In 2023, countries worldwide continued to strengthen their cybersecurity capabilities and systems in response to their national needs, using regulatory means to enhance their cybersecurity management. Based on continuous tracking and research, NSFOCUS summarized the development of global cybersecurity regulations and policies in 2023, providing a brief commentary and presenting NSFOCUS’s perspective on some important regulations and policies from an industry perspective.
The series includes four aspects: “Network Security,” “Data Security,” “Privacy Protection,” and “Tech Development and Governance,” with content organized in chronological order.
This post focuses on the regulations and policies related to network security. In terms of content, the regulations and policies for network security in 2023 mainly cover strategic planning, protection of critical infrastructure, supply chain security, password applications, industry regulatory mechanisms, key sector applications, talent and funding guarantees, etc.
To address cybersecurity threats arising from digital development, the EU passed the comprehensive cybersecurity legislation, Directive (EU) 2016/1148, in July 2016. This directive aimed to achieve a unified and high level of security for network and information systems within the EU, guiding the improvement of cybersecurity levels among EU member states. The newly released Directive (EU) 2022/2555 builds upon the NIS directives, expanding the scope to include critical sectors and entities such as public electronic communication networks and services, data center services, healthcare, and critical product manufacturing. Additionally, this directive is a crucial part of the EU Digital Strategy.
Established in 2021, JCDC is a public-private cybersecurity collaborative leveraging new authorities granted by Congress to unite the global cyber community in the collective defense of cyberspace. Its core functions include formulating network defense action plans, promoting public-private sector collaboration and information sharing, and developing network defense guidelines. The Planning Agenda is the organization’s first planning document, marking a milestone in promoting cooperation in U.S. cybersecurity and strengthening the information-sharing mechanism within the U.S. government.
The strategy exhibits four main characteristics. Firstly, it is a crucial component of the U.S.’s ongoing cybersecurity strategic thinking, refining the country’s cybersecurity governance system. Secondly, it emphasizes the continuous strengthening of strategic investments in key areas, focusing on investing in and building the future digital ecosystem. Thirdly, it gradually enhances the cybersecurity alliance ecosystem through joint measures. Lastly, it optimizes cybersecurity regulatory principles and reinforces corporate responsibility.
The proposed measures in the strategy reflect the Biden administration’s next steps in cybersecurity governance. It aims to further strengthen the Defend Forward cybersecurity strategy, potentially influencing the regulatory approach and cooperation paths in U.S. cybersecurity. Additionally, it is expected to drive the development of the cybersecurity market, including technologies like zero trust, quantum computing, and applications in information infrastructure and semiconductor supply chains. The spillover effects on industries and diplomacy will continue to influence the development of the cybersecurity ecosystem and regional alliances.
The nature of the securities and futures industry determines its close connection with networks and data, leading to pronounced and complex cybersecurity challenges. The release of the Regulations may bring new opportunities for the development of the cybersecurity industry. Firstly, in terms of network and information security in the securities and futures industry, the Regulations specify the construction requirements for monitoring and warning, intrusion detection and defense, situational awareness, etc. This is expected to promote the development of cybersecurity consulting, evaluation, operational maintenance, and incident response in the securities and futures industry. Secondly, in the aspect of personal information protection in the securities and futures industry, the Regulations emphasize measures such as encryption, anonymization, backup and recovery, audit supervision, etc. This will undoubtedly drive the development of data processing technologies related to personal information protection, as well as the development of data audit and tracing businesses. Thirdly, in the area of protecting critical information infrastructure security, the Regulations implement the requirements of the Regulations on the Security Protection of Critical Information Infrastructure in the securities and futures industry, specifying measures such as classified protection of critical information infrastructure, risk monitoring and evaluation of critical information infrastructure products, and emergency support for critical information infrastructure. This will also promote the development of products, solutions, and services related to the cybersecurity of critical information infrastructure networks in the securities and futures industry.
Lastly, the measures specified in the regulations, such as talent cultivation, funding, and technical support, will directly promote the optimization of cybersecurity talent training, the construction of the industry’s cybersecurity industry ecosystem, etc.
The U.S. National Institute of Standards and Technology (NIST) releases Recommendations for Federal Vulnerability Disclosure Guidelines, advancing the systematic construction of vulnerability disclosure.
