requirements.

The first is the Multi-Layered Defence (MLD) framework. It is a security approach that adopts and deploys multiple security controls and components, referred to as layers, in a system so that different components may cover each other's flaws or gaps [81]. The layer in this security concept does not refer to the deployment of multiple copies of the same security tool. The layered security approach adopts multiple types of protection mechanisms against diverse vectors of attack [82]. Some examples of security layers include firewalls, patch management, multi-factor authentication, endpoint protection, email filtering, awareness training and physical security. While there may be some overlapping characteristics among these security measures, the core area of protection for each is distinct. The different layers work together to bolster defence and establish a stronger foundation for secured cyber operations. Adopting an MLD framework as the baseline in cybersecurity would effectively build resilience to prepare for, respond to and recover from cyberattacks.

The other framework is the Zero Trust security model. As the model's name suggests, Zero Trust articulates a premise that an actor can be trusted only after being sufficiently vetted. It is based on the assumption that the source of a cyberattack can be anyone, anywhere or anything [83]. With this stringent vetting process for all actors before gaining access rights to systems, sensitive information is protected holistically from both external and internal threats. Singapore, for instance, has adopted both frameworks in its Cybersecurity Code of Practice for Critical Information Infrastructure (CII). Under its section 3.5, Cybersecurity Design Principles, sub-section 3.5.2 urges CII operators to adopt, to the extent possible, MLD (Singapore uses the term
defence-by-diversity) and Zero Trust principles in relation to their people, processes and technologies to reduce cybersecurity risks to the CII [84]. Incorporating concepts such as MLD or Zero Trust as baseline requirements is not solely about providing technical guidelines for stakeholders to follow. More importantly, they intend to raise awareness and shape stakeholder mindset with alert, comprehensive and defence-oriented cybersecurity ideologies. The baseline requirements, however, must ensure that stakeholders have the capability or sufficient support to fulfil their obligations. If not, the occurrence of PIG may be inevitable.

4.4 Collaborating to solve cybersecurity problems

As cybersecurity should be a shared responsibility, the process of establishing it involves multiple stakeholders and requires effective communication. Discussion and collaboration are essential elements of finding and enforcing solutions to address cybersecurity issues. There are two well-recognised collaboration methods: Multi-Stakeholder Partnership (MSP) and Public-Private Partnership (PPP). These modes of partnership are not only beneficial but fundamental in designing and enforcing cybersecurity legislation.

Multi-Stakeholder Partnership (MSP)

It is vital to understand stakeholder affordability, responsibilities and needs when designing cybersecurity legislation. A well-recognised method to attain such an understanding is MSP. The Partnering Initiative (TPI), one of the global pioneers in the field, defines MSP as different societal players working together, sharing risks, and combining unique resources and competencies to address challenges or exploit opportunities in ways that one cannot achieve alone [85]. Partnership 2030, a research group advocated by the United Nations MSP Charter, identifies MSP as a partnership where the public sector, private sector, civil society and academia work together as equals through an organised and long-term engagement in order to contribute to the common good [86]. The noteworthy points under these definitions are the diversity in stakeholders, the equality among them, the sharing of risks and resources and the achievement of collective objectives. According to Global Partners Digital (GPD), successful MSP cases ensure effective stakeholder engagement by creating an open, inclusive, transparent and accountable collaboration environment. The value of MSP is generated from the transfer of knowledge, information and resources between stakeholders. Hence, building trust and confidence among them is essential for fully realising the value of the model. MSP can produce the most desired outcomes if stakeholders are confident that their voices are heard equally and that the system is non-discriminatory, unbiased and transparent [86]. Partnership 2030 aligns with this view, stating that the essential characteristics of a successful MSP are non-discriminatory identification of relevant stakeholders and an equal opportunity for stakeholders to participate in and benefit from the partnerships [87].

