For many global policymakers, the transformative impact of the COVID-19 pandemic has reinforced the need to adopt new cybersecurity and privacy policies. Here's a look at what we can expect in the year ahead.
The COVID-19 pandemic and the resulting global economic downturn present new challenges for government security leaders. The massive shift to remote work in both the public and private sectors has forced businesses, governments and other organizations to adapt their security practices, processes and policies to account for the wide range of new devices and assets now connected to enterprise networks. Both governments and enterprises have seen increases in COVID-19-themed phishing and other attacks against employees during the pandemic, and unpatched hardware, software and configuration vulnerabilities in home devices can now be exploited as a foothold for attacks on enterprise networks.
For many global policymakers, the transformative impact of the pandemic has reinforced the need to adopt new cybersecurity and privacy policies, many of which were under consideration before the pandemic, in order to strengthen trust in the digital economy. These include efforts to promote data privacy and protection, raise baseline security standards of care, and implement cybersecurity certification regimes.
At Tenable, we've identified the following global privacy and cybersecurity policy challenges and expected developments that cybersecurity professionals need to monitor in 2021:
European Union Network and Information Systems (NIS) Directive review and implementation of the EU Cybersecurity Act
Since the current NIS Directive entered into force in 2016, the cyberthreat landscape has continued to evolve. The European Commission has launched a public consultation on a proposed revision of the Directive. This is an opportunity to clarify minimum cyber hygiene standards, account for the expanded threat landscape of cloud computing and operational technology (OT) risks, and harmonize security standards across the EU. Much of this harmonization will likely come through the cybersecurity certification schemes created under the EU Cybersecurity Act. While the national cybersecurity authorities of the member states, including BSI in Germany and ANSSI in France, will play the lead role in driving these certifications in their respective countries, we also expect them to work closely with the European Commission and the European Union Agency for Cybersecurity (ENISA) toward greater convergence. Schemes under consideration in 2021 include an EU-wide certification scheme based on the Common Criteria for ICT products, including those used in critical infrastructure, as well as certification schemes for cloud services, artificial intelligence and 5G.
Brazil data security and Latin America regional influence
More than two years have passed since the European General Data Protection Regulation (GDPR) came into effect and changed the landscape of global data security. The GDPR's "data protection by default" approach is now mirrored in Brazil by the Lei Geral de Proteção de Dados Pessoais (LGPD), with some key differences. The LGPD, which entered into force in September 2020 (with administrative sanctions deferred to August 2021), has a broad scope: it applies to any organization that processes the personal data of individuals in Brazil, regardless of where the organization is located. With digital transformation underway at many organizations that routinely process this data, understanding the new requirements will be critical to avoiding penalties. The Brazilian government is expected to clarify some of the law's provisions in 2021. Brazil is influential across the Americas, and its minimum security requirements are likely to shape data security practices throughout Latin America.
Continued development of minimum data security standards
Japan, Brazil, Canada, India and New Zealand all updated regulations affecting data security standards in 2020. Each moved closer to the EU model of minimum cybersecurity standards backed by substantial fines for non-compliance. This trend is likely to continue as governments review their baseline cybersecurity requirements in light of the changing threat landscape and growing concern for data privacy. Expect these laws to gain greater extraterritorial reach as governments mandate basic cybersecurity requirements and impose fines on organizations that ignore them.
Focus on critical infrastructure and operational technology standards in APAC
Because the maturity of OT security policy varies widely across APAC, there is a need to develop and harmonize security best practices. Regional industry groups are likely to drive alignment with international, consensus-driven standards. For example, the ASEAN Ministerial Conference on Cybersecurity (AMCC) agreed in 2018 to subscribe in principle to 11 voluntary, non-binding norms of responsible state behavior in cyberspace and to focus on regional capacity-building to implement them. These norms include critical infrastructure protection, which in practice extends to the OT that runs that infrastructure. In 2019, Singapore published its Operational Technology Cybersecurity Masterplan. These efforts are likely to grow across APAC in 2021 as 5G is adopted and the OT threat landscape expands. Additional country-specific activity in the region includes:
- Australia: Earlier this year, Australia launched a consultation on an enhanced regulatory framework for operators of critical infrastructure and systems of national significance. This focus stems from Australia's Cyber Security Strategy 2020, in which the government noted that highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers. In response, the strategy calls on critical infrastructure operators to improve baseline security and commits government funding to cyber situational awareness, cyberthreat research and vulnerability assessment.