This document aims to implement the requirements of Chapter 5 of the IoT Cybersecurity Improvement Act of 2020. It is designed to provide guidance on the disclosure process for security vulnerabilities related to information systems, including IoT devices, to help U.S. federal government agencies establish standardized vulnerability disclosure processes.
The document released by the U.S. has two characteristics. Firstly, it adopts a “framework” model to promote the systematic development of standards related to network product and system vulnerability standards, enhancing coordination and synergy between standards. Secondly, in the form of guidelines, it proposes ways to standardize the disclosure of vulnerabilities in network products and systems, promoting the standardization of vulnerability disclosure mechanisms and the authority, accuracy, and timeliness of disclosure information across different departments and industries.
The Chinese Ministry of Transport releases the Regulations on the Security Protection of Critical Information Infrastructure for Highways and Waterways, China’s first industry-level regulations on critical infrastructure protection.
The Regulations are the first industry-level regulations on the protection of critical information infrastructure. The Regulations took effect from June 1, 2023, and may provide two major market opportunities for the cybersecurity industry. Firstly, in the supply chain security market, there may be opportunities in the market for asset analysis of regulatory-side networks in the highway and waterway sectors, as well as opportunities for the construction of supply chain security monitoring and early warning capabilities, including support for network security risk detection of critical infrastructure products in highways and waterways. Secondly, the Regulations emphasize protection measures for personal information, such as encryption, anonymization, backup and recovery, audit supervision, etc. This will undoubtedly drive the development of data information processing technologies related to personal information protection.
Compared with the previous version, the Regulations make three main revisions. Firstly, they optimize the supervision approach for commercial passwords, shifting from the original comprehensive and strict control provisions to strengthened control at key points; the management approach moves from strict pre-approval to enhanced supervision throughout the entire process. Secondly, they reinforce commercial password testing and certification, strictly guarding the gateway of product services. This includes advancing the construction of the commercial password testing and certification system, specifying the qualification standards for commercial password testing and certification institutions, and enforcing mandatory testing and certification for commercial passwords used in critical network equipment and cybersecurity-specialized products. Thirdly, they strengthen the management of commercial password imports and exports, specifying the scope of import and export management and implementing an import permit list and an export control list for commercial passwords.
The Chinese Ministry of Industry and Information Technology issues the ‘2023 Work Plan of the Industrial Internet Special Working Group,’ aiming to enhance the security protection level of the industrial internet.
The 2023 Work Plan is the third annual task arrangement under the Industrial Internet Innovation and Development Action Plan (2021-2023). By comparing the three annual task arrangements, one can gain a rough understanding of the basic trajectory of China’s industrial internet security management policies. Firstly, at the policy system level, it has progressed from graded and classified protection to the related peripheral policies, presenting a trajectory characteristic of ‘establishment, pilot validation, and expansion.’ Secondly, at the protected target level, the emphasis has shifted from the national level to the local level and then to enterprise development, showing a trajectory of increasingly detailed protection targets. Thirdly, at the monitoring management level, it has progressed from establishing and improving platform functions to gradually perfecting the coverage of monitored objects, presenting a trajectory of gradually expanding the monitoring scope starting from the monitoring platform.
The release of the 2023 Work Plan marks the conclusion of the three-year action plan. The subsequent layout for industrial internet security management is undoubtedly a focus of widespread attention. From the deployment of the 2023 work tasks, data security may become one of the new important areas for industrial internet security after the completion of the three-year action plan tasks. Additionally, how to promote the rapid improvement of the industrial internet security market and form a scale is also one of the potential directions that require special attention.
China’s National Financial Supervision and Administration Commission issues the Notice on Strengthening Network and Data Security Management in Third-Party Cooperation, enhancing the security management of the financial industry’s supply chain.
The Notice is the first network security management document issued by the financial regulatory commission since its establishment, highlighting the strengthening of security management requirements for the information technology supply chain in the FBSI (Finance, Banking, Securities, and Insurance) industry.
Due to its wide business scope and large data processing volume, the FBSI industry often becomes a vulnerable area for supply chain attacks. The Notice, while strengthening the requirements for supply chain security management, also specifically reports two risks: first, risks related to enterprise WeChat services, including improper storage of sensitive personal data and unauthorized use of archived data for model training; second, risks related to technology outsourcing, including vulnerabilities in unauthorized access and attacks through the improper use of email proxy tools.
