Given today’s growing fragmentation and polarization in cyberspace, does international cybersecurity exist? And what is it?
Cybersecurity has become one of the most important issues for business, government and society in the course of the last few years and especially in the last few months. The Corona pandemic and the Russia-Ukraine war have shown that global crisis events can also have a global digital impact. Legislators have recognized this politically and addressed it in regulatory terms.
Whereas in the first years of legal regulation of cybersecurity, the focus was primarily on the protection of critical infrastructures and selected digital services such as cloud computing, online search engines and online marketplaces, the legal regulation of cybersecurity is now understood holistically and as a topic of global cyberresilience.
This means that, above all, the protection of the digital supply chain is also included. This is particularly evident in the EU Cyberresilience Act recently proposed as a draft by the European Commission, which extends the general European principles of product liability not only to manufacturers, but also to importers and distributors. The concept of goods with digital elements is understood broadly and can refer to software, hardware and embedded systems. With the Cyberresilience Act, cybersecurity is thus not only thought of vertically and in relation to individual products, but horizontally as a general, cross-product and cross-service requirement, taking into account that manufacturers and developers come from countries all over the world and sometimes do not have the same level of trust in cybersecurity.
Moreover, not only European legislators but also nation states are focusing on securing the digital supply chain. The second German IT Security Act, for example, introduced a so-called "Lex Huawei" into regulation, which stipulates that manufacturers of digital products with critical functionalities must ensure cybersecurity throughout the entire supply chain. Open source components must also be included. The Chinese legislator has introduced similar legal provisions recently.
Another term that has become increasingly important in the last 2-3 years is digital sovereignty. This also includes hardware sovereignty. The increasingly intensifying conflict between China and Taiwan suggests that we in Europe must become more independent in the production of key digital technologies in order to reduce dependencies. In the meantime, therefore, the political focus is not on globalization but on regionalization.
The EU legislature has also taken up this issue in its current regulation by proposing the draft "EU Chips Act", which contains a package of immediate measures to address the already existing semiconductor crisis in the EU. This means that the procurement of computer chips can be coordinated centrally at European level, additional and substantial measures are provided for research funding, and it is also possible to intervene in civil law structures among suppliers should this be necessary, for example, to protect critical infrastructures. This shows that European legislation is also moving toward an increasingly holistic approach that is no longer just about cybersecurity, but about digital resilience in its entirety and with that, a considerable global and transnational approach to cybersecurity from a legal perspective.
Threat intelligence is one of the key assets in fighting cyberthreats. But how much of the information do we actually need? Could threat intelligence be political? What are the current challenges to the international community to have timely and high-quality threat intelligence for cybersecurity?
In fact, the topic of threat intelligence has also been regulated by law for some time now. We see, for example, attempts by the nation states and the European Commission to facilitate and accelerate the exchange of information and to make it as effective and trustworthy as possible. The reliability of information plays a role in this, but so does the willingness of individual actors to participate in the exchange of information. In the EU, for example, there has been a disparity in the past in that the larger member states in particular have been able to contribute more information than smaller EU member states due to their increased personnel and financial capacities and thus a larger and better authority infrastructure. Also, legislation in the EU provides for the introduction of peer learning mechanisms so that member states can support each other in building a threat intelligence infrastructure. Another issue I would like to address from a legal perspective in this context is how to deal with vulnerabilities and legal certainty when performing penetration testing. Both are currently insufficiently regulated in legal terms. The European Union has no clear political course on how to deal with vulnerabilities and, in particular, zero-day exploits. This, of course, includes the issue of digital counterattack or hackback in the case of cyberattacks led by foreign actors. Here, it is absolutely necessary and time-critical to find a common clear line. Moreover, the legal requirements for conducting penetration tests are legally unclear in many states, and penetration testing, even for cyber defense purposes, is often punishable by law. This is unacceptable and requires legal reform, because the information that is to be used for good threat intelligence has to come from somewhere.
Given the current turbulent times and war context in Europe – what can and should we do better to enhance cyber-resilience? What is the role of trust in international cooperation? How can it be re-built now?
It was very clear in our discussion that for effective and practical cybersecurity, we need an interdisciplinary approach and global perspective that also takes into account the interests of companies and users.
It was also very easy to see, in my opinion, that innovation cannot be created by legislation alone. Rather, it depends on the holistic economic and political climate. Legal certainty, however, is an absolute prerequisite for technological innovation. Without business confidence, and that clearly also means trust in the actions of political actors, there can be no innovation and thus no effective cybersecurity.
This can also be seen in the generally exuberant digital legislation in the EU in recent years. And I’m not just talking about cybersecurity, but also, for example, data protection legislation and platform regulation. So we have to be careful that we don’t hit digital overregulation. In the coming years, the focus should rather be on implementing new laws appropriately in practice and also examining whether certain laws are not absolutely necessary for greater resilience. That, too, is part of good legislation and cybersecurity practice. Last but not least: We should take care that cybersecurity does not become a primarily political issue, which is increasingly the case as a result of legal regulations. Political decisions are important, but they must not lead to a degree of legal uncertainty that is no longer compatible with the original goals of appropriate technical and organizational cybersecurity. Cybersecurity means trust and reliability, especially in a global context, but we are increasingly seeing national legislators using cybersecurity to enact general legislation with significant extraterritorial effect. This inhibits innovation, builds barriers, and fuels distrust in markets. In view of the current global political threat situation, however, it will no longer be possible to stop this trend at the present time, so it is to be hoped that cybersecurity legislation will at some point become more apolitical again and thus also more objective. Thank you.