Securing critical infrastructure – striking a balance for innovation
Governments and enterprises now face a delicate balancing act between complying with legislation aimed at protecting critical infrastructure while also facilitating effective digital transformation, transparency, and innovation. In this article, Verizon looks at what organizations will need to consider when looking at various policy regimes across the Asia Pacific.
The last 18 months have been memorable in the murky world of cybercrime, from well-publicized critical infrastructure attacks to massive supply chain breaches. The underworld of financially motivated criminals and nefarious nation-state actors “came out swinging,” according to Verizon’s highly anticipated annual Data Breach Investigations Report (DBIR). As a result, we have seen governments sharpening their focus on critical infrastructure legislation to stem losses and boost resilience.
This year’s report paints a clear picture of the wide-ranging consequences of the weak links in the supply chain, which accounted for 62% of incidents in 2021. It’s clear that the “bad guys” have woken up to the multiplier effect of compromising the right partner – leading to policymakers scrambling to widen the definition of critical infrastructure in some jurisdictions.
For example, in early April 2021, the Verizon Threat Research Advisory Centre (VTRAC) collected reports of attacks by advanced persistent threats (APTs) from China and Russia, targeting Japanese manufacturing and the German Bundestag, respectively. Shortly afterward, the Japanese conglomerate FujiFilm and the world’s largest meat packer, JBS Foods, both suffered business interruptions caused by ransomware.
In total, organizations in the Asia Pacific experienced 4,114 cybersecurity incidents in 2021, with 283 confirmed data breaches. Many of these were due to attackers using social engineering and hacking tools. The effects of rapid digitalization from the global pandemic across all industries also led to a rise in ransomware which saw an increase that was greater than the last five years put together.
Taking a collaborative approach to a legislative framework
As the DBIR rightly highlights, cybersecurity threats are persistent, evolving, and increasingly severe. This creates cross-border challenges for both governments and enterprises to protect sensitive information, critical assets, the environment, and the safety of the public.
In an ideal world, there would be a common international approach using a multi-stakeholder framework that addresses cyber threats and risk management activities. For example, the approach embodied in the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity was developed through an international multi-stakeholder process which is risk-based, flexible, and balanced.
From observation, we know that prescriptive legislative approaches which prioritize mandatory or sanction-based security measures can disincentivize organizations from ongoing investments in cybersecurity.
Global organizations also face an increasingly fragmented global regulatory landscape, which makes it onerous and expensive to comply with. For this reason, where possible, cybersecurity policies should rely on existing standards.
Unfortunately, we see policymakers in the Asia Pacific adopting different approaches and tools to deal with the evolving threat landscape, resulting in onerous compliance and duplication of requirements.
Australia – Expansion of industries and government oversight
Last year’s cyberattack on meat processing company JBS Foods demonstrated the supply-chain consequences of a cyberattack on an Australian critical national infrastructure provider. The five-day attack disrupted food supply operations leading to critical outcomes, despite the attack occurring offshore.
Australia’s government introduced updated legislation to include more industries with an emphasis on possible supply chain impacts. These have resulted in amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) earlier this year.
While these amendments define industries relevant to national security, private-sector industry providers have expressed concerns about the level of interference the government can exercise.
And while a one-size-fits-all approach mitigates the challenge of cyber skills shortages in Australia, it does not consider the complexities and nuanced characteristics of different industries, as well as the diversity of cyberattacks that might be experienced.
Singapore – Licensing the cybersecurity providers (CSPs)
Singapore’s Cybersecurity Act of 2018 already covers 11 sectors with 30 baseline requirements to deal with new and emerging threats such as ransomware and domain-specific risks like 5G. Earlier this year, the Cyber Security Agency of Singapore (CSA) issued licensing requirements for cybersecurity providers (CSPs).
These new licensing requirements include two security services in particular – Managed Security Operations Centres (MSOC) and penetration testing services.
Licensing the CSPs may pose a significant barrier to the global MSOC providers with mandatory registration requirements that could prevent Singaporean companies from accessing global managed security services because it will become too onerous for these large entities to comply with local registration mandates.
