The following cybersecurity overview covers six jurisdictions (the US, the EU, Germany, France, Australia and Mexico). For the purpose of this overview, the term cybersecurity refers to the protection of networks, hardware, software and data from attacks, damage or unauthorised access ("attacks").
Cybersecurity legislation is under development in most countries and is generally scattered over different areas of law. We have grouped these laws into the following categories.
- Domestic law security requirements: These types of legislation impose requirements on public authorities and private operators in civil society to ensure that they have security measures in place to prevent attacks. These often impose minimum standards to protect public service functions (essential services or critical infrastructure) against cyber threats (e.g. water, hospitals, banking). Also, cybersecurity rules in relation to data privacy belong to this group.
- Protecting national security interests: These types of laws fall under, or are closely tied to, national defence interests, and aim at preserving a state's national integrity by preventing, for example, state-sponsored espionage.[1] Such laws may therefore override open-market principles[2] and restrict foreign investors from acquiring domestic businesses, or restrict foreign suppliers from tendering in critical infrastructure projects. They may also restrict the export and supply of critical security technology in order to prevent its dissemination.
- Criminalisation of certain cyber activity: These laws criminalise specific acts committed mainly by digital or electronic means ("cybercrime") and acts that have a clear corresponding criminal act when committed physically ("cyber-enabled crime"). For example, burglary or theft corresponds in the cyber world to illegal hacking, interception and theft of data. Many countries have implemented, or are implementing, the international agreement on what is deemed to constitute cybercrime (the Budapest Convention[3]).
Key observations and trends
We would like to highlight the following observations and trends:
- Domestic law security requirements are evolving and often spring from national cybersecurity strategies. Not all countries adopt legislation ("hard law"); some instead rely on the evolution of industry standards to set the actual level of security requirements ("soft law"). The lack of hard law does not necessarily mean a lack of cybersecurity measures: Australia appears to be putting substantial effort into cybersecurity, comparable to that of the EU and US, but without legislation and relying more on soft law. In Mexico, however, the lack of both legislation and cybersecurity efforts appears to have led to a heightened risk situation, and both legislation and enforcement appear to be needed.
- Foreign investment review laws appear to be on the rise. The US already has a mechanism under CFIUS.[4] In the EU, the European Parliament has called on the European Commission to draw up common EU rules on foreign investment review.[5] As some EU member states (e.g. France and Germany) already have such laws in place whereas others do not (e.g. Sweden), industry should follow, or engage in, the Commission's consideration of which elements to include when drafting such rules.
- There is an important difference, and a possible tension, between (a) domestic security requirements and (b) national security interests (e.g. foreign investment review). The first addresses the level of security a country or region aims to achieve, which is in principle neutral as regards operators and their nationality (as long as the supplier meets the requirements). The second type of measure is based on national security interests and would therefore logically be used to address perceived risks associated with operators from certain countries, i.e. their nationality.
- National security interest policy goes beyond foreign investment review. The US has reportedly imposed, and possibly since revoked, budgetary rules that required certain authorities to seek approval from law enforcement authorities when procuring information security systems.[6] In 2012, both Australia and Germany blocked Huawei from tendering for certain network projects. In France, the supply of certain equipment which may be used for interception is prohibited unless authorised by a specific governmental agency (ANSSI). Restrictions on who may supply to public authorities would have to be compatible with international trade law, but the trend may be that other countries consider such restrictions if they detect or suspect cyberattacks associated with foreign suppliers.
- Recently, one country (the US) used economic sanctions as a tool to signal resistance to cybersecurity threats.[7] Whereas the reason in that case was political (interference with elections), economic sanctions could potentially be used to ban operators allegedly involved in industrial cyber-theft or other security concerns.[8] Export control enforcement could likewise become a method of blocking specific operators from trade. In March 2017, ZTE entered into a large settlement agreement for exporting sensitive US technology to Iran, which reportedly jeopardised US national security.[9] Thus, following the US example, countries could use sanctions and export control enforcement as tools to address national interest concerns by targeting specific operators, instead of basing the measure on the operator's nationality (as with the Huawei example in Australia and Germany cited above).
1. The concept of national security interest may be used broadly to describe a nation's methods of preserving its sovereignty. Measures to protect national security may range from enhancing military power to ensuring the supply of a country's basic needs (e.g. food and energy). For the purpose of this paper, however, we apply the term national security interests to measures that target organisations or companies exposed to cybersecurity threats.
2. For instance, the free trade principles on National Treatment under the WTO.
3. The Budapest Convention covers four categories of cybercrime: (1) offences against the confidentiality, integrity and availability of computer data and systems (illegal access, illegal interception, data interference, system interference, misuse of devices), (2) computer-related offences (computer-related forgery and fraud), (3) content-related offences (child pornography) and (4) offences related to infringement of copyright.
4. The Committee on Foreign Investment in the United States, see further explanation below under the US summary.
5. The European Parliament recently submitted a request to the Commission to put forward a proposal for new rules (Proposal for a Union act on the Screening of Foreign Investment in Strategic Sectors).
6. See the 2013 article at http://www.reuters.com/article/us-usa-cybersecurity-espionage-idUSBRE92Q18O20130327. Later, in the Consolidated Appropriations Act 2016, the language seems to require a self-assessment.
7. The case concerned Russian interference with the 2016 US elections; several Russian individuals are now listed by the Office of Foreign Assets Control ("OFAC") and are therefore in principle subject to a US trade ban.
9. https://www.bis.doc.gov/index.php/forms-documents/about-bis/newsroom/1659-zte-settlement-agreement-signed/file, and press release from the US Department of Justice, https://www.justice.gov/opa/pr/zte-corporation-agrees-plead-guilty-and-pay-over-4304-million-violating-us-sanctions-sending
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.