Why Cyber Resilience Legislation is Vital to Safeguarding Our Networks

By Dr. Thomas King, CTO, DE-CIX

Mary Ward was a pioneer. She was considered to have a talent for drawing, researched insects, and wrote several books on microscopy, which made her one of the most prominent scientists in the British Isles – a novelty for a woman at the time. Another novelty was her steam-powered carriage, in which she rolled through Ireland. In 1869, her vehicle earned her a sad notoriety: Ward is considered the first road traffic fatality. On a bend, the 42-year-old slipped off the bench and fell in front of the cart, which then ran over her. Seat belts, which might have saved the life of the mother of eight, were not mandatory at the time. It was only around 1900 that rules for traffic as we know them today emerged: rules to avert damage and to make everyone's interaction safer for all. The same logic applies today in the IT world. Countries are pushing ahead with legislation with the aim of protecting companies, administrations, and individuals from dangers from cyberspace.

Traffic regulations for more cyber security

From North America to India and Asia – all over the world, digital traffic regulations are in demand. Politicians are looking for ways to make the digital economy more resilient. The goal: To establish a culture of security in all private and public spheres. A look at Europe shows how this might be achieved. The European Union is currently pushing ahead with the new version of the directive for Network and Information Systems (NIS2). The union of states is pursuing the idea of modernizing the existing legal framework and adapting it to the intensifying threat situation. Although more digitalization also creates more opportunities for value creation, every additional digital opportunity also opens up potential gateways for third parties with nefarious intentions.

Whether it’s the energy, water, banking, finance, or health sectors, NIS2 extends the group of companies and public institutions that must make their IT landscape more resilient. It applies to all sectors that are of crucial economic and social importance and are particularly dependent on information and communication technologies. The rules apply directly to a wider range of institutions and indirectly to companies that are part of a supply chain. The example of CrowdStrike shows why this is crucial: On July 19, 2024, the cybersecurity provider delivered a faulty update that caused computer systems around the world to fail. Around 8.5 million Windows devices at airlines, hospitals, and retailers were affected. It was a simple glitch, but in a fully digitally networked economy, it turned into an unprecedented problem.

Authorities, standards and guidelines to mitigate cyber risks

From hackers and botnets to accidents and mishaps, more and more digitalized and industrialized economies are arming themselves against threats like these. In 2022, for example, the Strengthening American Cybersecurity Act was passed in the US. The law updates existing federal information security regulations, requires operators of critical infrastructure to report cyber and ransomware attacks, and improves the security of cloud services for federal agencies. Malaysia has taken a similar path: its first standalone Cyber Security Act 2024 came into force in 2024. The law sets regulatory standards for cybersecurity and aims to protect the national critical information infrastructure. A dedicated agency – the National Cyber Security Committee – is to implement and monitor the requirements. The same applies to India and Singapore: The subcontinent has set up its own government agency, the Indian Computer Emergency Response Team, which publishes guidelines and recommendations for companies and is responsible for preventing cyber attacks. And the city state aims to protect critical information infrastructures with its Cybersecurity Act, introduced in 2018.

Internet Exchanges and cyber resilience: More resilience for providers and customers

Critical infrastructure with a particularly high economic importance and need for protection: This is precisely the situation of telecommunications companies in many countries around the world. The basic principle is that to make networks resilient, all levels – from undersea cables to Internet Exchanges to data centers – must be individually secured. In practical terms, this means that each infrastructure is only as resilient as the individual elements of which it is composed. So, if all the components of a shared infrastructure – be it the roads or the global telecommunications infrastructure – are designed to be redundant and diversified, the overall system will be more resilient for everyone: on the one hand, for the providers who deliver their services in this way and, on the other hand, for the customers who build their own IT on such mutually secured services and solutions.

Telecommunications providers in particular are setting a good example in this respect. In contrast to other industries, they often have a fully integrated resilience approach, as figures from PwC’s Global Crisis and Resilience Survey 2023 show: Technology, Media and Telecommunications has the most integrated resilience programs (28%), ahead of Health (24%), Energy (24%), and Financial Services (22%). This includes interconnection providers in Europe and Germany – in view of NIS2, some operators will have to tighten up their identity and access management, but in principle, interconnection services already belong to the “critical infrastructure” category (according to NIS1). In addition, many Internet Exchanges are now certified according to national regulatory requirements such as the so-called IT-Grundschutz from the German Federal Office for Information Security and ISO27001. Both are recognized frameworks and standards for IT and information security, which NIS2 demands.

Not just a compliance exercise: Weighing up IT risks in our own economic interest

Whether in Berlin, Kuala Lumpur, New Delhi or Washington – companies that want to ensure professional and secure IT operations for themselves and their customers have always been well advised to follow guidelines and standards for greater IT security. And that is true even out of pure economic self-interest. The experts at PwC, for example, recommend that laws for more cyber resilience should not be dismissed as mere compliance and checklist exercises, but should be recognized as a competitive advantage. Those who do not base their actions solely on how the law will affect them elevate their own corporate interests to the level of the common good of society.

Self-interest as the basis for the common good? Whether on the information superhighway or on the road, it makes sense. Since they came into force in 1934, Germany alone has amended its road traffic regulations more than 30 times – from speed limits to lane markings to the general requirement to wear seat belts. Very much in the spirit of Mary Ward.