- India: Government leaders in India have been increasingly focused on securing the country's industrial technology infrastructure against cyberattacks. Critical infrastructure cybersecurity is therefore likely to be a major focus of India's National Cyber Security Strategy 2020, with early implementation of the strategy expected in 2021.
- Japan: Japan continues to implement the Cyber/Physical Security Framework released by the Ministry of Economy, Trade and Industry (METI) in 2019, which addresses security for consumer and industrial IoT. As part of this implementation, METI released a draft IoT Security Safety Framework earlier this year, focused on the layer where physical devices connect to cyberspace. METI will likely issue further cyber-physical security guidance in 2021, especially as the Tokyo Summer Olympics, a prime target for attackers, have been rescheduled for next summer.
Brexit and data security
As Brexit is finalized, concerns about data privacy standards and cross-border enforcement will continue. They will be tested by new reviews of data privacy enforcement and of adherence to agreed standards. While the UK has committed to retaining both the GDPR and the NIS Directive in domestic law, data security remains a sensitive issue that the EU and UK governments will continue to review.
Regulatory Harmonization of Cybersecurity Regulations for Financial Services
This year saw further progress in the U.S. toward harmonizing cybersecurity regulatory requirements for financial services, and growing acceptance of a risk profile model that can be examined across multiple regulatory agencies. That profile is largely based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Harmonization is also under discussion in Europe and APAC, and we expect further review of these requirements in Europe in the year ahead as banks seek to reduce duplication across national agencies and limit burdensome regulatory requirements. This is an opportunity to focus on critical risks while maintaining harmonized standards for cybersecurity.
U.S. Energy and Critical Infrastructure Security
Over the last year, the U.S. Congress has worked on the American Energy Innovation Act, which contains numerous provisions to strengthen the cybersecurity of the nation's energy infrastructure through public-private partnerships, rate incentives for cybersecurity investment, and research and development in advanced cybersecurity technology. While this bill is unlikely to pass before the end of the current Congress, we expect similar legislative efforts on energy sector cybersecurity in 2021. The U.S. Department of Energy (DOE) and Department of Homeland Security (DHS) will also continue to prioritize grid and industrial cybersecurity through policy guidance and updated standards. Whether these efforts take a voluntary or a regulatory approach in 2021 may depend on the outcome of the presidential and congressional elections. Additional U.S. activity includes:
- Supply chain protections: With a COVID-19 vaccine expected by 2021, the U.S. and other global governments will continue to focus on supply chain security to protect the manufacturing and distribution of vaccines.
- Transportation and infrastructure: Congress is also expected to consider a major transportation and infrastructure package in 2021. This legislation is expected to include provisions on smart, digital infrastructure. Therefore, critical infrastructure and OT cybersecurity considerations will need to be addressed as well.
- Vendor certifications: The U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC), the DoD's unified standard for implementing cybersecurity across the defense industrial base (DIB), will carry more weight in defense acquisition processes in 2021. As before, contractors remain responsible for implementing the cybersecurity requirements that protect sensitive defense information. What changes is that CMMC requires third-party assessment of a contractor's compliance with mandatory practices, processes and capabilities, rather than self-attestation. Given the size and complexity of the DIB, CMMC will likely face technical and logistical hurdles as it is implemented at scale. It also represents an important opportunity for the DoD to improve its cybersecurity posture and close the cyber exposure gap for itself and its contractors by creating incentives for stronger cybersecurity processes and practices.
Understanding the policy landscape helps security and business leaders prepare for new trends and requirements. In a connected world, policy trends in one region often influence government action in another. Governments are scrutinizing data privacy and security more closely, and this trend is likely to continue. Awareness of the trends above helps leaders anticipate government concerns and avoid costly fines and regulatory problems.
Adam Palmer, Tenable's chief cybersecurity strategist, also contributed to this blog post.
- To learn more about the issues covered in this blog, watch the Tenable webinar, 5 Global Trends That Will Impact Your Security Program in 2021.