Adopting an MSP approach in legislation design and implementation is well-recognised by scholars across the field [88]. In the realm of cybersecurity, MSP has been a widely considered topic in international discussions. The Global Conference on Cyber Space (GCCS) has repeatedly highlighted the importance of adopting MSP in developing cybersecurity policies. The conference chair's statement articulates that governments are urged to ensure that cyber policies at the national, regional and international levels are developed through multi-stakeholder approaches that include civil society, the technical community, businesses and governments across the globe [89]. Furthermore, the UN Group of Governmental Experts, in its 2015 report, also supported the use of the MSP model in addressing cybersecurity problems by stating that governments would benefit from the appropriate participation of the private sector, academia and civil society [90]. When devising solutions for cybersecurity problems, different stakeholders can bring unique values and perspectives to the table. The private sector is well informed on the forms of cyber threats businesses face, products and innovations available in the market, or whether there are any PIGs. Academia can introduce the latest research findings, aggregate insights from international forums or educate future talents. Civil society addresses the human rights implications of security policies, assesses the impact o
218、f policies on different members of society and draws attention to areas requiring more prioritised attention91.Within the public sector,relevant ministries,agencies,judiciaries,law enforcement bodies,or national defence authorities can each provide unique and diverse opinions that can be insightful
219、for devising solutions to cybersecurity challenges92.The following examples from Mexico and India illustrate how an MSP can be adopted for solving cybersecurity problems.39Volume 1-Introduction and study summaryVolume 1-Introduction and study summary40MSP examplesMexicoIn the early days of cybersecu
220、rity establishment,the Mexican government and the Organisation of American States(OAS)coordinated a roundtable discussion where diverse stakeholders and experts gathered together to understand Mexicos cybersecurity status and its future direction93.Not only did technical specialists join the discuss
221、ion,but academic scholars,businesses from the industrial and financial sectors,and stakeholders from civil society also made their voices heard.Furthermore,the government hosted a series of workshops inviting international experts from across the globe to discuss the topic with representatives from
222、the legislative and executive branches of the Mexican public sector94.These discussions yielded a set of expert recommendations to guide Mexicos national cybersecurity framework and strategy.Moreover,the Mexican government gained access to greater resources and insights from the private sector for a
more comprehensive and accurate assessment of the country's cyber-readiness and maturity level [94].

India

India introduced the Indian Cyber Crime Coordination Centre (I4C) scheme in 2018 to strengthen its efforts in combating cybercrime through multi-stakeholder cooperation [96]. The scheme is a highly comprehensive initiative encompassing projects related to crime investigation, research and development, legislative amendment and international cooperation. The National Cybercrime Threat Analytics Unit (TAU) was formed, along with numerous other projects, under the scheme to provide a platform for law enforcement personnel, persons from the private sector, academia and research organisations to work collaboratively on threat intelligence reports. The scheme also founded the Cybercrime Ecosystem Management Unit, in which academia, industry experts and government authorities collaborate on cybercrime investigations [97]. Furthermore, the National Cyber Research and Innovation Centre was also established to invite diverse stakeholders from academia, the private sector and inter-governmental organisations to leverage their expertise on emerging technological development and potential associated vulnerabilities [98].

The Mexican and Indian examples demonstrate the benefits of incorporating MSP into cybersecurity issues and the versatile ways in which MSP can find solutions to address cybersecurity issues. There is no standardised correct method of forming an MSP. However, as mentioned earlier, the most desired outcomes of MSP can be produced under a non-discriminatory, neutral and transparent platform for dialogue where stakeholders are confident that their voices are heard with equal standing. Under the MSP model, expertise and resources can be shared, and the affordability, responsibilities and needs of relevant stakeholders can be understood. These benefits all contribute to minimising the extent of PIG. As the central coordinator for society, governments carry the role of identifying the relevant stakeholders and creating effective channels for dialogue and discussion.

Public-Private Partnership (PPP)

After identifying challenges, affordability and potential solutions through multi-stakeholder discussions, governments, in many cases, cooperate with the private sector to enforce the implementation of action plans. Such cooperation between the public sector and private entities is referred to as Public-Private Partnerships (PPPs). The following is a non-exhaustive list of PPP cases noted in our sample.

