Global Approaches to Cyber Policy, Legislation and Regulation
This paper aims to serve as a guide to policymakers by examining different approaches to cyber-security policy, regulation and legislation. It provides an overview of the priorities of five countries (the UK, the US, Canada, Japan, and Singapore) and the EU. The focus rests on cyber policy advanced in the period between January 2019 and March 2023.
The research underlying this paper focuses on four key research areas:
- The general context in which cyber policy is made.
- Priorities with regard to the protection of critical national infrastructure (CNI).
- Approaches to the development of cyber skills and the cyber workforce.
- International cooperation on norm development for cyberspace.
The Context
All jurisdictions follow a unique cyber strategy, but common approaches exist:
- Strategies are updated in line with domestic timelines but also adjust to changes in the cyber threat landscape (such as the rise of cybercrime) and respond to geopolitical events and the increased need to secure CNI and supply chains.
- Strategies increasingly focus on harmonising and streamlining each jurisdiction’s cyber policies to avoid fragmentation and duplication of efforts.
- There is an increasing reliance on interventionist policies and regulations to enhance resilience and cyber-security standards.
On Critical National Infrastructure
Ensuring greater protection of critical national infrastructure (CNI) is a priority for all jurisdictions examined. This is often done by updating or increasing existing cyber-security obligations, or expanding them beyond CNI sectors to further support the resilience of supply chains. International businesses and cyber-security professionals must simultaneously comply with changing (and at times varying) obligations among different jurisdictions. Further research comparing the differing scopes of CNI designations and their respective cyber-security obligations is needed.
On the Cyber Workforce
The global cyber-security workforce shortage and the need for further skills development are seen in all jurisdictions examined. A wide range of initiatives, many of which resemble each other, are advanced by the respective jurisdictions to attract talent, diversify the workforce and increasingly harmonise existing efforts. For example, several jurisdictions have adopted skills frameworks, such as the US’s National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework or the European Cybersecurity Skills Framework (ECSF), to harmonise language used to describe cyber-security roles. Little is known about the effectiveness of these initiatives in markedly reducing the cyber-security workforce gap in a quantifiable way. More research is needed to understand which initiatives help reduce the gap in the cyber-security workforce.
On International Cooperation on Cyber-Norm Development
All jurisdictions examined actively cooperate on cyber-norm development and seek to advance a free and secure cyberspace. They do so by supporting UN processes for norm development, by engaging in a range of multilateral, bilateral and multi-stakeholder arrangements, and by seeking greater cooperation on cyber (including on the development of cyber-security skills and closing the gap in the cyber workforce). More cooperation on skills development could further boost understanding of how to develop global solutions to a global problem.
Sponsored by
(ISC) Squared
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. (ISC)² sponsored this policy guide to raise awareness of the world’s leading cyber-security policies that will impact the future of the global cyber-security workforce.
WRITTEN BY
Dr Pia Hüsch
Research Fellow
Cyber
James Sullivan
Director, Cyber Research
Cyber