{"id":9296,"date":"2024-09-22T23:08:00","date_gmt":"2024-09-22T23:08:00","guid":{"rendered":"https:\/\/journals.law.unc.edu\/ncjolt\/?p=9296"},"modified":"2024-09-24T13:22:18","modified_gmt":"2024-09-24T13:22:18","slug":"inheritingthesplinternet","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/inheritingthesplinternet\/","title":{"rendered":"Inheriting the Splinternet and Decoding its Cybersecurity Sector"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

When he invented the Internet, Al Gore imagined borderless broadband<\/a> freely flowing without restriction. Okay, maybe Al Gore did not invent the Internet. But that myth sure is memorable folklore. The inconvenient truth, however, is that the Internet evolved into something different. It is now the Splinternet<\/a>: a balkanized ecosystem where the sands are continually shifting based on geopolitics, security, privacy, nationalism, and layered commercial interests. Whether readers realize it or not, we have inherited the Splinternet. And now, we must do our best to make sense of it. <\/p>\n\n\n\n

Cybersecurity is a key piece to this puzzle. Sources highlight a 400% increase in cyberattacks<\/a> when work shifted home during the COVID-19 pandemic. Then, from 2020 to 2021, companies faced 50% more cyberattacks<\/a> with education, healthcare and service providers being most frequently targeted. And costs of those cyberattacks continue to rise. Cybersecurity Ventures reported<\/a> that ransomware alone cost the worldwide economy $20 billion in 2021, up from $325 million just six years prior. The overall cost of cybercrime, generally, is expected to rise from $9.22 trillion in 2023 to $15.63 trillion in 2028<\/a>. <\/p>\n\n\n\n

\u201cthe Splinternet: a balkanized ecosystem where the sands are continually shifting based on geopolitics, security, privacy, nationalism, and layered commercial interests.\u201d<\/p><\/blockquote>\n\n\n\n

Countless laws and regulations have sprung up across the globe attempting to curtail the Splinternet\u2019s rising cyber threats. Well-meaning policymakers may have attempted straightforward guidance, but their efforts are causing the Splinternet to continue cracking, fraying, and breaking into shards. The first step in gluing those puzzle pieces back together is understanding the rules making up this section of the Splinternet. Here is a non-exhaustive primer on some important international cyber standards that Splinternet explorers should know.<\/p>\n\n\n\n

A. US Federal Law<\/strong> – The United States does not have a single unified cybersecurity law. Instead, it takes a sector-by-sector approach, e.g., the Gramm-Leach-Bliley Act for financial institutions<\/a> and the Health Insurance Portability and Accountability Act (HIPAA)<\/a> for covered healthcare entities. Additionally, agencies like the Federal Trade Commission (FTC) and Securities Exchange Commission (SEC) enforce cybersecurity standards and disclosure rules<\/a>. Under the latest SEC cyber disclosure rule<\/a>, public companies must report \u201cmaterial\u201d cybersecurity incidents within four business days. Speaking of the SEC, it recently charged<\/a> a company\u2019s Chief Security Officer with securities fraud because of his allegedly misleading statements about the company\u2019s cyber practices. And, with an apparent \u201cfear of missing out,\u201d the FTC is currently investigating a cyberattack against MGM<\/a> Resorts.<\/p>\n\n\n\n

B. US State Law<\/strong> – Many US. States enforce cybersecurity standards requiring companies to maintain \u201creasonable<\/a>\u201d information security programs. Those laws sometimes identify program features or industry recognized standards, and usually include cyber incident reporting obligations<\/a> (most often for personal data breaches).<\/p>\n\n\n\n

C. European Union (EU)<\/strong> – The 2016 EU Directive on Network and Information Systems<\/a> (NIS 1<\/a>), and its 2022 replacement (NIS 2<\/a>), are the main EU-wide legislation regulating the cybersecurity of critical infrastructure and cloud-based software. Under NIS 1, companies providing certain services to the EU are required to \u201ctake appropriate and proportionate<\/a>\u201d cybersecurity measures and report incidents significantly impacting their availability to authorities \u201cwithout undue delay.\u201d In 2022, the EU passed NIS 2 expanding NIS 1\u2019s requirements. Although the practical details depend on how each Member State<\/a> implements the law, NIS 2 has<\/a>:<\/p>\n\n\n\n