Singapore International Cyber Week (SICW) is an annual conference which brings together cybersecurity professionals, government policymakers, and civil society to discuss the issues of the day. Alongside RSA and Israel Cyber Week, it’s one of the best opportunities in the cyber calendar to learn from the experiences of stakeholders from around the world.
I attended SICW 2023 on behalf of the Center for Cybersecurity Policy & Law. Over four days, I was fortunate to participate in 11 bilateral meetings, a mini retreat on artificial intelligence with global cyber ambassadors, a Global Forum on Cyber Expertise meeting, a Ransomware Task Force roundtable, and dinners with senior government officials from around the world.
The focus of SICW conversations has evolved notably over time. Here are my five takeaways from this year’s edition:
1. Governments are taking a more activist approach to cybersecurity.
A frequent refrain from policymakers was that we cannot continue to allow policy to lag technological innovation to the level it has in the past. Policymakers want to be active and nimbler in adjusting to the evolving technological landscape. Expect a sustained uptick in new policy initiatives and for cyber policies to be reviewed and updated more frequently. Whether policymaking processes in each country allow for such agility will be tested in the years ahead.
2. There’s some evidence of like-minded governments taking tangible steps to drive policy harmonization.
Regulatory harmonization has been a top request from security companies for at least a decade. This year, we’re starting to see some tangible efforts take shape from governments. Numerous governments are leveraging, or intend to leverage, international standards like ETSI EN 303 645 to underpin national policies. Membership of the Secure by Design principles has grown to 17 governments. While discussion among governments is common, coordination and regulatory alignment are still the exception and not the rule.
3. More interest in multi-stakeholder collaboration
Public-private collaboration has long been a talking point for policymakers in developed countries, and a broader set of governments now want to drive it, notably a number in Southeast Asia. Governments need to accept that the private sector has access to key intelligence and insights, but they can incentivize sharing. To be successful, these initiatives should prioritize two-way information sharing between public and private sectors and avoid making the number of forums so unwieldy as to overwhelm companies.
4. Europe often an outlier in its approach
While the above points were pretty consistent across most “like-minded” countries, Europe continues to prioritize digital sovereignty and localization at the expense of international alignment and security. The European Cyber Resilience Act (CRA) and EU Cloud Security Scheme, in particular, have taken a different path than most of their peers, and there is concern about the impact of this fragmentation on both trade and security.
5. Ransomware activity reminds us why we need to address these issues globally.
Progress has been made on ransomware in Europe and North America, but this has been offset by a rise in ransomware in Latin America and Africa. More needs to be done on capacity building in developing countries if we’re to reduce the attractiveness of ransomware attacks to criminal actors. This is a global challenge and one that will be addressed by a global consortium of 51 countries in the Counter Ransomware Initiative summit in Washington, DC this week.