Research

We develop thought leadership on key topical issues to help inform and positively shape the cyber security policy environment to enable safe, secure, and resilient digital transformation and enablement.

Read our reports to find out more.

Critical Information Infrastructure and Supply Chain Security

Concerns regarding supply chain risks have intensified among policymakers in the Asia-Pacific (APAC) as the global integration of supply chains has created new efficiencies but also introduced higher levels of third-party risk. The disruption of these critical supply chains has negative effects not only on the economy but on society as well, and can be particularly significant for managing critical information infrastructure.

The Critical Information Infrastructure and Supply Chain Security report aims to assist policymakers in creating effective policies for supply chain resilience. The report reviews the key principles behind supply chain risk management (SCRM) and key country approaches towards critical information infrastructure and SCRM, and identifies four key commonalities in APAC regulatory approaches. Most importantly, it highlights four key recommendations to enhance the security of supply chains in the APAC markets for critical information infrastructure.

Read our Critical Information Infrastructure and Supply Chain Security report here

Risk-Based Protection of Critical Information Infrastructure

Digital transformation has been a key agenda item in many governments’ modernisation efforts. In the wake of the COVID-19 pandemic, efforts have accelerated to ensure that critical infrastructure, and the information services which serve it, can continue running in the event of another global catastrophe and remain resilient against disruption.

The Risk-Based Protection of Critical Information Infrastructure report aims to act as a guide for policymakers to better understand how to develop a strong risk-based approach towards regulating critical information infrastructure. The report reviews the definition of critical information infrastructure, assesses examples of regulatory approaches, and identifies principles and recommendations to consider in approaching regulations proportionately and effectively.

Read our Risk-Based Protection of Critical Information Infrastructure report here

Managing Technology Risks in the Public Sector and Regulated Industries

In today’s increasingly digitalised world, technology risk management is a complex task for organisations of all types and sizes. Public sector agencies and regulated industries face special challenges based on the technologies they employ to deliver everything from citizen services to transportation, telecommunications, and healthcare.

This report seeks to guide policymakers and organisations to better understand how to manage emerging risks stemming from new technologies being considered and existing technologies already present in current systems. The report dives deep into exploring two issues—cloud computing adoption and supply chain management—to help clarify some of the misconceptions that arise from cloud computing cybersecurity as well as recommend how to address threats arising from the technology supply chain to bolster resilience and security.

Read our Managing Technology Risks in the Public Sector and Regulated Industries report here

Cybersecurity Policy for Operational Technology: A Guide for Governments

Operational technology (OT) represents the collection of hardware and software that helps to monitor, manage, and control physical devices and their related functions and processes, including components such as valve controls at water treatment facilities, monitoring mechanisms at nuclear power plants, or robotics on manufacturing floors. OT comprises vital components within critical information infrastructure (CII) sectors like utilities and transportation systems. The role of government in ensuring that CII and other sectors operate safely and securely naturally implies a similarly important government role in ensuring the cyber resilience of OT.

This report will highlight some use cases and advantages of OT, describe the cybersecurity risks involving OT, and provide recommendations adapted from global best practices to create an effective OT cybersecurity regime.

Read our Cybersecurity Policy for Operational Technology: A Guide for Governments report here

Guide to Computer Emergency Response Teams (CERTs)

CERTs are critical in bolstering defences against cybersecurity threats of all types. Acknowledging the growing importance of CERTs as digital transformation gains pace in Asia, this report presents an overview of CERTs and serves as a guide for governments and industry in Asia to help identify best practices in the creation and operation of CERTs. This report was created in collaboration with industry experts, governments, and CERTs working in Asia.

Read our Guide to CERTs report here

Norms for Cybersecurity in Southeast Asia

Norms have a long history of reducing conflict between states and, transposed to cyberspace, they can create flexible and easily spread shared behaviours. It is these shared behaviours that build predictable and stable environments for businesses and citizens alike, and that encourage international cooperation on cybersecurity.

Broad adoption of cybersecurity norms can help promote social and economic development and lend stability and security. That is why we have published a white paper on cybersecurity norms in Southeast Asia for the Global Conference on CyberSpace.

Our paper assesses the policy and issues in Southeast Asia, outlines the existing efforts around cybersecurity norms and related activities in a variety of forums, and charts their development processes. It explains the benefits of collaborative cybersecurity for the region, and suggests some areas for the region’s stakeholders to continue work on norms development.

Read our Norms for Cybersecurity in Southeast Asia report here