Global Approaches to Cyber Policy, Legislation and Regulation

pdf
Read Full Report(PDF 881KB)
Globe criss-crossed by lit-up networks with padlocks on nodes

NicoElNino/Adobe Stock


This paper aims to serve as a guide to policymakers by examining different approaches to cyber-security policy, regulation and legislation. It provides an overview of the priorities of five countries (the UK, the US, Canada, Japan, and Singapore) and the EU. The focus rests on cyber policy advanced in the period between January 2019 and March 2023.

The research underlying this paper focuses on four key research areas:

  • The general context in which cyber policy is made.
  • Priorities with regard to the protection of critical national infrastructure (CNI).
  • Approaches to the development of cyber skills and the cyber workforce.
  • International cooperation on norm development for cyberspace.

The Context

All jurisdictions follow a unique cyber strategy, but common approaches exist:

  • Strategies are updated in line with domestic timelines but also adjust to changes in the cyber threat landscape (such as the rise of cybercrime) and respond to geopolitical events and the increased need to secure CNI and supply chains.
  • Strategies increasingly focus on harmonising and streamlining each jurisdiction’s cyber policies to avoid fragmentation and duplication of efforts.
  • There is an increasing reliance on interventionist policies and regulations to enhance resilience and cyber-security standards.

On Critical National Infrastructure

Ensuring greater protection of critical national infrastructure (CNI) is a priority for all jurisdictions examined. This is often done by updating or increasing existing cyber-security obligations, or expanding them beyond CNI sectors to further support the resilience of supply chains. International businesses and cyber-security professionals must simultaneously comply with changing (and at times varying) obligations among different jurisdictions. Further research comparing the differing scopes of CNI designations and their respective cyber-security obligations is needed.

On the Cyber Workforce

The global cyber-security workforce shortage and the need for further skills development is seen in all jurisdictions examined. A wide range of initiatives, many of which resemble each other, are advanced by the respective jurisdictions to attract talent, diversify the workforce and increasingly harmonise existing efforts. For example, several jurisdictions have adopted skills frameworks, such as the US’s National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework or the European Cybersecurity Skills Framework (ECSF), to harmonise language used to describe cyber-security roles. Little is known about the effectiveness of these initiatives in markedly reducing the cyber-security workforce gap in a quantifiable way. More research is needed to understand which initiatives help reduce the gap in the cyber-security workforce.

On International Cooperation on Cyber-Norm Development

All jurisdictions examined actively cooperate on cyber-norm development and seek to advance a free and secure cyberspace. They do so by supporting UN processes for norm development, by engaging in a range of multilateral, bilateral and multi-stakeholder arrangements, and by seeking greater cooperation on cyber (including on the development of cyber-security skills and closing the gap in the cyber workforce). More cooperation on skills development could further boost understanding of how to develop global solutions to a global problem.


WRITTEN BY

Dr Pia Hüsch

Research Fellow

Cyber

View profile

James Sullivan

Director, Cyber Research

Cyber

View profile


Footnotes


Explore our related content