PPP in national cybersecurity commitments and initiatives

Country/region | Documents/initiatives
Chile | First Latin American country to join Microsoft's Government Security Program (GSP), which offers governments cybersecurity information [99]. The Chilean attorney general's office signed a collaboration agreement with Microsoft to receive consultation on investigating cyber criminals [99].
India | Kerala's Cyberdome: a PPP initiated by Kerala's police department to collaborate with private cybersecurity entities on reactive and preventive cyber incident management. The initiative has been replicated in Assam, Maharashtra, Gujarat and Tamil Nadu [100].
Singapore | Singtel Cyber Security Institute: a workforce development and education institution created by Singapore Telecommunications Limited in partnership with the Economic Development Board, FireEye, Symantec and Palo Alto Networks [101].
South Africa | The National Cybersecurity Policy Framework (NCPF) repeatedly stresses the implementation of government-led PPP [102].
UAE | Cyber Pulse Innovation Centre: a joint initiative between the UAE government, Abu Dhabi Polytechnic and Huawei for training talent in cybersecurity [103]. The UAE Cybersecurity Council signed an MoU with Huawei to collaborate on promoting innovation, strengthening national strategies and driving capacity development [104].
UK | PPP is strongly supported by the national cybersecurity strategy. The Centre for the Protection of National Infrastructure (CPNI) conducts information exchange with private entities at a sector-specific level, which includes approximately 14 sectors.
US | Executive Order 13636 for Improving Critical Infrastructure Cybersecurity: the National Institute of Standards and Technology (NIST) is tasked with cooperating with the private sector in building a cybersecurity framework by identifying industry best practices and voluntary consensus standards [105]. The US Department of Homeland Security (DHS) implemented a cyber-threat information sharing program that automates the rapid and timely transfer of threat information between the public and private sectors [106].
EU | European Public-Private Partnership for Resilience (EP3R) [107]; Cooperative Models for Public-Private Partnership (PPP) [108].

The table above illustrates how governments across the world are utilising diverse forms of PPP to address different cybersecurity challenges. The PPP model has been adopted to build cybersecurity frameworks, protect national critical infrastructures, report incidents and vulnerabilities, train future talent, educate government authorities and investigate cybercrime. Governments are taking such profound and extensive PPP measures because of the inseparable nature of establishing national cybersecurity with the private sector, and the "synergistic effect of sharing innovative resource use and application of management knowledge" that partnering with the private sector creates [109]. Scholars such as Kruhlov, Latynin, Horban and Petrov argue that PPP is increasingly seen as addressing many of the challenges posed by cybersecurity management because of the existing network communications, server equipment and highly specialised professionals in private businesses [109]. From establishing ICT infrastructures and designing technical safety regulations to information exchanges and investigating and preventing cyber threats, the expertise of the private sector is needed in all areas to establish cybersecurity. Furthermore, in many countries, numerous essential services, including critical infrastructure, are handled by private entities. The following case study on Singapore (Part 1) explains how Singapore has privatised over 40 Government-Linked Companies (GLCs), including numerous CIs, in the past three decades. Thus, it is not just beneficial but fundamentally important for governments to cooperate with private sector bodies in addressing cybersecurity issues. Part 2 of the case study further illustrates two different approaches Singapore has taken in its cybersecurity PPP efforts.

Case study on Singapore's Public-Private Partnership

Part 1: The private sector presence in Singapore's CI sector

Since its independence in 1965, Singapore has adopted a state-led development approach to establish its national infrastructure and economy. The state-owned enterprises, known as Government-Linked Companies (GLCs), ran various vital sectors that served as the foundation of the country's operation. In 1985, however, an economic recession hit the country, which shed light on the need for higher operational efficiency and productivity. To address the challenge, Singapore took a deregulation and privatisation approach so that market forces might drive the country out of economic stagnation. Over the following decades, more than 40 GLCs were privatised, including numerous critical infrastructures (CI). Today, with strong private sector ownership across its CI sectors, it is not a choice but a natural
course of action for the Singapore government to partner closely with private sector owners to address the cybersecurity of its CIs.