Currently, China lacks specific policies and regulations for information technology supply chain security. From the perspectives of national and industry regulatory requirements, there is an urgent need to establish and improve relevant policy systems and standard specifications to guide and regulate the enhancement of the protection capabilities and levels of information technology supply chains in key industries. In practice, establishing and improving the monitoring and early warning capabilities of information technology supply chain security, or strengthening the foundational systems of information technology supply chain security, including supplier qualification and risk behavior monitoring, vulnerability monitoring of critical infrastructure products, and open-source technology vulnerability monitoring, are among the important content.
The National Cybersecurity Strategy Implementation Plan (NCSIP) is the first iteration of the plan published by The Office of the National Cyber Director (ONCD). It is a living document that will be updated annually, adapting to changes in the cybersecurity threat landscape.
The plan has three characteristics. First, it emphasizes the operability of specific measures, including setting specific timelines for relevant departments. It specifies responsible agencies, participating entities, and deadlines for each measure. Second, it focuses on repairing and strengthening the cybersecurity alliance ecosystem, enhancing cooperation and joint efforts. Third, it highlights the corporate responsibility in cybersecurity regulation, reinforcing the cybersecurity protection obligations of software products and service providers.
Overall, the plan is expected to have the following impacts on the development of cybersecurity. Firstly, it strengthens the competition for international technical standard discourse. The plan explicitly states the need to strengthen the participation of U.S. federal agencies in the international standardization process based on the national standard strategy for key and emerging technologies. Secondly, it propels the market development of cybersecurity technologies and applications. The technologies and application scenarios proposed in the plan, such as zero trust and quantum computing, are expected to play a significant role in the development of the U.S. and international cybersecurity markets. Thirdly, the spillover effects on industries and diplomacy will continue to manifest.
President Xi Jinping’s important instructions further emphasize and clarify the development ideas, models, and directions of the cybersecurity industry. It is of great significance for guiding the high-quality development of the cybersecurity industry.
According to Xi, it is necessary to insist on coordinating development and security, establish a development philosophy for cybersecurity enterprises guided by the overall national security concept, build a large-scale cybersecurity work pattern, construct an open and collaborative development model for cybersecurity enterprises, insist on strengthening national cybersecurity defense, and continuously innovate to comprehensively enhance the supply capacity of cybersecurity services.
In recent years, the U.S. government has attached great importance to building a cybersecurity workforce and has implemented a series of policies and regulations to promote cybersecurity talent development. The strategy released this time not only implements the requirements related to strengthening the U.S. cybersecurity workforce in the National Cybersecurity Strategy and its implementation plan but also reflects the comprehensive approach of the United States in cybersecurity talent cultivation. It may serve as a demonstration for other countries in this field when formulating policies.
The Chinese Ministry of Industry and Information Technology releases the Notice on Carrying Out the Filing of Mobile Internet Application Programs, emphasizing the importance of the filing system for mobile internet applications.
App filing is an important system for the supervision and management of mobile internet. This regulatory mechanism originates from Article 23 of the ‘Anti-Telecom Network Fraud Law of the People’s Republic of China,’ stating that ‘the establishment of mobile internet application programs shall, in accordance with relevant national regulations, apply for approval or file procedures with the telecommunications regulatory authorities.’ This Notice further refines the filing system requirements for mobile internet application programs. In addition to submitting relevant materials for filing, the Notice explicitly states that ‘those who have not completed the filing procedures are not allowed to engage in mobile internet information services.’
The United States released the first Department of Defense Strategy for Operating in Cyberspace in 2011, followed by the 2015 National Defense Strategy and the 2018 National Defense Strategy. The 2023 DOD Cyber Strategy builds upon the 2018 DOD Cyber Strategy. It implements the comprehensive deterrence, international cooperation, and investment-led guiding ideas of the U.S. cybersecurity strategy. It also provides clear guidance on specific cyber actions in the U.S. defense domain, such as conducting Defend Forward and Hunt Forward.
The annual release of the cyber strategy by the U.S. Department of Defense can be considered an indicator of the development of its militarization in cyberspace. It provides insights into areas such as the U.S. military’s reserves of cyber weapons, research and development of cyber attack and defense technologies, as well as a general understanding of its development goals, strategic layout, key work, and measures.
