Policy trends: where are we today on regulation in cyberspace?

This is the first edition of our policy analysis and observations of trends in the regulation of cyberspace, and cybersecurity, within the Kaspersky Security Bulletin.

This year so far has been very challenging: increased tensions in international relations have had a huge impact on both cyberspace and cybersecurity. Further to this, we share below our key observations regarding the trends we believe have been the highlights of this year and have the potential to shape the future of cyberspace in the year ahead.

#1 Fragmentation shifting to polarization: governments and multistakeholder communities are all the more divided — and have formed into groups based on like-mindedness

The previously observed and discussed fragmentation of cyberspace on the whole — and the internet in particular (also referred to as the ““splinternet” or the balkanization of the internet) — is taking on a new form. In the past we observed the first signs of governments’ diverging views on how cyberspace and cybersecurity should be regulated. Although by no means all governments stepped into this arena, the few countries that did managed to establish initial laws with extraterritorial effect (such as the EU’s GDPR, which established extraterritorial requirements for many organizations outside the EU) that produced a far larger impact beyond their national borders.

The year 2022, however, has overhauled the existing fragmentation: it does still exist, but only among the emerging alliances of the like-minded, covering not only governments but also non-state actors. The war in Ukraine has further deepened polarization between different groups of states and communities. The biggest challenge stems from the IT security community (which traditionally sticks together and is supposed to act as “neutral firefighters” in cyberspace) splitting into separate closed groups as well. For example, the global Forum of Incident Response and Security Teams (FIRST) suspended all member organizations originating from Russia or Belarus, thereby undermining the fundamental principle of trust in cybersecurity. Such a decision also prevents further threat information exchange between those in charge of responding to cyberincidents. Perhaps naturally, this has triggered talk among those left out regarding launching their own alternative communities.

The growing polarization in cyberspace poses a security risk for many of us, given the borderless nature of the threats and incidents we face. Even when the initial intention of threat actors is to target a particular organization, this can easily spill over to many others in ICT supply chains, going far beyond the initial target (as already occurred with, for example, WannaCry). Will organizations from different jurisdictions be able to exchange threat information with each other, and will they be able to cooperate across borders for incident response? Some of them will, but overall more and more barriers are emerging to this, creating security risks.

#2 Tech localization and “digital sovereignty” is no longer just about data

Globalization is still with us in 2022, but it’s becoming less popular: there’s a move toward buying local or domestic products because it could be safer. Unfortunately, cyberspace and the tech sector have already become one more arena for economic and geostrategic competition among states, while vaguely-defined (most likely intentionally so) concepts about “digital sovereignty”, “data sovereignty”, “strategic autonomy”, etc. are discussed more in different communities — from decision-makers to the media. Though initially perceived as attempts by governments to regulate and protect data (after the first data localization laws appeared), this now has the potential to affect far more areas, including microchip and other hardware manufacturing and software development. In some critical sectors of cybermature jurisdictions this already exists: mostly domestic companies are preferred for procurement. But could it expand further into the consumer market?

If so, in a global context, widespread application of data localization rules in particular would most likely create challenges for cybersecurity (i.e., for better and more effective threat intelligence to fight cyberthreats). With less visibility into the cyberthreat landscape, the lower the chances of developing effective detection tools or producing high-quality threat intelligence. These risks will increase if more and more countries impose data localization rules on their markets.

Thus, a dilemma could arise where attempts to provide more cybersecurity through strengthening data security, on the one hand, may actually lead to weaker cybersecurity (from less visibility and threat intelligence), on the other. The solution could lie in developing smart regulation approaches as well as defining clear security criteria for vendors to be trusted enough for cyberthreat-related data processing.

#3 Do cyberdiplomacy and international cybersecurity still exist? If so, they’ve taken a back seat this year

Kaspersky has been actively involved in many multistakeholder initiatives to advance cyberdiplomacy, including at the UN and regional levels. Subjectively speaking, 2022 has seen the discussion of cyberdiplomacy and international cybersecurity become less widespread and profound. What does this mean? The war in Ukraine and ongoing tensions in international relations have placed onto the agenda issues about security in its conventional sense, where cyber is just one of its aspects. What will happen next is hard to predict, but if military action continues, cyberdiplomacy will most likely stay sat firmly on the back seat; however, it’s to be hoped that it won’t disappear completely.

#4 Full-blown cyberwar hasn’t occurred, and this is of course good news. But we seem to be facing a more complex challenge — hybrid operations

Cyber Armageddon hasn’t occurred. Though many experts predicted it, it hasn’t materialized in the current war in Ukraine. This is good news, for sure. At the same time, unfortunately, the unfolding events have shown that cyberweapons are being used in the conflict to create hybrid warfare, where actions take place both in the digital realm (including with data manipulation and misinformation operations) and on the ground. The challenge is that the international community hasn’t developed clear responses to deal with this, and most likely any technological and technical solutions will be insufficient.

#5 Liability of digital products: a new area in future regulatory efforts

Safety and security labels don’t exist yet for software. And where a vulnerability may create security or safety risks, users may wonder whom to reach out to for liability issues. So far, different vertical legislative approaches do provide solutions for consumers, such as personal data protection laws for cases where personal data has been affected. The financial and banking sector is well-regulated too. But what about a mass-market photo-editing app that can be exploited by stalkerware? Should the developer be responsible? Some jurisdictions apparently already have the answer. The EU — as a norm-setter — has been among the first to propose a game-changing draft law titled the Cyber Resilience Act, with proposed fines as high as those in the GDPR. And in the U.S. there have been some first attempts to define baseline criteria for cybersecurity labeling of consumer software, as discussed in a separate blog post. Most likely, next year and beyond, other governments will find the regulation of software development liability a good idea, and we could well see even further fragmentation as a result of the different approaches taken among states.