Part 2: Singapore's Public-Private Partnership (PPP) in cybersecurity

We observed two different approaches Singapore took in establishing PPP in cybersecurity. One approach is based on a variation of the Design-Build-Finance-Operate (DBFO) model, in which the government procures private entities to design, build, finance and operate public projects under a contractual agreement with set terms and public grant supplements [110]. The method shares risks, responsibilities and resources in delivering public service projects with private sector contractors who have the expertise and economic incentives [111]. An example is the Cyber-Watch Centre (CWC) implemented by the Infocomm Development Authority of Singapore (IDA) in 2007. The CWC was established utilising the DBO model. IDA appointed e-Cop Pte Ltd, a managed security and monitoring services firm, to design, build and operate the CWC [112]. The Centre has successfully monitored cyber threats that the government network received and provided an early warning system for efficient prevention and remediation [112]. In 2022, the CWC was replaced with the Government Cyber Security Operations Centre (GCSOC), which is now under the commission of the Government Technology Agency (GovTech) [113]. While there are standalone cybersecurity PPPs like the CWC project, other procurement PPP projects, such as infrastructure projects, often include cybersecurity requirements as part of the overall contract [111].

Another PPP approach is establishing an MoU. An MoU is a form of agreement that outlines the common understanding of the action, partnership, commitment and outcome. However, it is not a legally binding agreement or an enforceable contract. It is a stepping stone for two parties to explore and develop a formal relationship [114]. Instead of a top-down regulation that forces the private sector into serving the needs of the public sector, Singapore's MoU approach intends to consider the opinions and affordability of the private sector partners. Only after extensive discussions and successfully establishing collaboration will the MoU progress into a binding agreement that specifies human and financial commitments. The Cyber Security Agency of Singapore (CSA) signed numerous MoUs with a diverse range of private sector partners, including Singtel, FireEye, Microsoft, Palo Alto Networks and Check Point Software Technologies, on various areas of cybersecurity. These MoUs led to significant contributions to Singapore's cybersecurity research and development, information sharing and workforce development [111]. The cases under the two approaches demonstrate how PPP enabled Singapore to harness the expertise and efficiency of the private sector to implement cybersecurity measures more effectively and create a more secure digital environment in Singapore.

International cooperation

Under both the MSP and PPP cooperation models, an integral element governments must consider is expanding the scope of partnership beyond domestic stakeholders. As our comparative analysis on international cooperation (Section 3.8) suggests, forms of cooperation include inter-governmental dialogues or treaties, partnerships between governments and foreign private entities, NGO-initiated partnerships and dialogue programmes, or a combination of the above. As we can see from Mexico's MSP example and the PPP examples from Chile, governments are reaping significant benefits from inviting foreign public and private entities into the development
of domestic cybersecurity solutions. Furthermore, governments are also engaging themselves in global dialogues. There are multilateral initiatives, such as the Global Conference on Cyber Space (GCCS) or the Budapest Convention, that enable the sharing of knowledge and resources within the global community. Regional or bilateral cooperation also enhances the depth of partnerships, e.g., the African Union Convention on Cybersecurity and the China-ASEAN Cybersecurity Communication and Training Centre. Especially for countries in the earlier stages of socioeconomic development, and with low cybersecurity maturity, the expertise and resources of foreign stakeholders open opportunities that cannot otherwise be harvested within the limited domestic landscape. Capacity-building cooperation provides opportunities to benchmark successful legislation, learn from the past experiences of industry-leading partners and receive advisory support from a broader range of expertise. The OECD report on cybersecurity policy making states that capacity building of less developed countries is shared as a key objective by most strategies [115]. Resonating with the notion of shared responsibility, incorporating international cooperation in MSP and PPP would empower nations to fulfil their roles as members of the global cyber arena. Thus, international cooperation is essential in building comprehensive cyber resilience for both the domestic and global communities.

