More nations in the Asia-Pacific are adopting a bottom-up approach to cybersecurity regulation. That’s a good thing, Scott Shackelford writes.
Cybersecurity is a major concern in the global community, and not least in the Asia Pacific. Take Japan, for example, which in 2014 suffered an estimated 12.8 billion cyber attacks, up from 7.8 billion in 2012 and substantially greater than the estimated 300 million when monitoring began in 2005. And they are not alone.
Governments around the world are considering how best to regulate an array of cybersecurity issues. From encryption to protecting critical infrastructure from misuse, overuse, and attack, a global experiment is now underway that could reveal what sets of governance best practices are yielding results.
But problems are manifold. Even defining winners and losers is difficult, given the challenge of tracking and attributing cyber attacks. Still, this is not stopping nations from acting as cybersecurity laboratories, which, in the process, is yielding some surprises and forging new alliances across the Asia-Pacific to better manage the multi-faceted cyber threat.
Among the lessons learned so far is a growing preference for a largely bottom-up approach to cybersecurity policymaking. Indeed, although there is a spectrum of cybersecurity regulatory frameworks ranging from more state-centric approaches (think Russia and China) to voluntary initiatives, more and more nations—including the United States—seem to be settling on a bottom-up approach to enhancing private-sector cybersecurity.
Emblematic of this movement in the United States context is the 2014 National Institute for Standards and Technology (NIST) Cybersecurity Framework. This framework, comprised partly of industry-driven and regularly updated cybersecurity best practices, has been influential in shaping cybersecurity due diligence, not only in the United States, but across an array of nations, including those in the Asia-Pacific.
In fact, NIST is now collaborating with several dozen nations around the world. Our recent study delved into the experiences of five such nations—including Japan, South Korea, and Australia—to compare the cyber threats they’re facing, see what’s being done about them, and how well these policies are working to date.
Consolidating control in cyberspace | Aim Sinpeng.
In response, each nation is reshaping its domestic regulations to better meet this mounting digital challenge. That’s been an easier process in some nations than others. Japan, for example, enjoys a long history of minimising direct regulation and favouring a private sector-led approach, with self-governance generating cybersecurity standards
South Korea, on the other hand, has prioritised top-down cybersecurity policymaking.
Similar to Japan, Australia is among the most supportive of many aspects of the NIST Framework within the Asia-Pacific region. Even South Korea has sought deeper engagement with the Obama Administration on cybersecurity, including potentially incorporating the NIST Framework domestically.
This may be in response to the perceived failures of its top-down policies, including the argument that its heavily regulated approach is too sluggish in the face of new cyber threats, and forces companies to use outdated security tools and procedures. For instance, South Korean regulations from the 1990s still require all online financial transactions to be authenticated using the SEED cipher, a relatively obscure and insecure authenticator not supported by most browsers and operating systems.
More nations in the Asia-Pacific—including the Philippines, Indonesia, and Taiwan—could benefit from similarly rethinking their own approaches to cybersecurity regulation, potentially following the lead of Japan and Australia.
That is not to say that the NIST Framework, or any similar bottom-up cybersecurity framework, is a magic bullet. Far from it. Such an approach can instill a reactive cybersecurity stance, for example. But it also is an important opening in a long and complex global conversation about cybersecurity norm building. Indeed, already some private-sector clients are receiving the advice that if their “cybersecurity practices were ever questioned during litigation or a regulatory investigation, the ‘standard’ for ‘due diligence’ was now the NIST Cybersecurity Framework.”
Learning can and does happen across nations and sectors that could lead to what Professors Jack Goldsmith and Tim Wu call “regulatory spillover effects,” which can “be good or bad, depending on which regulatory scheme prevails.”
The jury’s still out on all the benefits and drawbacks of bottom-up cybersecurity frameworks, including the NIST Framework, but the global reception it has received to date could help it to shape not only a standard of care for US critical infrastructure organisations, but spill over to help harmonise global cybersecurity best practices.
If that were to happen, some measure of cyber peace may be just over the horizon. And you never know, that sunrise, begun in the West, may just burn brightest in the East.
This essay is based on Scott J. Shackelford, Scott Russell, and Jeffrey Haut’s article, Bottoms Up: A Comparison of “Voluntary” Cybersecurity Frameworks, which is forthcoming from the University of California Davis Business Law Journal, available here.