Red tape that tears us apart: regulation fragments Indo-Pacific cyber resilience

The fragmentation of cyber regulation in the Indo-Pacific is not just inconvenient; it is a strategic vulnerability.

In recent years, governments across the Indo-Pacific, including Australia, have moved to reform their regulatory frameworks for cyber resilience. Though these reforms are well-intentioned, inadequate coordination with regional partners and inadequate stakeholder consultation have created regulatory fragmentation (the existence of multiple regulatory frameworks covering the same subject matter) within and among Indo-Pacific jurisdictions.

This inconsistency hinders our ability to collaboratively tackle and deter cyber threats, essentially fragmenting the cyber resilience of the Indo-Pacific.

Regulatory fragmentation threatens regional security for three key reasons.

Firstly, it impedes technical efficiency. While we tend to think of cyberspace as borderless, its composite parts are designed, deployed and maintained on the territory of states that enact their own laws and regulations. Factors such as threat perception, the organisation of the given state and its agencies, and regulatory culture shape these frameworks. The degree to which the state provides essential services and owns physical and digital infrastructure also influences framework development.

As governments introduce complex regulatory obligations for cyber resilience, most digital services providers and ICT manufacturers will have to divert resources from efforts that would otherwise enable them to prepare for and respond to threats more effectively and across jurisdictions. Ironically, this undermines the effectiveness of regulatory regimes for cyber resilience in the first place.

In addition, complex and confusing nation-specific requirements push regulatees to follow a checkbox approach to cyber resilience, rather than a holistic, risk-informed and agile one. Boards may prioritise meeting the bare minimum of regulatory requirements instead of maintaining a risk management posture commensurate with the rapidly evolving threat environment.

Secondly, regulatory fragmentation undermines innovation. Complex regulatory regimes—especially for government procurement and for critical infrastructure operators—can seriously undermine competition and innovation. Startups and smaller vendors (looking to sell to such entities) have to divert scarce resources away from research, development and innovation to fund compliance with a maze of obligations. This is especially problematic for small and medium enterprises in sectors reliant on innovation—such as cyber resilience and advanced manufacturing—as regulatory risk mitigation can deny these firms the ability to scale and expand into new markets.

Thirdly, regulatory fragmentation impedes trust in partnerships. A jurisdiction’s regulatory robustness in relation to cyber resilience is a key factor in determining the suitability of partners in sensitive policy domains.

For example, while Japan has taken steps to invest in its national cyber resilience, particularly after Chinese hackers compromised government networks, the United States has remained cautious about Japan’s ability to protect sensitive information. Through sections 1333 and 1334 of the National Defense Authorization Act for Fiscal Year 2025, the US Congress tasked the Departments of State and Defense with reporting on issues such as: the effectiveness of Japanese cyber policy reforms since 2014; Japanese procedures for protecting classified and sensitive information; and how Japan ‘might need to strengthen’ its own cyber resilience ‘in order to be a successful potential [AUKUS Pillar 2] partner’.

Collaboration requires trust. That trust hinges not just on the quality and harmonisation of regulatory frameworks; it also depends on whether they’re enforced and underpinned by a shared appreciation of the cyber threat environment, including in relation to state-sponsored actors looking to preposition themselves in critical infrastructure assets and steal intellectual property.

That trust also relies on a shared appreciation of the importance of removing unnecessary impediments to innovation, including the growth of allied and partner capability, and threat mitigation by stakeholders, which is itself contingent on shared political will.

After all, regulatory fragmentation is politically driven. Leaders, ministers, officials and regulators each seek to satisfy constituents at home and exert influence abroad over cyber policy. They may prefer to clean the cobwebs through visible operational reactions rather than kill the spider through holistic, long-term preparation.

Such political considerations may disregard commercial and technical realities when regulatory parameters are determined in the interests of digital sovereignty, including when it comes to (not) banning technology vendors.

Fixing this is a tall order but not impossible. Australia and its partners could consider establishing a baseline degree of regulatory harmonisation and reciprocity. This could include factors such as:

—Definitions of the subjects and objects of cyber regulation;

—Thresholds and deadlines for reporting breaches of cyber resilience to the state;

—Standards and controls that regulatees must implement, and outcomes they must achieve;

—Technology supply chain risk management requirements, including methods to assess whether procuring technology from certain vendors is too risky;

—Types of penalties for non-compliance; and

—Powers of the state to gather information or intervene in the operations of regulatees.

Allies and partners must better align their regulatory frameworks. Be it via multi-stakeholder collaboration or multilateral regulatory diplomacy, tackling regulatory fragmentation will make the Indo-Pacific more cyber-resilient.

Let us tear away the red tape that tears us apart.