4.5 Balancing security and development

The final consideration addresses the fundamental objective and nature of establishing cybersecurity while not hindering the development of society. Technology advancement and the proliferation of digitisation opened a new chapter on how societies, businesses and governments operate. While the growth potential spurred by cyber development is boundless, it can also be reckless if not managed carefully. Cybersecurity legislation is to set up guardrails to guide and protect people on their path of development. Governments' role should be to ensure the security of their countries and their people in this rapidly expanding digital environment. Having excessively stringent security measures, however, may produce the unintended consequence of hindering the development of societies and economies. Although the intent of protecting society from cyber threats is well recognised, excessively stringent security measures may overshadow opportunities for innovation and progress. In the name of security enhancement, legislation may blindly place excessive compliance responsibilities on stakeholders that they cannot afford. Such measures may be unsustainable and suppress stakeholders' ability to grow and innovate. We must recognise that enhancing cybersecurity and attaining economic development are two sides of the same coin. We cannot accomplish one without the other. Economic development cannot be sustainable without a secure digital environment, and cybersecurity is meaningless when economic development is stagnant. Designing good cybersecurity legislation is, thus, finding the right balance between security and development. The right balance would create a secure digital environment that stimulates sustainable ICT development, the kind of development that would allow the growth of our digital economy and enable the betterment of people's livelihoods. By placing such an ideology and mindset at the core of designing cybersecurity legislation, governments may bring stakeholders together with a shared and unified vision of secure development.

4.6 Case study: an analysis of the Electronic Communication Services Act of Finland

The Electronic Communication Services Act of Finland well reflects some of our considerations.

Background

In January 2020, the European Commission published a set of soft laws called the EU 5G Toolbox for member states to follow when designing national security measures for 5G deployment [116]. The Commission left the specifics of the regulations up to each government to decide. Following the announcement, the EU member states took divergent approaches to produce 5G cybersecurity regulations and implementation frameworks based on their national circumstances [117]. As one of the earliest adopters, in December 2020, Eduskunta, the Parliament of Finland, passed the Electronic Communication Services Act, which details regulatory guidelines on the who, what and how of managing 5G cybersecurity in Finland [118].

Implication for the considerations

Finland is recognised by numerous scholars and experts as one of the pioneers of 5G technology, leading the progressive development of 5G infrastructure in the European region [119]. The Finnish Act provides a comprehensive framework for assessing communication network devices used in critical parts of the public communication network. The following table is a visual illustration of Finland's 5G cybersecurity implementation framework. The government and the parliament provided legal guidance and appointed the Transport & Communications Agency (Traficom) as the central decision-making body. Traficom communicates with a range of stakeholders, conducts security assessments and enforces necessary measures to ensure the security of the 5G network. Traficom has two-way communication channels with the Advisory Board, 5G operators and equipment vendors.

Section 244b of the Act stipulates the creation of an Advisory Board to comprehensively evaluate and monitor the development of the communication networks as well as the implementation of legislative practices regarding network security [120]. As illustrated in the above table, a wide range of stakeholders from various ministries and administrative sectors are represented on the board. Expert opinions and potential concerns from the fields of defence, foreign affairs and labour are incorporated into decision-making for 5G cybersecurity issues. The advisory board provides recommendations to Traficom on how to improve
security measures and legislation [120]. Integration of multiple stakeholders with diverse backgrounds, expertise and resources enables the decision-making body to guide the country's 5G cybersecurity legislation from a comprehensive perspective.

[Figure: Finland's 5G cybersecurity implementation framework. Boxes and labels recovered from the figure: Government & Parliament (laws & regulations); Advisory Board (multiple stakeholders' involvement): Ministry of Transportation and Communication, Internal Affairs Administration, Defense Administration, Ministry of Labor and Economy, other administrative sectors that are central to the security of communication networks; Transport & Communications Agency (Traficom): decision making & execution; 5G operators, equipment vendors & suppliers: service provision; channel between Traficom and operators/vendors: consultation on device security, correction of security deficiencies, discussion of threats and actions, legal recourse if needed.]

