Digital Dawn: Cyber Security Policy in the Wake of Political Change

As we take stock of technological advancements amidst a year of political, one thing is painfully obvious. When it comes to building digitally resilient economies and societies, none of us can afford to be complacent.  

With more than 70 countries holding national elections in 2024, now is an excellent time to take stock of our approach to digital and cyber resilience and what we have to do to take it to the next level.

In NCC Group’s latest report - ‘Digital Dawn: Cyber Security Policy in the Wake of Political Change’ – we have drawn insights from government advisors, elected officials, public opinion and our own work and research to identify the cyber security policy issues in this bumper election year.   

If you are a business decision-maker, our report finds that you need to understand that the allocation of responsibility for cyber security is changing. Increasingly, the onus will be on providers to ensure security is built in. If you own or operate critical infrastructure, expect enforcement action to intensify.

If you are a political decision-maker, you need to get on the front foot and ahead of the game – how you think about digital and cyber resilience needs to set you up for long-term success. We have identified five key policy areas we believe new and existing governments must prioritise to achieve this in practice:

1) Pass 21st century cyber laws that define responsibilities, harmonise rules, and are underpinned with proper enforcement

Governments should establish clear policy, legal and regulatory frameworks, that:

• (Re)Define responsibilities within your nations’ whole of society response.

The emerging consensus about where to allocate responsibility for cyber security is a huge positive.
But this is either not yet reflected, or is only partially reflected, in nations’ policy, legal and regulatory frameworks.

Governments must clearly define the roles and responsibilities of all stakeholders in the cyber ecosystem – from public services, technology providers and critical infrastructure through to small businesses, academia and citizens. They must then ensure this view of the ‘whole of society’ approach is reflected across its policies, laws and regulations.
 

• Harmonise rules across industries and geographies.

Whether it’s standardising requirements across State boundaries, government departments and sectors or aligning rules across international borders, businesses need clarity about the rules of the road.

 A continued lack of alignment will only serve to create an ever more complex web of rules and regulations. This is likely to be counterproductive to delivering better cyber resilience and contribute to the problem of cyber security compliance becoming a ‘tick box’ exercise.

• Are enforced/enforceable.

We urge governments to only introduce new rules where they can be effectively and meaningfully policed and administered. Failure to do so will likely result in those who ignored cyber security standards when they were voluntary, continuing to ignore them when they are mandated.  

2) Provide digital safety nets for smaller organisations, while embedding security in the digital products and services they rely on

Our interviewees told us that it is unrealistic to expect small and medium-sized organisations to adhere to – and invest in – the same cyber resilience standards as larger firms, leaving a significant part of the economy vulnerable to cyberattacks.

Instead, we recommend that governments:

• Work with technology providers to embed secure-by-design and secure-by-default principles in their products – particularly those most relied upon by small businesses
   
• Support smaller organisations’ response and recovery to cyberattacks through ‘first responder’ services that provide proportionate (free-at-the-point-of-use) support to small businesses that have been victims of cyberattacks. This could include initial incident response services and triaging of further steps such as where victims could get the most effective help from. The Australian Government’s recently announced Small Business Cyber Security Resilience Service could trailblaze this sort of initiative.

NCC Group believes these steps would go some way toward meaningfully addressing the factors that have resulted in a general lack of cyber resilience across smaller firms – such as the lack of return on investment for cyber security consultancies to pitch their services to this end of the market, or the limited resources and capacity available to small firms.

3) Fortify your own defences investing in public sector cyber resilience, building trust in government services, and leading by example

Governments must practice what they preach when it comes to cyber security.

We acknowledge that running complex public services can draw attention and budgets away from cyber security. But failure to build digitally resilient government services risks eroding trust in both public institutions, as well as government leaders’ ability to set cyber rules for other sectors.

4) Forge a cyber resilient population – promoting cyber literacy, developing cyber professionals, and updating cyber laws

Cyber skills isn’t just about addressing the cyber industry’s significant skills shortage (although that is a critical part of it). It is also about equipping individuals – across organisations of all sizes and at all levels of seniority – with the cyber literacy they need to make decisions about their personal, organisational and even national cyber resilience.

With responsibilities for cyber security more clearly defined under a ‘whole of society’ approach (see recommendation 1 above), and notwithstanding the expected shift of responsibility to those with the broadest shoulders, governments should take further steps to allow individuals and organisations to actively participate in the digital economy.

This should include innovative citizen engagement measures to mainstream cyber security across all levels of the population, and embedding cyber security hygiene measures into nations’ psyche, as well as making cyber competence (or safe and secure online behaviours) mandatory elements of education curriculums.

At the same time, we will continue to need both technical and non-technical cyber professionals to defend society and the economy in cyberspace.

On the basis of a more cyber-skilled population, even more needs to be done to encourage talent into the cyber profession, particularly those from diverse and underrepresented backgrounds, as well those with crosscutting skills (e.g. those which bridge cyber security and related disciplines like engineering and safety).

This should include commitments to measure trends in the proportion of candidates coming into the cyber profession from non-traditional backgrounds and through non-traditional routes, the creation of national further education institutes for the exceptionally cyber gifted to build national cadres of excellence, and the development of crosscutting educational programs.

Crucially, governments should follow the lead of Belgium and Germany in reforming outdated national computer laws – such as the UK Computer Misuse Act 1990 and U.S. Computer Fraud and Abuse Act – to ensure cyber professionals undertaking legitimate cyber security work are not criminalised.​​​​​​
 

5) Establish long-term, evidence-driven policymaking structures 

There are many positives to be taken from cyber policymaking over the past few years including solid national strategies and tangible successes from global cooperation.

However, cyber policymaking can often be fragmented and siloed across government, struggles to keep pace with technological and societal changes, and can lose out to more consumer-friendly policy areas in terms of getting the attention it needs from politicians.

While it may not be a vote winner, a key way of tackling many of these problems will be to establish the right policymaking infrastructure.

Principally, we see three aspects to this:

• Leadership and cross-government coordination:
  While cyber security will continue to be a cross-cutting issue that requires the attention of multiple government leaders and departments, new governments should think about who will ultimately lead the delivery of their national cyber strategies and how that will be coordinated across institutions and departments.
   
• Measurability: Good policies are evidence-driven and measurable. However, across many nations, there is no one clear mechanism to measure the success or failure of cyber security policies, laws and regulations. We therefore support the concept of “cyber as a science”, developing cyber metrics and risk quantification, from an established baseline, to allow risk to be reliably measured and expressed in an informed way.

A data and evidence-based approach would help governments to measure the efficacy of their policies in reducing cyber risk. In practice, this could include the formation of a Bureau of Cyber Statistics, as proposed by Cyberspace Solarium Commission.
 

• Horizon-scanning:
  Centralised government horizon-scanning should collate the myriad of existing horizon-scanning initiatives across the public sector, private sector and academia, and formally feedback into policymaking processes.

Click here to download the report in full, where you can access the latest public perception and the drivers for policy change, key insights from government advisors and lawmakers, and access to your own digital cyber security priorities framework.