Open source software is one of the key areas of focus in U.S. cybersecurity regulation. Security risks of open source software mainly come from two aspects. On one hand, the security risks of open source software itself directly threaten the many information systems built on it, as seen in typical events like the Log4j2 incident. On the other hand, attacks on the open source software supply chain threaten multiple links upstream and downstream of open source software, as seen in typical events like the SolarWinds incident. The U.S. government has undertaken a series of actions, including convening the Open Source Software Security Summit, releasing the Request for Public Comment on Open-Source Software Security and Memory Safe Programming Languages, and publishing policy documents such as Improving Security of Open Source Software in Operational Technology and Industrial Control Systems.
The National Cyber Incident Response Plan (NCIRP) is a crucial task explicitly mentioned in the 2023 National Cybersecurity Strategy previously released by the White House. The NCIRP 2024 planning initiative is also part of the JCDC Planning Agenda, bringing together government and the private sector to execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. According to the information released by CISA, drafting of the NCIRP would begin in December 2023, after which it would be opened to the public for feedback. It is expected to be approved and published by the end of 2024.
In recent years, the United States and South Korea have continued to strengthen cooperation in the field of cybersecurity. At the top-level design, the leaders of the two countries signed a new bilateral Cyber Framework in April 2023. In terms of organizational structure, CISA and NIS established the Critical Infrastructure Framework Action Team in June 2023. This Memorandum of Understanding (MoU) emphasizes the areas of cooperation outlined in the Framework, such as strengthening joint exercises, expert exchanges, talent development, and sharing best practices in the fields of networks and infrastructure. Collaborative alliances are a significant measure in the United States’ cybersecurity strategic planning. In addition to signing memoranda, CISA strengthens international cooperation in cybersecurity with partners through joint cybersecurity consultations, vulnerability/malware analysis reports, and other means.
For a long time, the U.S. government has been highly concerned about the security of critical sector supply chains. During the Biden administration, multiple supply chain policy documents were released, such as Executive Order 14017 on Securing America’s Supply Chains, Strengthening Software Supply Chain through Secure Software Development Practices, CHIPS and Science Act of 2022, Cybersecurity Guidance for Supply Chain Risk Management, etc.
The newly released Supply Chain Action Plan not only deploys future work arrangements for relevant departments but also serves as a summary of supply chain work during the Biden administration. Although the actions do not specifically formulate rules for the information technology supply chain, the announcement of establishing new institutions in cybersecurity and promoting key cross-border supply chain security exercises reflects the recent focus of the United States on supply chain cybersecurity areas such as ports, cross-border, and semiconductor supply chains.
The Cyber Solidarity Act will further improve the EU’s legal framework for cybersecurity, significantly enhancing the EU’s capabilities to respond to cyber threats. From this proposal, one can see several basic principles and attitudes of the EU regarding cybersecurity. Firstly, it emphasizes technological defense. From the setup and operation mode of the EU Security Operations Center (SOC), it is evident that the EU, in the construction of the cybersecurity defense system, emphasizes the integrated application of advanced technologies in cybersecurity, such as artificial intelligence. Secondly, it values the cyber threat defense of small and medium-sized enterprises. Due to a lack of financial resources, facilities of these enterprises are often more susceptible to cyber attacks, making them a vulnerable link in the national cybersecurity defense. Thirdly, it places importance on public-private cooperation. This is also reflected in the creation of the EU Cybersecurity Reserve Force and the strengthening of cybersecurity emergency mechanisms. Fourthly, it advocates collective defense. This can be seen as an extension of the European collective defense policy in the cybersecurity field, solidifying cooperation among member countries and promoting the continuous improvement of Europe’s regional cybersecurity defense system.
The Act, previously voted on by the Senate, will be submitted for presidential signing and formal enactment. The total budget is $886 billion, an increase of $28 billion, or approximately 3%, compared to 2023. According to preliminary estimates, the cybersecurity budget is around $1.45 billion, a 14% increase from 2023. This growth rate reflects the United States’ strong trend of strengthening national defense cybersecurity. According to the Act, the main areas of expenditure for U.S. cybersecurity defense in 2024 include cybersecurity risk and situational awareness, information technology and data management, cyber warfare capabilities, artificial intelligence, etc.