The Act also requires Traficom to engage in mutual discussions with 5G operators and equipment vendors. 5G in Finland is primarily operated by three major companies, namely DNA, Elisa and Telia [121]. The operators are supplied by numerous equipment vendors, most notably Finland's Nokia, to establish 5G infrastructures. The Act provides Traficom with authority to require operators to remove any devices which are deemed to threaten national security from critical parts of its network. However, the Act also states that Traficom must enter into discussion with the operators and equipment vendors prior to making any decisions [120]. Moreover, operators and vendors must be provided with opportunities to remedy any security deficiencies identified [120]. Section 301a of the Act also stipulates that full compensation may be made, under certain circumstances, by the state to the owner of a device identified as posing a national security threat if Traficom made the final call to remove such devices from the system as a last resort. The circumstances include that the device to be removed was put into use before the enforcement of the law or that the owner of the device could not have reasonably foreseen the deficiencies [120]. These legal requirements intend to create a fair environment for bilateral communication between private-sector businesses and public-sector regulators. By opening the doors for operators and vendors to engage in discussion, express opinions and conduct remediation, the Act forms a public-private partnership underlined with transparency, trust and confidence.

Moving on, Section 244a of the Act states that if there are strong grounds to suspect that using a device would endanger national security or national defence, Traficom may oblige the owner to remove the device from its network [120]. Finland's focus on the device level is noteworthy. Alkio and Rouvinen, European legal experts, pointed out that the Finnish Act operates at the level of a device and does not permit banning vendors outright [122]. As the security assessment is made on devices, companies are protected from exclusion and market development is accelerated with unhindered competition. Finland recognises the importance of maintaining a confident and competitive private sector market so that the enhancement of security measures does not hinder the development of technology. Finland's target focus on the device level, as argued by scholars, could be derived from the Finnish perception of cybersecurity, where it is seen as a technical issue that needs a technical solution [122].

Under the Finnish 5G cybersecurity framework, the government has incorporated a wide range of voices and opinions from both the governing and complying stakeholders. The AVANCE legal expert team describes the Finnish adoption of MSP and PPP as corresponding to what the International Telecommunication Union (ITU) identifies as the most desired stage of ICT regulation: collaborative, exploiting synergies across sectors and pooling the expertise of diverse stakeholders [122]. Furthermore, bilateral discussion allows policy designers and regulators to consider the affordability of both the enforcing and complying stakeholders. Thus, the extent of PIG may also be minimised through continuous adjustment and improvement.

Finally, let's look at the results produced by Finland's 5G cybersecurity initiatives. Today, over 80% of Finland's citizens have access to a 5G network. The low network latency and high data transfer capacity enabled by the 5G infrastructure contributed significantly to the country's various societal functions, including healthcare, agriculture and manufacturing [123]. According to a 2021 report from the Groupe Speciale Mobile Association (GSMA), Europe's advancement in mobile networks led to an outstanding productivity increase, which is equivalent to an economic value of EUR 540 bn [124]. Finland, as one of the 5G development leaders in the region, is contributing greatly to value creation through its Electronic Communication Services Act. The Finnish government recognises how developing 5G technology could bring significant value to its economic and social operations. The Electronic Communication Services Act is to ensure the safety and security of the country while reaping the benefits of 5G proliferation. The Act is enabling Finland to take huge leaps in creating sustainable ICT development and attaining the betterment of citizens' livelihoods.

5. Emerging trends of cybersecurity legislation

5.1 Legislation of new technology

In the past few years, many developed countries have made significant progress in the development of AI and introduced policies in different ways. The EU's AI regulatory framework has built on the original intention and experience of GDPR while actively promoting AI legislation through a unified legislative model based on the principle of protecting individual rights. Similarly, the US actively promotes AI legislation based on promoting industrial development. On a national level, the US Congress enacted the National AI Initiative Act in January 2021, creating the National AI Initiative, which provides an overarching framework to strengthen and coordinate AI research, development, demonstration and education activities across all US departments and agencies [125]. Furthermore, China released the Administrative Provisions on Algorithm Recommendation of Internet Information Services in 2021, emphasising that China is committed to making technological development as important as national security in its AI legislation. Based on the understanding of the current status of legal supervision of AI in China, the US and the EU, it is predicted that the security, privacy and ethical issues of AI applications will be considered in the legislative process in the near future. In other words, a risk-based approach will be leveraged to implement AI legislation.