Singapore is recognized as a policy thought leader in its approach to regulation, especially in the areas of data flows and cybersecurity, so this approach is likely to influence other ASEAN countries.
“In a way, this may result in a de facto localisation of the MSOC service offering thereby disrupting the global supply chain. From a customer perspective this may translate into a limited product and service offering rather than leveraging the global talent pool of experts and resources to only those resources that are based in Singapore,” according to Verizon’s Head of APAC Policy and Regulatory Counsel, Priya Mahajan.
While this gives a competitive advantage to Singaporean companies, it could lead to a reduction in security readiness as specialist cyber skills are not always readily available.
“Providers may need to take a more restrictive approach if they are unable to leverage global expertise. End user organizations will need to interrogate service providers on how this will impact their service to determine their new level of risk,” says Mahajan.
Japan – Influence from the US and reporting from the industry
The collaborative relationship between Japan and the United States in the areas of cyber-physical systems, cloud, and network security has been a positive influence on market access, with NIST continuing to engage Japan’s Ministry of Economy, Trade and Industry (METI) and other government agencies.
The United States-Japan Digital Trade Agreement helps drive shared rules that support businesses in key sectors where both countries lead the world in innovation – it is particularly important for cybersecurity to promote collaboration and supplier adherence to common principles in addressing the challenges.
In May 2022, Japan’s parliament passed an economic security bill aimed at guarding technology and reinforcing critical supply chains while imposing tighter oversight of Japanese firms working in sensitive sectors or in critical infrastructure.
Japan is taking a cautious approach, with the measures included in the legislation implemented over two years. It proposes mandatory reporting of software updates and allows the government to vet some equipment procurement in 14 industries, including energy, water supply, information technology, finance, and transportation.
To promote innovation and investments in the cybersecurity sector, the government may consider establishing a category of trusted offshore service providers for companies based in an allied country (likely to be the United States), allowing that category of providers to provide services to critical information infrastructure sectors and offer flexibility in the rules. This flexibility will facilitate trade, which is intended to usher in a new era of economic growth and competitiveness for the Japanese ICT sector.
A rising tide lifts all boats – making the region stronger through global collaboration
Ultimately, despite the differences in these approaches, the spirit of both governments and private enterprises is to leverage international best practice to facilitate data flows and take a coordinated approach.
The DBIR aligns its suggested best practice findings with the Centre for Internet Security’s Critical Security Controls. This provides organizations with a way to translate the report’s data into security efforts with the top controls that are considered worthwhile for most organizations. These are baseline requirements that include data protection, secure configuration of assets and software, and security awareness and skills training.
“It is important to show there is a framework available for the government to promote an ecosystem to support innovation,” says Mahajan. “Security measures should not discriminate against either local or global security service providers, but to enhance best practices across the board to support partnerships and global frameworks.”
Increasing enforcements on critical sectors will have knock-on effects on those who are not so classified. They will typically need a security service provider to help them assess their overall security posture and comply with increased cyber incident reporting and monitoring requirements, as well as be an expert on network and internet traffic operating in geographies where there are increased cyber threats.
For enterprises, this means reaching out to a trusted provider that can facilitate a consistent compliance framework. This framework includes the critical sectors they need to comply with and the controls that are appropriate for the industry vertical. Resources such as the DBIR can assist security leaders in identifying the critical controls for their sector. Although the type and frequency of the attacks may differ according to industry vertical and size, it is important to see the big picture to deploy defenses efficiently and effectively.
The 2022 Verizon Data Breach Investigations Report contains details on the actors, actions and patterns that can help you prepare your defences and educate your organisation. Get the intelligence you need. You can also read more on Critical Infrastructure here.
READ MORE
- 3 Steps to Successfully Automate Copilot for Microsoft 365 Implementation
- Trustworthy AI – the Promise of Enterprise-Friendly Generative Machine Learning with Dell and NVIDIA
- Strategies for Democratizing GenAI
- The criticality of endpoint management in cybersecurity and operations
- Ethical AI: The renewed importance of safeguarding data and customer privacy in Generative AI applications