Inheriting the Splinternet and Decoding its Cybersecurity Sector
When he invented the Internet, Al Gore imagined borderless broadband freely flowing without restriction. Okay, maybe Al Gore did not invent the Internet. But that myth sure is memorable folklore. The inconvenient truth, however, is that the Internet evolved into something different. It is now the Splinternet: a balkanized ecosystem where the sands are continually shifting based on geopolitics, security, privacy, nationalism, and layered commercial interests. Whether readers realize it or not, we have inherited the Splinternet. And now, we must do our best to make sense of it.
Cybersecurity is a key piece to this puzzle. Sources highlight a 400% increase in cyberattacks when work shifted home during the COVID-19 pandemic. Then, from 2020 to 2021, companies faced 50% more cyberattacks with education, healthcare and service providers being most frequently targeted. And costs of those cyberattacks continue to rise. Cybersecurity Ventures reported that ransomware alone cost the worldwide economy $20 billion in 2021, up from $325 million just six years prior. The overall cost of cybercrime, generally, is expected to rise from $9.22 trillion in 2023 to $15.63 trillion in 2028.
Countless laws and regulations have sprung up across the globe attempting to curtail the Splinternet’s rising cyber threats. Well-meaning policymakers may have attempted straightforward guidance, but their efforts are causing the Splinternet to continue cracking, fraying, and breaking into shards. The first step in gluing those puzzle pieces back together is understanding the rules making up this section of the Splinternet. Here is a non-exhaustive primer on some important international cyber standards that Splinternet explorers should know.
A. US Federal Law – The United States does not have a single unified cybersecurity law. Instead, it takes a sector-by-sector approach, e.g., the Gramm-Leach-Bliley Act for financial institutions and the Health Insurance Portability and Accountability Act (HIPAA) for covered healthcare entities. Additionally, agencies like the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) enforce cybersecurity standards and disclosure rules. Under the latest SEC cyber disclosure rule, public companies must report “material” cybersecurity incidents within four business days. Speaking of the SEC, it recently charged a company’s Chief Security Officer with securities fraud because of his allegedly misleading statements about the company’s cyber practices. And, with an apparent “fear of missing out,” the FTC is currently investigating a cyberattack against MGM Resorts.
B. US State Law – Many US states enforce cybersecurity standards requiring companies to maintain “reasonable” information security programs. Those laws sometimes identify program features or industry-recognized standards, and usually include cyber incident reporting obligations (most often for personal data breaches).
C. European Union (EU) – The 2016 EU Directive on Network and Information Systems (NIS 1), and its 2022 replacement (NIS 2), are the main EU-wide legislation regulating the cybersecurity of critical infrastructure and cloud-based software. Under NIS 1, companies providing certain services to the EU are required to “take appropriate and proportionate” cybersecurity measures and report incidents significantly impacting their availability to authorities “without undue delay.” In 2022, the EU passed NIS 2 expanding NIS 1’s requirements. Although the practical details depend on how each Member State implements the law, NIS 2 has:
- Broader coverage regulating more industries and entities than NIS 1;
- Stricter baseline security standards such as those around supply chain security assessments, incident handling, and mandatory multifactor authentication;
- Tighter incident reporting deadlines whereby in-scope entities will need to notify authorities within 24 hours after discovering a significant incident; and
- Mandatory registration requirements for certain regulated entities.
Beyond NIS 2, the EU’s Digital Operational Resilience Act (DORA) introduces even stricter cybersecurity requirements on financial entities and their technology vendors operating in the EU.
D. Global Trends – There are, of course, numerous other cybersecurity regulations around the world. Among observed global trends, an increasing number of jurisdictions – like India, China, Singapore, and Saudi Arabia – are using cybersecurity rules to regulate cloud offerings in their markets. Those jurisdictions are demanding that certain technologies obtain cybersecurity-related licenses or completely refrain from sending certain data outside the country under the guise of security.
E. Future Key Developments to Watch – While not yet enforceable, developing laws and regulations may fundamentally impact cybersecurity compliance.
- The US Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) commands the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring critical infrastructure entities to rapidly report cyber incidents and ransomware payments. CIRCIA’s first set of draft regulations was issued for notice and comment on April 4, 2024.
- The Draft EU Cyber Resilience Act mandates that “products with digital elements” perform a “cyber risk assessment” before entering the EU market along with strict security incident and vulnerability reporting. The legislation is expected to be finalized sometime in 2024, and fully enforceable three years later.
Cybersecurity laws and regulations will continue to evolve. The idea of a free-flowing Internet now resembles Al Gore’s political career: a 90s relic. We are stuck with the Splinternet. But, hopefully with the help of this article, Splinternet sojourners can glue enough fragments together as building blocks towards a more robust cybersecurity compliance plan.
Mike Serra
Mike Serra is Senior Counsel, Cyber & National Security, at a global technology company where he plays a key role in advising product teams on emerging and existing cybersecurity and national security regulations worldwide, and developing implementation plans to meet compliance obligations and customer expectations in these areas. He is also a thought leader in legal issues related to cybersecurity and technology, having spoken at the RSA cybersecurity conference and published articles about hot topics in cyber law in the Yale Journal of Law & Technology’s online blog and the Michigan Bar Journal. Outside of work, Mike enjoys following college football, playing ice hockey, and trying to be a “cool dad.”