Blockchain is the next emerging new technology, a decentralised ledger of all transactions across a peer-to-peer network. It is the technology that enables the existence of cryptocurrency, such as Bitcoin. In the US, the Financial Crimes Enforcement Network (FinCEN), the Federal Reserve Board (FRB) and the Commodity Futures Trading Commission (CFTC) have issued their interpretations and guidance on cryptocurrencies [126]. On the other hand, in 2013, the People's Bank of China banned financial institutions from dealing in cryptocurrencies and later expanded the ban to cover crypto exchanges and ICOs. Furthermore, China banned bitcoin mining in May 2021, forcing many engaging in the activity to close operations entirely or relocate to jurisdictions with a more favourable regulatory environment [127]. Based on the current status of legal supervision of AI in China and the US, it can be predicted that legislation on blockchain will continue to encourage the development and implementation of blockchain technology, with an emphasis on cybersecurity risks stemming from the use of cryptocurrencies.

5.2 Greater emphasis on cross-border data transfer

The cross-border data flow has become an important area of competition among countries. Looking at the legislation of developed countries in the field of cross-border data transfer, we can see that some countries are also tightening their legislative requirements and guidelines related to the cross-border transfer of personal data. The EU has stipulated the requirement of a more stringent protection standard for the governance of cross-border data transfer, while supporting the free flow of personal data between member states in the EU through a unified legislative model that protects human rights and strengthens internal data flow. At the same time, conditional cross-border data transfer rules have been established for personal data flowing out of EU member countries to ensure the safe transmission of personal data. On the contrary, the US has established restrictive rules for transmitting personal data through a decentralised (industry-based) legislative model based on the main principle of economic interest. For example, the National Security and Personal Data Protection Act of 2019 [128], which has not come into effect yet, explicitly prohibits the transmission and storage of data to specific countries. Through the legislation and promotion trends of cross-border data transfer in the countries and regions above, countries prefer to promote a regional, free data transfer model while continuously refining the requirements of cross-border data transfer. Therefore, on the issue of cross-border data transfer, countries should consider the relationship between the development of their data economy and national security, which is a key issue they will need to consider for a long time to come.

5.3 Cybersecurity insurance

Cybersecurity insurance is a speciality insurance product intended to protect businesses from risk events arising from the use of information technology infrastructure, the internet and related activities. Cybersecurity insurance does not simply protect users from financial damages caused by cyberattacks. Instead, it is also a mechanism to indirectly encourage and motivate organisations to strengthen their cybersecurity by leveraging insurance premiums. Currently, China, the US and the EU have legislation on cybersecurity insurance. As mentioned in the earlier sections, cybersecurity insurance is one of the areas of attention many countries carry in the realm of cybersecurity legislation. Diverse forms of insurance products are being created in the market.

5.4 ICT supply chain

More and more countries are increasingly paying attention to supply chain security due
to the increasing number of related issues reported in the past few years. The SolarWinds cyberattack [129] is one of the most significant supply chain attacks reported in recent years. Even though SolarWinds was recognised as one of the trusted IT management solution suppliers, a catastrophic cyberattack still occurred. As a result, countries are beginning to reconsider the current status of supply chain security and the required legislation to mitigate supply chain security risks. The US, China and the EU have legislation on supply chain management. The US has the Executive Order on Securing the Information and Communications Technology and Services Supply Chain [130] and the Federal Acquisition Supply Chain Security Act [131]. As for China, the government has published the Measures for Cloud Computing Service Security Assessment [132] and the Measures for Cybersecurity Review [133]. In the EU, the NIS 2 [14] and the ENISA-published Threat Landscape for Supply Chain Attacks (2021) [134] are in place.

The core components of ICT supply chain cybersecurity are (1) vendor risk management and (2) security of the underlying products and services. Supply chain security is a complex issue that not only includes suppliers' security review and product or service certification requirements but also addresses the security of the underlying products and services themselves. ICT supply chain legislation shall involve these two core components. Focusing on only one of these two is deemed insufficient, and it will lead to a false sense of security. Last but not least, a number of principles should be considered in supply chain management, including evaluation and competition, resilience and stability of the supply chain, and trustworthy assessment of products and technologies.

