NCC : Global cyber security landscape – what to expect in 2022

To kick off the new year we're sharing thoughts and predictions on what may shape the global cyber security landscape in 2022.

We've interviewed industry leaders from our four key geographies - the UK, the Asia and-Pacific (APAC) region, North America and Europe - to understand the key developments in each region over the last twelve months, and what we might expect from the year ahead and beyond.

Three key themes were evident across all four regions…

1. Governments are taking a far more interventionist approach to regulating and legislating cyber security and resilience

There appears to be broad consensus amongst policymakers that the free market approach to delivering secure, resilient infrastructure in the digital age has - thus far - failed. As such, our interviewees are seeing the governments in their respective regions becoming more interventionist, introducing an increasing number of seemingly stringent regulations that organisations need to abide by. In some cases, there has also been a shift from outcomes-based regulation to more prescriptive regulation, potentially indicating regulated entities' lack of maturity in understanding what they need to do to achieve the required outcomes.

These trends are particularly evident when it comes to securing critical infrastructure, with the EU expanding what constitutes critical infrastructure, the UK introducing flagship legislation on telecoms security, and governments in the the Asia and Pacific region taking steps to better protect their essential infrastructure. Meanwhile, in, and from, the US, the Biden administration is leading the global charge to improve supply chain security.

One sector that may go against the grain, according to Global Head of Research Jennifer Fernick, is decentralised finance (DeFi). As both Jennifer and Global CTO Ollie Whitehouse highlight, the value of DeFi is stored digitally, making it particularly vulnerable to cyber theft on an unprecedented scale. Poor cyber security and resilience could be devastating for DeFi companies. As a result, we may see a bottom-up, market-driven push for higher security standards, in stark contrast to the regulation-driven approach we've seen elsewhere.

Against this background, organisations need to understand how legislation and markets are evolving in the jurisdictions and sectors in which they operate, and what steps need to be taken to comply with new regulations, protect their organisation and, ultimately, continue functioning effectively. This could be particularly challenging for globally operating businesses, particularly those who own or operate critical infrastructure, because, whilst the overall objective is broadly the same for every jurisdiction, the way in which regulators want organisations to achieve it differs. As such, organisations are, perhaps, best advised to devise one regime that is cost-effective while meeting all global requirements.

2.Global cyber rhetoric is not necessarily matching up to the protectionist reality

There is no limit to the number of international statements of intent, trade deals and treaties agreeing to cooperate and collaborate on developing and adhering to an agreed set of norms in the borderless digital sphere. However, our interviewees note a very different reality in their regions, where recent government action points to a shift towards inward-looking, protectionist policies. Managing Director of NCC Europe/Fox IT Inge Bryan highlights European policymakers' focus on digital sovereignty, whilst Ollie points to new laws in the UK which give the government more power to intervene in foreign investment and acquisitions in key UK sectors. In Australia, as Regional Managing Director Charles Spencer points to, the government's flagship Security of Critical Infrastructure (SOCI) Act, first introduced to manage national security risks posed by foreign investment in critical infrastructure, has been strengthened further. Meanwhile, in the US, the Senate has proposed the 'CHIPS for America Act' which, if introduced, would see the launch of a massive government subsidy programme to support US production of semiconductor chips and lower the country's dependence on foreign supply chains.

Globally operating organisations face the challenge of looking beyond the rhetoric of what governments say on the world stage, and understanding and navigating the reality on the ground in the jurisdictions they operate. To aid organisations and deliver better security outcomes, nation states must balance their protectionist approaches with the need to work closely with their allies to mount a coordinated response to cyber risks. This should involve moving beyond high-level commitments towards setting out more clearly which areas of digital policy require a genuinely global response, and those which are so fundamentally linked to a nation's survival that nations will take charge individually, whilst coordinating with their allies (e.g. through international treaties).

3.The value of security and resilience is on the up

Increasing ransomware attacks, alongside unprecedented digitisation, connectivity and technological advancements that present new and evolving security challenges, have led to a rise in the perceived importance of cyber security and software resilience among North Americaand the Asia and Pacific region. At the same time, wary of increasing ransomware attacks and the growing sophistication of attackers, insurers are reportedly reducing the cover they provide to customers.

Meanwhile, there are not enough cyber skills in the world to meet today's challenges. This is deepening the need for increased investment in attracting and training new talent. Industry partnerships with educational providers, diversity and inclusion strategies, and a focus on transferable skills all have important roles to play in making the cyber security sector more open and accessible.

These factors are coalescing to drive up the value of security. Indeed, while organisations need to be prepared to invest more significantly in cyber security and software resilience than they have done to date, they are increasingly seen as essential enablers to responsible and sustainable business in the modern age. As the industry matures, however, organisations should be reassured that better quantification of return on investment will be available that allows them to have confidence in, and justify, investment decisions.

Views from across the globe

Click below to read the interviews in full

View from Europe with Inge Bryan, Managing Director of NCC Europe/Fox IT

"As more nations realise that ransomware is a threat to national security, I'm hopeful that we'll see a proactive, joined-up response from governments. European intelligence services need to come together with their allies to develop genuinely coordinated, proportionate defensive and offensive cyber operations. Failure to do so will leave Europe massively exposed."

View from the UK with Ollie Whitehouse, Global CTO

"Expect to see a far more interventionist and offensive approach to cyber security and software resilience from the UK government. We'll see the UK's new National Cyber Force, the new home of offensive cyber operations, become fully operational. My prediction for 2022 is that the Force will undertake the first UK government-led offensive operation against ransomware."

View from North America with Jennifer Fernick, Global Head of Research

"I'm captivated (and concerned) by the security implications of the ongoing development within the AI research community of large language models. They are scaling rapidly, and we are edging closer to a 'no-code future', where tools utilizing large language models replace coding and traditional app development. However, there are intrinsic security risks with using such tools is something that requires a deep and serious research effort by good-faith security researchers, so we better understand what is possible, before attackers do. This looming security issue isn't on policymakers' radar, but it soon will be."

View from the Asia and Pacific region with Charles Spencer, Regional Managing Director

"In Australia and Southeast Asia, a focus on securing critical infrastructure and increasing the pool of skilled talent will dominate political agendas. There will be a large focus on re-opening the region, and centralising R&D, higher-education and international co-operation to build vibrant and secure economies may factor."