5.5 Legislation for non-personal data protection

Data is commonly recognised as the fuel for the digital economy: it is estimated that open data can contribute over 3 trillion USD to the global economy annually [135]. As such, governments have emphasised the sharing of NPD to serve the development of the digital economy. However, regulating the use of NPD is still in its early development phase at a global level, and consensus for this is yet to be achieved. However, based on the experience of regulating personal data use, many concerns have been expressed about promoting the sharing of NPD. First, building a robust infrastructu
323、re for data transmission is a prerequisite to ensure the secure and reliable sharing of NPD136.Constructing a resilient,secure and highly-accessible infrastructure to support the sharing of large amounts of data concurrently is one of the challenges that need to be addressed.Second,determining the o
324、wnership and pricing of NPD data is another challenge.Unlike the ownership of personal data,which can be linked back to the data subjects,the ownership of non-personal data is difficult to be determined.Furthermore,the value of NPD is highly subjective to the user.When it comes to data assertation,s
325、tandardising the pricing model to determine the monetary value of NPD would be another struggle for governments.53Volume 1-Introduction and study summaryThe contributors of this discussion paper wish to thank our partners,Mr Kenneth Wong,Ms Lisa Li and Mr Danny Weng,who gave us a chance to work on t
326、his project.We are very grateful and appreciative of their valuable suggestions that improved the project outcome.We are also grateful for the contributions of our team members:Mr Duncan Ding,Ms Sara Qu,Ms Vivian Tong,Ms Frances Lin,Ms Levana Qi and Mr Tory Kim.The project has been hard work,but we
327、couldnt have done it without the support and guidance of experts and professionals.We want to thank Ms Xi Gelian and Dr Annie Xue from Gen Law Firm in Beijing;Associate Professor Ding Hao,Associate Professor Chen Xing,and Associate Professor Shang Xuejiao from the Guangdong University of Foreign Stu
328、dies in Guangzhou;Dr.William J.Drake from the Columbia Institute for Tele-Information at Columbia Business School in New York for their help with this project.They provided us with professional insights and expert opinions essential to producing this paper.Last but not least,we would like to send ou
329、r warmest appreciation to all those who contributed to writing this paper in any form,either direct or indirect.AcknowledgementsVolume 1-Introduction and study summary54Endnotes1 Decreto n 9.573,de 22 de Novembro de 2018 Accessed 27 March 2023.2 Decreto n 11.200 de 15 de Setembro de 2022 Accessed 27
330、 March 2023.3 Chile Cybersecurity 2023 Accessed 27 March 2023.4 Regulations on the Security Protection of Critical Information Infrastructure Accessed 27 March 2023.5 Act on the Federal Office for Information Security(BSI Act-BSIG)Accessed 27 March 2023.6 The Information Technology Act Accessed 27 M
331、arch 2023.7 Singapore Cybersecurity Act 2018 Accessed 27 March 2023.8 Critical Infrastructure Protection Act Accessed 27 March 2023.9 UAE Information Assurance Regulation Accessed 21 February 2023.10 The Network and Information Systems Regulations 2018 Accessed 27 March 2023.11 Cybersecurity and Inf
332、rastructure Security Agency Act of 2018 Accessed 27 March 2023.12 Vietnam Law on Cybersecurity Accessed 27 March 2023.13 CER Directives Accessed 27 March 2023.14 NIS 2 Directives Accessed 27 March 2023.15 N.Hanacek,NIST Accessed 27 March 2023.16 Framework for Improving Critical Infrastructure Cybers
333、ecurity,Version 1.1 Accessed 21 February 2023.17 No.20(3)/2022-CERT-In Accessed 28 March 2023.18 National Cyber Security Incident Plan of China Accessed 28 March 2023.19 H.R.2471-Consolidated Appropriations Act,2022 Accessed 27 March 2023.20 Guiding Opinions on Promoting the Development of the Cybersecurity Industry(Draft for Comments)Accessed 22 February 2023.21 Measures for the Administration of